control: Generalize cookie and csrf handling

2023-01-05 15:59:24 +01:00 · 2023-01-05 15:59:24 +01:00 · 34bdb3cf24
commit 34bdb3cf24
parent eb17dbe33f
15 changed files with 122 additions and 44 deletions
--- a/internal/dis/component/auth/auth.go
+++ b/internal/dis/component/auth/auth.go
@ -19,14 +19,18 @@ type Auth struct {
 	}

 	store lazy.Lazy[sessions.Store]
-	csrf  lazy.Lazy[func(http.Handler) http.Handler]
 }

 var (
 	_ component.Routeable = (*Auth)(nil)
 )

-func (auth *Auth) Routes() []string { return []string{"/auth/"} }
+func (auth *Auth) Routes() component.Routes {
+	return component.Routes{
+		Paths: []string{"/auth/"},
+		CSRF:  true,
+	}
+}

 func (auth *Auth) HandleRoute(ctx context.Context, route string) (http.Handler, error) {
 	router := httprouter.New()
--- a/internal/dis/component/auth/panel/panel.go
+++ b/internal/dis/component/auth/panel/panel.go
@ -22,7 +22,13 @@ var (
 	_ component.Routeable = (*UserPanel)(nil)
 )

-func (panel *UserPanel) Routes() []string { return []string{"/user/"} }
+func (panel *UserPanel) Routes() component.Routes {
+	return component.Routes{
+		Paths:     []string{"/user/"},
+		CSRF:      true,
+		Decorator: panel.Dependencies.Auth.Require(nil),
+	}
+}

 func (panel *UserPanel) HandleRoute(ctx context.Context, route string) (http.Handler, error) {
 	router := httprouter.New()
--- a/internal/dis/component/auth/panel/password.go
+++ b/internal/dis/component/auth/panel/password.go
@ -33,7 +33,6 @@ func (panel *UserPanel) routePassword(ctx context.Context) http.Handler {
 			{Name: "new2", Type: httpx.PasswordField, EmptyOnError: true, Label: "New Password (again)"},
 		},
 		FieldTemplate: httpx.PureCSSFieldTemplate,
-		CSRF:          true,

 		RenderTemplate:        passwordTemplate,
 		RenderTemplateContext: panel.UserFormContext,
--- a/internal/dis/component/auth/panel/totp.go
+++ b/internal/dis/component/auth/panel/totp.go
@ -22,7 +22,6 @@ func (panel *UserPanel) routeTOTPEnable(ctx context.Context) http.Handler {
 			{Name: "password", Type: httpx.PasswordField, EmptyOnError: true, Label: "Current Password"},
 		},
 		FieldTemplate: httpx.PureCSSFieldTemplate,
-		CSRF:          true,

 		SkipForm: func(r *http.Request) (data struct{}, skip bool) {
 			user, err := panel.Dependencies.Auth.UserOf(r)
@ -80,7 +79,6 @@ func (panel *UserPanel) routeTOTPEnroll(ctx context.Context) http.Handler {
 			{Name: "otp", Type: httpx.TextField, EmptyOnError: true, Label: "Passcode"},
 		},
 		FieldTemplate: httpx.PureCSSFieldTemplate,
-		CSRF:          true,

 		SkipForm: func(r *http.Request) (data struct{}, skip bool) {
 			user, err := panel.Dependencies.Auth.UserOf(r)
@ -150,7 +148,6 @@ func (panel *UserPanel) routeTOTPDisable(ctx context.Context) http.Handler {
 			{Name: "otp", Type: httpx.TextField, EmptyOnError: true, Label: "Current Passcode"},
 		},
 		FieldTemplate: httpx.PureCSSFieldTemplate,
-		CSRF:          true,

 		SkipForm: func(r *http.Request) (data struct{}, skip bool) {
 			user, err := panel.Dependencies.Auth.UserOf(r)
--- a/internal/dis/component/auth/protect.go
+++ b/internal/dis/component/auth/protect.go
@ -72,6 +72,14 @@ func (auth *Auth) Protect(handler http.Handler, perm Permission) http.Handler {
 	})
 }

+// Require returns a slice containing one decorator that acts like Protect(perm) on every request.
+// It returns
+func (auth *Auth) Require(perm Permission) func(http.Handler) http.Handler {
+	return func(h http.Handler) http.Handler {
+		return auth.Protect(h, perm)
+	}
+}
+
 // Admin represents a permission that checks if a user is an administrator and has totp enabled.
 var Admin Permission = func(user *AuthUser, r *http.Request) (ok Grant, err error) {
 	return Bool2Grant(user != nil && user.IsAdmin() && user.IsTOTPEnabled(), "user needs to have admin permissions and passcode enabled"), nil
--- a/internal/dis/component/auth/session.go
+++ b/internal/dis/component/auth/session.go
@ -5,6 +5,7 @@ import (
 	"errors"
 	"net/http"

+	"github.com/FAU-CDI/wisski-distillery/internal/dis/component/control"
 	"github.com/FAU-CDI/wisski-distillery/internal/dis/component/control/static"
 	"github.com/FAU-CDI/wisski-distillery/pkg/httpx"
 	"github.com/gorilla/sessions"
@ -30,7 +31,7 @@ func (auth *Auth) UserOf(r *http.Request) (user *AuthUser, err error) {
 	}

 	// try to read the name from the session
-	name, ok := sess.Values[sessionUserKey]
+	name, ok := sess.Values[control.SessionUserKey]
 	if !ok {
 		return nil, nil
 	}
@ -57,18 +58,14 @@ func (auth *Auth) UserOf(r *http.Request) (user *AuthUser, err error) {
 	return user, nil
 }

-const sessionCookieName = "distillery-session"
-
 // session returns the session that belongs to a given request.
 // If the session is not set, creates a new session.
 func (auth *Auth) session(r *http.Request) (*sessions.Session, error) {
 	return auth.store.Get(func() sessions.Store {
 		return sessions.NewCookieStore([]byte(auth.Config.SessionSecret))
-	}).Get(r, sessionCookieName)
+	}).Get(r, control.SessionCookie)
 }

-const sessionUserKey = "user"
-
 type contextUserKey struct{}

 var ctxUserKey = contextUserKey{}
@ -84,7 +81,7 @@ func (auth *Auth) Login(w http.ResponseWriter, r *http.Request, user *AuthUser)
 	if err != nil {
 		return err
 	}
-	sess.Values[sessionUserKey] = user.User.User
+	sess.Values[control.SessionUserKey] = user.User.User
 	return sess.Save(r, w)
 }

@ -121,7 +118,6 @@ func (auth *Auth) authLogin(ctx context.Context) http.Handler {
 			{Name: "otp", Type: httpx.TextField, EmptyOnError: true, Label: "Passcode (optional)"},
 		},
 		FieldTemplate: httpx.PureCSSFieldTemplate,
-		CSRF:          true,

 		RenderForm: func(context httpx.FormContext, w http.ResponseWriter, r *http.Request) {
 			if context.Err != nil {