fix: rename from externalSessionId to sessionID.

Better impl. for generating a random sessionID.

go.mod

@@ -16,7 +16,6 @@ require (
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.9.0
 	github.com/stretchr/testify v1.7.0
-	github.com/xyproto/randomstring v0.0.0-20211020123341-4731a123782f
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
 )
 

go.sum

@@ -543,8 +543,6 @@ github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijb
 github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
-github.com/xyproto/randomstring v0.0.0-20211020123341-4731a123782f h1:9gUNSzKYBH9y70Z4PQBvFm8DeIHDBLomTZ/5G5v3eyY=
-github.com/xyproto/randomstring v0.0.0-20211020123341-4731a123782f/go.mod h1:HcK1ojGYWgNJz1Rp9UouvxVGIWsMFAtkftDoHZ6DE9k=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

pkg/router/handler_callback.go

@@ -2,7 +2,10 @@ package router
 
 import (
 	"context"
+	"crypto/rand"
+	"encoding/base64"
 	"fmt"
+	"io"
 	"net/http"
 	"net/url"
 	"time"
@@ -11,7 +14,6 @@ import (
 	"golang.org/x/oauth2"
 
 	"github.com/nais/wonderwall/pkg/openid"
-	"github.com/xyproto/randomstring"
 )
 
 func (h *Handler) Callback(w http.ResponseWriter, r *http.Request) {
@@ -47,13 +49,13 @@ func (h *Handler) Callback(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	externalSessionID, err := h.validateIDToken(idToken, loginCookie, params)
+	sessionID, err := h.validateIDToken(idToken, loginCookie, params)
 	if err != nil {
 		h.InternalError(w, r, fmt.Errorf("callback: validating id_token: %w", err))
 		return
 	}
 
-	err = h.createSession(w, r, externalSessionID, tokens, idToken)
+	err = h.createSession(w, r, sessionID, tokens, idToken)
 	if err != nil {
 		h.InternalError(w, r, fmt.Errorf("callback: creating session: %w", err))
 		return
@@ -108,15 +110,15 @@ func (h *Handler) validateIDToken(idToken *openid.IDToken, loginCookie *openid.L
 		return "", err
 	}
 
-	externalSessionID, err := h.ExternalSessionId(idToken, params)
+	sessionID, err := h.SessionId(idToken, params)
 	if err != nil {
 		return "", fmt.Errorf("getting external session ID from id_token: %w", err)
 	}
 
-	return externalSessionID, nil
+	return sessionID, nil
 }
 
-func (h *Handler) ExternalSessionId(idToken *openid.IDToken, params url.Values) (string, error) {
+func (h *Handler) SessionId(idToken *openid.IDToken, params url.Values) (string, error) {
 	var openIDconfig = h.Provider.GetOpenIDConfiguration()
 	var externalSessionID string
 	var err error
@@ -127,7 +129,7 @@ func (h *Handler) ExternalSessionId(idToken *openid.IDToken, params url.Values)
 	case openIDconfig.GetCheckSessionIframe():
 		externalSessionID, err = getSessionStateFrom(params)
 	default:
-		externalSessionID = h.GenerateExternalSessionID()
+		externalSessionID, err = h.GenerateSessionID()
 	}
 
 	if err != nil {
@@ -146,6 +148,13 @@ func getSessionStateFrom(params url.Values) (string, error) {
 	return sessionState, nil
 }
 
-func (h *Handler) GenerateExternalSessionID() string {
-	return randomstring.CookieFriendlyString(36)
+func (h *Handler) GenerateSessionID() (string, error) {
+	rawID := make([]byte, 64)
+
+	_, err := io.ReadFull(rand.Reader, rawID)
+	if err != nil {
+		return "", fmt.Errorf("generating session ID: %w", err)
+	}
+
+	return base64.RawURLEncoding.EncodeToString(rawID), nil
 }

pkg/router/session.go

@@ -20,8 +20,8 @@ import (
 // in all tokens acquired by any Relying Party (such as Wonderwall) during that session.
 // Thus, we cannot assume that the value of `sid` or `session_state` to uniquely identify the pair of (user, application session)
 // if using a shared session store.
-func (h *Handler) localSessionID(externalSessionID string) string {
-	return fmt.Sprintf("%s:%s:%s", h.Config.OpenID.Provider, h.Provider.GetClientConfiguration().GetClientID(), externalSessionID)
+func (h *Handler) localSessionID(sessionID string) string {
+	return fmt.Sprintf("%s:%s:%s", h.Config.OpenID.Provider, h.Provider.GetClientConfiguration().GetClientID(), sessionID)
 }
 
 func (h *Handler) getSessionFromCookie(w http.ResponseWriter, r *http.Request) (*session.Data, error) {