
🐛 Fix incorrect auth cookie decoding on first stage session middleware

This commit is contained in:
Andrey Antukh 2022-12-15 11:43:31 +01:00
parent 226afe98e0
commit 408d33bdec
2 changed files with 23 additions and 27 deletions


@ -12,6 +12,7 @@
[app.config :as cf] [app.config :as cf]
[app.db :as db] [app.db :as db]
[app.db.sql :as sql] [app.db.sql :as sql]
[app.main :as-alias main]
[app.tokens :as tokens] [app.tokens :as tokens]
[app.util.time :as dt] [app.util.time :as dt]
[app.worker :as wrk] [app.worker :as wrk]
@ -56,13 +57,13 @@
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
(defn- prepare-session-params (defn- prepare-session-params
[sprops data] [props data]
(let [profile-id (:profile-id data) (let [profile-id (:profile-id data)
user-agent (:user-agent data) user-agent (:user-agent data)
created-at (or (:created-at data) (dt/now)) created-at (or (:created-at data) (dt/now))
token (tokens/generate sprops {:iss "authentication" token (tokens/generate props {:iss "authentication"
:iat created-at :iat created-at
:uid profile-id})] :uid profile-id})]
{:user-agent user-agent {:user-agent user-agent
:profile-id profile-id :profile-id profile-id
:created-at created-at :created-at created-at
@ -70,7 +71,7 @@
:id token})) :id token}))
(defn- database-manager (defn- database-manager
[{:keys [pool sprops executor]}] [{:keys [::db/pool ::wrk/executor ::main/props]}]
(reify ISessionManager (reify ISessionManager
(read [_ token] (read [_ token]
(px/with-dispatch executor (px/with-dispatch executor
@ -78,11 +79,11 @@
(decode [_ token] (decode [_ token]
(px/with-dispatch executor (px/with-dispatch executor
(tokens/verify sprops {:token token :iss "authentication"}))) (tokens/verify props {:token token :iss "authentication"})))
(write! [_ _ data] (write! [_ _ data]
(px/with-dispatch executor (px/with-dispatch executor
(let [params (prepare-session-params sprops data)] (let [params (prepare-session-params props data)]
(db/insert! pool :http-session params) (db/insert! pool :http-session params)
params))) params)))
@ -100,7 +101,7 @@
nil)))) nil))))
(defn inmemory-manager (defn inmemory-manager
[{:keys [sprops executor]}] [{:keys [::wrk/executor ::main/props]}]
(let [cache (atom {})] (let [cache (atom {})]
(reify ISessionManager (reify ISessionManager
(read [_ token] (read [_ token]
@ -108,11 +109,11 @@
(decode [_ token] (decode [_ token]
(px/with-dispatch executor (px/with-dispatch executor
(tokens/verify sprops {:token token :iss "authentication"}))) (tokens/verify props {:token token :iss "authentication"})))
(write! [_ _ data] (write! [_ _ data]
(p/do (p/do
(let [{:keys [token] :as params} (prepare-session-params sprops data)] (let [{:keys [token] :as params} (prepare-session-params props data)]
(swap! cache assoc token params) (swap! cache assoc token params)
params))) params)))
@ -127,12 +128,11 @@
(swap! cache dissoc token) (swap! cache dissoc token)
nil))))) nil)))))
(s/def ::sprops map?)
(defmethod ig/pre-init-spec ::manager [_] (defmethod ig/pre-init-spec ::manager [_]
(s/keys :req-un [::db/pool ::wrk/executor ::sprops])) (s/keys :req [::db/pool ::wrk/executor ::main/props]))
(defmethod ig/init-key ::manager (defmethod ig/init-key ::manager
[_ {:keys [pool] :as cfg}] [_ {:keys [::db/pool] :as cfg}]
(if (db/read-only? pool) (if (db/read-only? pool)
(inmemory-manager cfg) (inmemory-manager cfg)
(database-manager cfg))) (database-manager cfg)))
@ -179,17 +179,13 @@
(def middleware-1 (def middleware-1
(letfn [(wrap-handler [manager handler request respond raise] (letfn [(wrap-handler [manager handler request respond raise]
(try (when-let [cookie (some->> (cf/get :auth-token-cookie-name default-auth-token-cookie-name)
(let [claims (some->> (cf/get :auth-token-cookie-name default-auth-token-cookie-name) (yrq/get-cookie request))]
(yrq/get-cookie request) (->> (decode manager (:value cookie))
(decode manager)) (p/fnly (fn [claims _]
request (cond-> request (cond-> request
(some? claims) (some? claims) (assoc :session-token-claims claims)
(assoc :session-token-claims claims))] :always (handler respond raise)))))))]
(handler request respond raise))
(catch Throwable _
(handler request respond raise))))]
{:name :session-1 {:name :session-1
:compile (fn [& _] :compile (fn [& _]
(fn [handler manager] (fn [handler manager]
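Review bot: A request that carries no auth cookie never reaches `handler` in the new wrap-handler: `when-let` yields nil when `yrq/get-cookie` finds nothing, so neither `respond` nor `raise` is ever invoked and the request stalls, whereas the replaced version fell through to `(handler request respond raise)` in that case. Unless the `:compile` function outside the hunk routes cookieless requests around wrap-handler, the guard should become `(if-let [cookie (some->> (cf/get :auth-token-cookie-name default-auth-token-cookie-name) (yrq/get-cookie request))] ... (handler request respond raise))`, keeping the existing `p/fnly` form as the then-branch. The `p/fnly` callback itself does preserve the old behaviour for an invalid or expired token: `claims` arrives nil when verification fails, so the request continues without `:session-token-claims` rather than surfacing the error, as the removed `catch Throwable` did. The `middleware-1` definition, including its `:compile` function, continues past the end of the hunk.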


@ -207,9 +207,9 @@
{::wrk/executor (ig/ref ::wrk/executor)} {::wrk/executor (ig/ref ::wrk/executor)}
:app.http.session/manager :app.http.session/manager
{:pool (ig/ref ::db/pool) {::db/pool (ig/ref ::db/pool)
:sprops (ig/ref :app.setup/props) ::wrk/executor (ig/ref ::wrk/executor)
:executor (ig/ref ::wrk/executor)} ::props (ig/ref :app.setup/props)}
:app.http.session/gc-task :app.http.session/gc-task
{:pool (ig/ref ::db/pool) {:pool (ig/ref ::db/pool)