-
Notifications
You must be signed in to change notification settings - Fork 0
/
sessions.go
123 lines (104 loc) · 2.88 KB
/
sessions.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
package main
import (
"crypto/rsa"
"fmt"
"io/ioutil"
"log"
"net/http"
"os"
"time"
"github.com/dgrijalva/jwt-go"
)
const (
secKey = "cookie.key" // openssl genrsa -out cookie.key
pubKey = "cookie.pub" // openssl rsa -in cookie.key -pubout > cookie.pub
sessionLength = 1 * time.Hour
sessionName = "session"
)
func decryptToken(encToken string) (string, string, error) {
token, err := jwt.ParseWithClaims(encToken, &AdminClaims{}, func(token *jwt.Token) (interface{}, error) {
return verifyKey, nil
})
if err != nil {
return "", "", err
}
claims := token.Claims.(*AdminClaims)
return claims.Account, claims.Fingerprint, nil
}
func getSession(r *http.Request) (string, string, error) {
cookie, err := r.Cookie(sessionName)
if err != nil || cookie == nil {
return "", "", fmt.Errorf("No session set available")
}
return decryptToken(cookie.Value)
}
func setEncryptedSession(w http.ResponseWriter, encryptedToken string) {
setCookie(w, sessionName, encryptedToken, int(sessionLength.Seconds()))
}
func createSession(w http.ResponseWriter, account, fingerprint string) error {
return createSessionLength(w, account, fingerprint, sessionLength)
}
func createSessionLength(w http.ResponseWriter, account, fingerprint string,
length time.Duration) error {
tokenString, err := createToken(account, fingerprint, length)
if err != nil {
return err
}
setCookie(w, sessionName, tokenString, int(length.Seconds()))
return err
}
func setCookie(w http.ResponseWriter, name string, value string, maxAge int) {
c := &http.Cookie{Name: name, MaxAge: maxAge, Value: value, HttpOnly: true, Path: "/"}
http.SetCookie(w, c)
}
// AdminClaims JWT data
type AdminClaims struct {
jwt.StandardClaims
Account string `json:"account"`
Fingerprint string `json:"fingerprint"`
}
func createToken(account, fingerprint string, dur time.Duration) (string, error) {
t := jwt.New(jwt.GetSigningMethod("RS256"))
t.Claims = AdminClaims{
jwt.StandardClaims{
// see http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4.1.4
// 1 month from now
ExpiresAt: time.Now().Add(dur).Unix(),
},
account,
fingerprint,
}
return t.SignedString(signKey)
}
var (
verifyKey *rsa.PublicKey
signKey *rsa.PrivateKey
)
func init() {
secKey, exists := os.LookupEnv("SECKEY_PATH")
if !exists {
/* we are in local dev mode */
secKey = "cookie.key" // openssl genrsa -out jwt.key
}
signBytes, err := ioutil.ReadFile(secKey)
if err != nil {
log.Fatal(err)
}
signKey, err = jwt.ParseRSAPrivateKeyFromPEM(signBytes)
if err != nil {
log.Fatal(err)
}
pubKey, exists := os.LookupEnv("PUBKEY_PATH")
if !exists {
/* we are in local dev mode */
pubKey = "cookie.pub" // openssl genrsa -out jwt.key
}
verifyBytes, err := ioutil.ReadFile(pubKey)
if err != nil {
log.Fatal(err)
}
verifyKey, err = jwt.ParseRSAPublicKeyFromPEM(verifyBytes)
if err != nil {
log.Fatal(err)
}
}