github/wonderwall
1
0
Fork 0
mirror of https://github.com/nais/wonderwall.git synced 2026-05-09 01:47:03 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
c3532d2e6098e1ae07bc050aafa7781d4ca03616
wonderwall/pkg/handler/session_refresh.go
Trong Huu Nguyen 0537c8172f feat(session): use tickets for per-session data encryption 
Replace the usage of a single application-wide session crypter
with per-session crypters.

The application is no longer able to decrypt any session
encrypted with its symmetric key alone. Instead, a session ticket
with its associated data encryption key (DEK) is also required in order
to decrypt the associated session data. The ticket itself is
encrypted with the application's crypter; the latter of which is
effectively a key-encryption key (KEK).

Fixes #49.
2023-02-14 21:50:19 +01:00

60 lines
1.6 KiB
Go
Raw Blame History

package handler
import (
"encoding/json"
"errors"
"net/http"
mw "github.com/nais/wonderwall/pkg/middleware"
"github.com/nais/wonderwall/pkg/session"
)
type SessionRefreshSource interface {
GetSessions() *session.Handler
}
func SessionRefresh(src SessionRefreshSource, w http.ResponseWriter, r *http.Request) {
logger := mw.LogEntryFrom(r)
ticket, err := src.GetSessions().GetTicket(r)
if err != nil {
logger.Infof("session/refresh: getting ticket: %+v", err)
w.WriteHeader(http.StatusUnauthorized)
return
}
data, err := src.GetSessions().Get(r, ticket)
if err != nil {
switch {
case errors.Is(err, session.ErrInvalidSession), errors.Is(err, session.ErrKeyNotFound):
logger.Infof("session/refresh: getting session: %+v", err)
w.WriteHeader(http.StatusUnauthorized)
default:
logger.Warnf("session/refresh: getting session: %+v", err)
w.WriteHeader(http.StatusInternalServerError)
}
return
}
data, err = src.GetSessions().Refresh(r, ticket, data)
if err != nil {
if errors.Is(err, session.ErrInvalidIdpState) || errors.Is(err, session.ErrInvalidSession) {
logger.Infof("session/refresh: refreshing: %+v", err)
w.WriteHeader(http.StatusUnauthorized)
return
}
logger.Warnf("session/refresh: refreshing: %+v", err)
w.WriteHeader(http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "application/json")
err = json.NewEncoder(w).Encode(data.Metadata.VerboseWithRefresh())
if err != nil {
logger.Warnf("session/refresh: marshalling metadata: %+v", err)
w.WriteHeader(http.StatusInternalServerError)
return
}
}
Reference in New Issue View Git Blame Copy Permalink