From af48778bf7e99b9e38f20fe47ef1438c996b7b28 Mon Sep 17 00:00:00 2001
From: Trong Huu Nguyen
Date: Mon, 29 Aug 2022 09:49:33 +0200
Subject: [PATCH] fix(session/handler): lock metadata operations behind feature gate until rollout

---
 pkg/config/config.go | 14 +++++++++-----
 pkg/session/handler.go | 24 +++++++++++++-----------
 2 files changed, 22 insertions(+), 16 deletions(-)

diff --git a/pkg/config/config.go b/pkg/config/config.go
index cef7775..773b727 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -40,8 +40,9 @@ type Loginstatus struct {
 }
 
 type Session struct {
- MaxLifetime time.Duration `json:"max-lifetime"`
- Refresh bool `json:"refresh"`
+ MaxLifetime time.Duration `json:"max-lifetime"`
+ Refresh bool `json:"refresh"`
+ MetadataRollout bool `json:"metadata-rollout"`
 }
 
 const (
@@ -57,8 +58,9 @@ const (
 Ingress = "ingress"
 UpstreamHost = "upstream-host"
 
- SessionMaxLifetime = "session.max-lifetime"
- SessionRefresh = "session.refresh"
+ SessionMaxLifetime = "session.max-lifetime"
+ SessionRefresh = "session.refresh"
+ SessionMetadataRollout = "session.metadata-rollout"
 
 LoginstatusEnabled = "loginstatus.enabled"
 LoginstatusCookieDomain = "loginstatus.cookie-domain"
@@ -80,9 +82,11 @@ func Initialize() (*Config, error) {
 flag.String(EncryptionKey, "", "Base64 encoded 256-bit cookie encryption key; must be identical in instances that share session store.")
 flag.String(ErrorRedirectURI, "", "URI to redirect user to on errors for custom error handling.")
 flag.StringSlice(Ingress, []string{}, "Comma separated list of ingresses used to access the main application.")
+ flag.String(UpstreamHost, "127.0.0.1:8080", "Address of upstream host.")
+
 flag.Duration(SessionMaxLifetime, time.Hour, "Max lifetime for user sessions.")
 flag.Bool(SessionRefresh, false, "Automatically refresh the tokens for user sessions if they are expired, as long as the session exists (indicated by the session max lifetime).")
- flag.String(UpstreamHost, "127.0.0.1:8080", "Address of upstream host.")
+ flag.Bool(SessionMetadataRollout, false, "Feature toggle for metadata rollout.")
 
 flag.Bool(LoginstatusEnabled, false, "Feature toggle for Loginstatus, a separate service that should provide an opaque token to indicate that a user has been authenticated previously, e.g. by another application in another subdomain.")
 flag.String(LoginstatusCookieDomain, "", "The domain that the cookie should be set for.")
diff --git a/pkg/session/handler.go b/pkg/session/handler.go
index af3b5e0..49e0815 100644
--- a/pkg/session/handler.go
+++ b/pkg/session/handler.go
@@ -29,11 +29,12 @@ var (
 )
 
 type Handler struct {
- client openidclient.Client
- crypter crypto.Crypter
- openidCfg openidconfig.Config
- refreshEnabled bool
- store Store
+ client openidclient.Client
+ crypter crypto.Crypter
+ openidCfg openidconfig.Config
+ refreshEnabled bool
+ metadataRolloutEnabled bool
+ store Store
 }
 
 func NewHandler(cfg *config.Config, openidCfg openidconfig.Config, crypter crypto.Crypter, openidClient openidclient.Client) (*Handler, error) {
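Review bot: The help string `"Feature toggle for metadata rollout."` on the new `flag.Bool(SessionMetadataRollout, …)` line does not tell an operator what the flag gates, and the `false` default is security-relevant here: with the flag off, `GetAccessToken` (last hunk of this patch) no longer consults `sessionData.Metadata.IsExpired()`, so an access token whose metadata says it has expired is still handed back as long as the session itself is alive. Suggest saying so in the help text, e.g. `flag.Bool(SessionMetadataRollout, false, "Feature toggle for session metadata. While disabled, access-token expiry recorded in session metadata is not enforced.")`, so the operational risk of leaving it at the default is visible in `--help`. The remaining lines of the hunk only move the existing `UpstreamHost` flag and add a blank line, with no behavioural change. `Initialize`'s body continues outside the hunk.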
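Review bot: The new `metadataRolloutEnabled bool` field on `Handler` has no comment, and its effect is the opposite of what the name suggests at first glance — while it is false it switches a check off, namely the `Metadata.IsExpired()` test in `GetAccessToken` in the last hunk, not on. A field comment would prevent that misreading, e.g. `// metadataRolloutEnabled gates the session-metadata expiry check in GetAccessToken; while false, tokens past their recorded expiry are still returned. Wired from config session.metadata-rollout.` If the gate exists because pre-existing sessions carry no metadata yet, a per-session condition (skip the expiry check only when the metadata is absent) would keep enforcement for sessions that do carry it, instead of a global off switch — but how `Metadata` is populated is not shown in this patch, so treat that as a question rather than a finding. `NewHandler` starts on the hunk's last line and continues outside it.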
@@ -43,11 +44,12 @@ func NewHandler(cfg *config.Config, openidCfg openidconfig.Config, crypter crypt
 }
 
 return &Handler{
- crypter: crypter,
- client: openidClient,
- openidCfg: openidCfg,
- store: store,
- refreshEnabled: cfg.Session.Refresh,
+ crypter: crypter,
+ client: openidClient,
+ openidCfg: openidCfg,
+ store: store,
+ refreshEnabled: cfg.Session.Refresh,
+ metadataRolloutEnabled: cfg.Session.MetadataRollout,
 }, nil
 }
 
@@ -130,7 +132,7 @@ func (h *Handler) GetAccessToken(r *http.Request) (string, error) {
 return "", NoAccessTokenError
 }
 
- if sessionData.Metadata.IsExpired() {
+ if h.metadataRolloutEnabled && sessionData.Metadata.IsExpired() {
 return "", ExpiredAccessTokenError
 }