+18

internal/server/middleware.go

reviewed

··· 1 1 package server 2 2 3 3 import ( 4 4 + "context" 4 5 "crypto/rand" 5 6 "encoding/hex" 6 7 "net/http" 7 8 "net/url" 8 9 "strings" 9 10 "time" 11 11 + 12 12 + "github.com/bluesky-social/indigo/atproto/syntax" 10 13 ) 11 14 12 15 func (s *Server) sessionMiddleware(next http.Handler) http.Handler { 13 16 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 14 17 user := s.getUserFromSession(r) 15 18 if user != nil { 19 19 + data := s.getSessionData(r) 20 20 + if data != nil && data.SessionID != "" && !s.isOAuthSessionValid(r.Context(), data) { 21 21 + s.clearUserSession(w) 22 22 + next.ServeHTTP(w, r) 23 23 + return 24 24 + } 16 25 ctx := contextWithUser(r.Context(), user) 17 26 r = r.WithContext(ctx) 18 27 } 19 28 next.ServeHTTP(w, r) 20 29 }) 30 30 + } 31 31 + 32 32 + func (s *Server) isOAuthSessionValid(ctx context.Context, data *sessionData) bool { 33 33 + did, err := syntax.ParseDID(data.DID) 34 34 + if err != nil { 35 35 + return false 36 36 + } 37 37 + _, err = s.oauthStore.GetSession(ctx, did, data.SessionID) 38 38 + return err == nil 21 39 } 22 40 23 41 func (s *Server) requireAuth(next http.Handler) http.Handler {

+222

internal/server/middleware_test.go

reviewed

··· 1 1 + package server 2 2 + 3 3 + import ( 4 4 + "context" 5 5 + "net/http" 6 6 + "net/http/httptest" 7 7 + "os" 8 8 + "testing" 9 9 + 10 10 + oauth "github.com/bluesky-social/indigo/atproto/auth/oauth" 11 11 + "github.com/bluesky-social/indigo/atproto/syntax" 12 12 + "gotest.tools/v3/assert" 13 13 + 14 14 + "pkg.rbrt.fr/glean/internal/db" 15 15 + ) 16 16 + 17 17 + func setupTestServer(t *testing.T) (*Server, *db.Store) { 18 18 + t.Helper() 19 19 + f, err := os.CreateTemp("", "glean-test-*.db") 20 20 + assert.NilError(t, err) 21 21 + assert.NilError(t, f.Close()) 22 22 + path := f.Name() 23 23 + t.Cleanup(func() { 24 24 + for _, suffix := range []string{"", "_users", "_users-shm", "_users-wal", "_articles", "_articles-shm", "_articles-wal", "_recs", "_recs-shm", "_recs-wal"} { 25 25 + _ = os.Remove(path + suffix) 26 26 + } 27 27 + }) 28 28 + 29 29 + dbs, err := db.Open(path) 30 30 + assert.NilError(t, err) 31 31 + t.Cleanup(func() { _ = dbs.Close() }) 32 32 + 33 33 + s := &Server{ 34 34 + dbs: dbs, 35 35 + oauthStore: db.NewOAuthStore(dbs), 36 36 + sessionKey: []byte("test-session-key-32-bytes-long!"), 37 37 + } 38 38 + return s, dbs 39 39 + } 40 40 + 41 41 + func encodeTestSession(t *testing.T, s *Server, data sessionData) string { 42 42 + t.Helper() 43 43 + encoded, err := encodeSession(s.sessionKey, data) 44 44 + assert.NilError(t, err) 45 45 + return encoded 46 46 + } 47 47 + 48 48 + func seedOAuthSession(t *testing.T, s *Server, did, sessionID string) { 49 49 + t.Helper() 50 50 + parsedDID, err := syntax.ParseDID(did) 51 51 + assert.NilError(t, err) 52 52 + sessData := oauth.ClientSessionData{ 53 53 + AccountDID: parsedDID, 54 54 + SessionID: sessionID, 55 55 + HostURL: "https://example.com", 56 56 + AccessToken: "test-access-token", 57 57 + RefreshToken: "test-refresh-token", 58 58 + } 59 59 + err = s.oauthStore.SaveSession(context.Background(), sessData) 60 60 + assert.NilError(t, err) 61 61 + } 62 62 + 63 63 + func TestSessionMiddleware_ValidOAuthSession(t *testing.T) { 64 64 + s, dbs := setupTestServer(t) 65 65 + ctx := context.Background() 66 66 + 67 67 + _, err := dbs.Users.CreateUser(ctx, "did:test:user1") 68 68 + assert.NilError(t, err) 69 69 + 70 70 + seedOAuthSession(t, s, "did:test:user1", "session-1") 71 71 + 72 72 + cookieVal := encodeTestSession(t, s, sessionData{ 73 73 + DID: "did:test:user1", 74 74 + SessionID: "session-1", 75 75 + }) 76 76 + 77 77 + called := false 78 78 + handler := s.sessionMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 79 79 + called = true 80 80 + u := currentUser(r) 81 81 + assert.Assert(t, u != nil) 82 82 + assert.Equal(t, u.DID, "did:test:user1") 83 83 + w.WriteHeader(http.StatusOK) 84 84 + })) 85 85 + 86 86 + req := httptest.NewRequest(http.MethodGet, "/dashboard", nil) 87 87 + req.AddCookie(&http.Cookie{Name: "glean_session", Value: cookieVal}) 88 88 + rec := httptest.NewRecorder() 89 89 + 90 90 + handler.ServeHTTP(rec, req) 91 91 + assert.Assert(t, called) 92 92 + assert.Equal(t, rec.Code, http.StatusOK) 93 93 + } 94 94 + 95 95 + func TestSessionMiddleware_InvalidOAuthSession_ClearsCookie(t *testing.T) { 96 96 + s, dbs := setupTestServer(t) 97 97 + ctx := context.Background() 98 98 + 99 99 + _, err := dbs.Users.CreateUser(ctx, "did:test:user2") 100 100 + assert.NilError(t, err) 101 101 + 102 102 + cookieVal := encodeTestSession(t, s, sessionData{ 103 103 + DID: "did:test:user2", 104 104 + SessionID: "session-gone", 105 105 + }) 106 106 + 107 107 + called := false 108 108 + handler := s.sessionMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 109 109 + called = true 110 110 + u := currentUser(r) 111 111 + assert.Assert(t, u == nil) 112 112 + w.WriteHeader(http.StatusOK) 113 113 + })) 114 114 + 115 115 + req := httptest.NewRequest(http.MethodGet, "/dashboard", nil) 116 116 + req.AddCookie(&http.Cookie{Name: "glean_session", Value: cookieVal}) 117 117 + rec := httptest.NewRecorder() 118 118 + 119 119 + handler.ServeHTTP(rec, req) 120 120 + assert.Assert(t, called) 121 121 + assert.Equal(t, rec.Code, http.StatusOK) 122 122 + 123 123 + var cleared bool 124 124 + for _, c := range rec.Result().Cookies() { 125 125 + if c.Name == "glean_session" && c.MaxAge == -1 { 126 126 + cleared = true 127 127 + } 128 128 + } 129 129 + assert.Assert(t, cleared, "expected glean_session cookie to be cleared") 130 130 + } 131 131 + 132 132 + func TestSessionMiddleware_NonOAuthSession_PassesThrough(t *testing.T) { 133 133 + s, dbs := setupTestServer(t) 134 134 + ctx := context.Background() 135 135 + 136 136 + _, err := dbs.Users.CreateUser(ctx, "did:test:user3") 137 137 + assert.NilError(t, err) 138 138 + 139 139 + cookieVal := encodeTestSession(t, s, sessionData{ 140 140 + DID: "did:test:user3", 141 141 + }) 142 142 + 143 143 + called := false 144 144 + handler := s.sessionMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 145 145 + called = true 146 146 + u := currentUser(r) 147 147 + assert.Assert(t, u != nil) 148 148 + assert.Equal(t, u.DID, "did:test:user3") 149 149 + w.WriteHeader(http.StatusOK) 150 150 + })) 151 151 + 152 152 + req := httptest.NewRequest(http.MethodGet, "/dashboard", nil) 153 153 + req.AddCookie(&http.Cookie{Name: "glean_session", Value: cookieVal}) 154 154 + rec := httptest.NewRecorder() 155 155 + 156 156 + handler.ServeHTTP(rec, req) 157 157 + assert.Assert(t, called) 158 158 + assert.Equal(t, rec.Code, http.StatusOK) 159 159 + } 160 160 + 161 161 + func TestSessionMiddleware_OAuthSessionDeletedAfterLogin_ClearsCookie(t *testing.T) { 162 162 + s, dbs := setupTestServer(t) 163 163 + ctx := context.Background() 164 164 + 165 165 + _, err := dbs.Users.CreateUser(ctx, "did:test:user4") 166 166 + assert.NilError(t, err) 167 167 + 168 168 + seedOAuthSession(t, s, "did:test:user4", "session-4") 169 169 + 170 170 + cookieVal := encodeTestSession(t, s, sessionData{ 171 171 + DID: "did:test:user4", 172 172 + SessionID: "session-4", 173 173 + }) 174 174 + 175 175 + handler := s.sessionMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 176 176 + u := currentUser(r) 177 177 + if u == nil { 178 178 + w.WriteHeader(http.StatusUnauthorized) 179 179 + return 180 180 + } 181 181 + w.WriteHeader(http.StatusOK) 182 182 + })) 183 183 + 184 184 + req := httptest.NewRequest(http.MethodGet, "/dashboard", nil) 185 185 + req.AddCookie(&http.Cookie{Name: "glean_session", Value: cookieVal}) 186 186 + rec := httptest.NewRecorder() 187 187 + handler.ServeHTTP(rec, req) 188 188 + assert.Equal(t, rec.Code, http.StatusOK) 189 189 + 190 190 + parsedDID, err := syntax.ParseDID("did:test:user4") 191 191 + assert.NilError(t, err) 192 192 + err = s.oauthStore.DeleteSession(ctx, parsedDID, "session-4") 193 193 + assert.NilError(t, err) 194 194 + 195 195 + req2 := httptest.NewRequest(http.MethodGet, "/dashboard", nil) 196 196 + req2.AddCookie(&http.Cookie{Name: "glean_session", Value: cookieVal}) 197 197 + rec2 := httptest.NewRecorder() 198 198 + handler.ServeHTTP(rec2, req2) 199 199 + assert.Equal(t, rec2.Code, http.StatusUnauthorized) 200 200 + } 201 201 + 202 202 + func TestIsOAuthSessionValid(t *testing.T) { 203 203 + s, _ := setupTestServer(t) 204 204 + ctx := context.Background() 205 205 + 206 206 + seedOAuthSession(t, s, "did:test:valid", "sess-1") 207 207 + 208 208 + assert.Assert(t, s.isOAuthSessionValid(ctx, &sessionData{ 209 209 + DID: "did:test:valid", 210 210 + SessionID: "sess-1", 211 211 + })) 212 212 + 213 213 + assert.Assert(t, !s.isOAuthSessionValid(ctx, &sessionData{ 214 214 + DID: "did:test:valid", 215 215 + SessionID: "sess-nonexistent", 216 216 + })) 217 217 + 218 218 + assert.Assert(t, !s.isOAuthSessionValid(ctx, &sessionData{ 219 219 + DID: "did:test:nonexistent", 220 220 + SessionID: "sess-1", 221 221 + })) 222 222 + }