diff --git a/api/external.go b/api/external.go
index ffa5c7da6..1ea3c7fe9 100644
--- a/api/external.go
+++ b/api/external.go
@@ -11,7 +11,6 @@ import (
 
 	"github.com/gofrs/uuid"
 	jwt "github.com/golang-jwt/jwt"
-	"github.com/markbates/goth/gothic"
 	"github.com/netlify/gotrue/api/provider"
 	"github.com/netlify/gotrue/models"
 	"github.com/netlify/gotrue/storage"
@@ -83,7 +82,7 @@ func (a *API) ExternalProviderRedirect(w http.ResponseWriter, r *http.Request) e
 	switch externalProvider := p.(type) {
 	case *provider.TwitterProvider:
 		authURL = externalProvider.AuthCodeURL(tokenString)
-		err := gothic.StoreInSession(providerType, externalProvider.Marshal(), r, w)
+		err := storage.StoreInSession(providerType, externalProvider.Marshal(), r, w)
 		if err != nil {
 			return internalServerError("Error storing request token in session").WithInternalError(err)
 		}
diff --git a/api/external_oauth.go b/api/external_oauth.go
index 0b245900c..c15ea743e 100644
--- a/api/external_oauth.go
+++ b/api/external_oauth.go
@@ -5,9 +5,9 @@ import (
 	"net/http"
 	"net/url"
 
-	"github.com/markbates/goth/gothic"
 	"github.com/mrjones/oauth"
 	"github.com/netlify/gotrue/api/provider"
+	"github.com/netlify/gotrue/storage"
 	"github.com/sirupsen/logrus"
 )
 
@@ -102,7 +102,7 @@ func (a *API) oAuth1Callback(ctx context.Context, r *http.Request, providerType
 	if err != nil {
 		return nil, badRequestError("Unsupported provider: %+v", err).WithInternalError(err)
 	}
-	value, err := gothic.GetFromSession(providerType, r)
+	value, err := storage.GetFromSession(providerType, r)
 	if err != nil {
 		return &OAuthProviderData{}, err
 	}
diff --git a/go.mod b/go.mod
index 9f02925fe..39faadd6d 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,7 @@
 module github.com/netlify/gotrue
 
 require (
+	cloud.google.com/go v0.67.0 // indirect
 	github.com/GoogleCloudPlatform/cloudsql-proxy v0.0.0-20170623214735-571947b0f240
 	github.com/Masterminds/semver/v3 v3.1.1 // indirect
 	github.com/badoux/checkmail v0.0.0-20170203135005-d0a759655d62
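Review bot: In the `@@ -102,7 +102,7 @@` hunk of api/external_oauth.go, `value, err := storage.GetFromSession(providerType, r)` consumes the OAuth1 request token but nothing removes it afterwards, so the signed cookie carrying the provider's request-token material keeps being sent on every subsequent request for the cookie store's full lifetime. The callback should expire the entry once it has been read, for example through a small helper beside GetFromSession that re-saves the session with `session.Options.MaxAge = -1`. oAuth1Callback starts and continues outside the hunk, so the exact place to call it is not visible here.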
@@ -19,6 +20,8 @@ require (
 	github.com/gobuffalo/validate/v3 v3.3.0 // indirect
 	github.com/gofrs/uuid v4.0.0+incompatible
 	github.com/golang-jwt/jwt v3.2.1+incompatible
+	github.com/gorilla/securecookie v1.1.1 // indirect
+	github.com/gorilla/sessions v1.1.1
 	github.com/imdario/mergo v0.0.0-20160216103600-3e95a51e0639
 	github.com/jackc/pgproto3/v2 v2.0.7 // indirect
 	github.com/jmoiron/sqlx v1.3.1 // indirect
@@ -26,7 +29,6 @@ require (
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/lestrrat-go/jwx v0.9.0
 	github.com/lib/pq v1.9.0 // indirect
-	github.com/markbates/goth v1.67.1
 	github.com/microcosm-cc/bluemonday v1.0.5 // indirect
 	github.com/mrjones/oauth v0.0.0-20190623134757-126b35219450
 	github.com/netlify/mailme v1.1.1
diff --git a/go.sum b/go.sum
index 1b2671ff0..bc030a9bf 100644
--- a/go.sum
+++ b/go.sum
@@ -232,9 +232,6 @@ github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
 github.com/gorilla/css v1.0.0 h1:BQqNyPTi50JCFMTw/b67hByjMVXZRwGha6wxVGkeihY=
 github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
-github.com/gorilla/mux v1.6.2 h1:Pgr17XVTNXAk3q/r4CpKzC5xBM/qW1uVLV+IhRZpIIk=
-github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
-github.com/gorilla/pat v0.0.0-20180118222023-199c85a7f6d1/go.mod h1:YeAe0gNeiNT5hoiZRI4yiOky6jVdNvfO2N6Kav/HmxY=
 github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/sessions v1.1.1 h1:YMDmfaK68mUixINzY/XjscuJ47uXFWSSHzFbBQM0PrE=
@@ -333,7 +330,6 @@ github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0f
 github.com/jackc/puddle v1.1.0/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle v1.1.1/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
-github.com/jarcoal/httpmock v0.0.0-20180424175123-9c70cfe4a1da/go.mod h1:ks+b9deReOc7jgqp+e7LuFiCBH6Rm5hL32cLcEAArb4=
 github.com/jmoiron/sqlx v1.2.0/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhBSsks=
 github.com/jmoiron/sqlx v1.3.1 h1:aLN7YINNZ7cYOPK3QC83dbM6KT0NMqVMw961TqrejlE=
 github.com/jmoiron/sqlx v1.3.1/go.mod h1:2BljVx/86SuTyjE+aPYlHCTNvZrnJXghYGpNiXLBMCQ=
@@ -383,9 +379,6 @@ github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czP
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/markbates/errx v1.1.0 h1:QDFeR+UP95dO12JgW+tgi2UVfo0V8YBHiUIOaeBPiEI=
 github.com/markbates/errx v1.1.0/go.mod h1:PLa46Oex9KNbVDZhKel8v1OT7hD5JZ2eI7AHhA0wswc=
-github.com/markbates/going v1.0.0/go.mod h1:I6mnB4BPnEeqo85ynXIx1ZFLLbtiLHNXVgWeFO9OGOA=
-github.com/markbates/goth v1.67.1 h1:gU5B0pzHVyhnJPwGynfFnkfvaQ39C1Sy+ewdl+bhAOw=
-github.com/markbates/goth v1.67.1/go.mod h1:EyLFHGU5ySr2GXRDyJH5nu2dA7parbC8QwIYW/rGcWg=
 github.com/markbates/oncer v1.0.0 h1:E83IaVAHygyndzPimgUYJjbshhDTALZyXxvk9FOlQRY=
 github.com/markbates/oncer v1.0.0/go.mod h1:Z59JA581E9GP6w96jai+TGqafHPW+cPfRxz2aSZ0mcI=
 github.com/markbates/safe v1.0.1 h1:yjZkbvRM6IzKj9tlu/zMJLS0n/V351OZWRnF3QfaUxI=
@@ -413,8 +406,6 @@ github.com/mattn/go-sqlite3 v2.0.3+incompatible h1:gXHsfypPkaMZrKbD5209QV9jbUTJK
 github.com/mattn/go-sqlite3 v2.0.3+incompatible/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/microcosm-cc/bluemonday v1.0.2/go.mod h1:iVP4YcDBq+n/5fb23BhYFvIMq/leAFZyRl6bYmGDlGc=
-github.com/microcosm-cc/bluemonday v1.0.4 h1:p0L+CTpo/PLFdkoPcJemLXG+fpMD7pYOoDEq1axMbGg=
-github.com/microcosm-cc/bluemonday v1.0.4/go.mod h1:8iwZnFn2CDDNZ0r6UXhF4xawGvzaqzCRa1n3/lO3W2w=
 github.com/microcosm-cc/bluemonday v1.0.5 h1:cF59UCKMmmUgqN1baLvqU/B1ZsMori+duLVTLpgiG3w=
 github.com/microcosm-cc/bluemonday v1.0.5/go.mod h1:8iwZnFn2CDDNZ0r6UXhF4xawGvzaqzCRa1n3/lO3W2w=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
@@ -428,7 +419,6 @@ github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:F
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/mrjones/oauth v0.0.0-20180629183705-f4e24b6d100c/go.mod h1:skjdDftzkFALcuGzYSklqYd8gvat6F1gZJ4YPVbkZpM=
 github.com/mrjones/oauth v0.0.0-20190623134757-126b35219450 h1:j2kD3MT1z4PXCiUllUJF9mWUESr9TWKS7iEKsQ/IipM=
 github.com/mrjones/oauth v0.0.0-20190623134757-126b35219450/go.mod h1:skjdDftzkFALcuGzYSklqYd8gvat6F1gZJ4YPVbkZpM=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
@@ -662,7 +652,6 @@ golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81R
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200927032502-5d4f70055728/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20200930145003-4acb6c075d10/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777 h1:003p0dJM77cxMSyCPFphvZf/Y5/NXf5fzg6ufd1/Oew=
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
diff --git a/storage/session.go b/storage/session.go
new file mode 100644
index 000000000..e6189690d
--- /dev/null
+++ b/storage/session.go
@@ -0,0 +1,42 @@
+package storage
+
+import (
+	"errors"
+	"net/http"
+
+	"github.com/gorilla/securecookie"
+	"github.com/gorilla/sessions"
+	"github.com/kelseyhightower/envconfig"
+)
+
+var sessionName = "_gotrue_session"
+var Store sessions.Store
+
+type SessionConfig struct {
+	Key []byte `envconfig:"GOTRUE_SESSION_KEY"`
+}
+
+func init() {
+	var sessionConfig SessionConfig
+	err := envconfig.Process("GOTRUE_SESSION_KEY", &sessionConfig)
+	if err != nil || len(sessionConfig.Key) == 0 {
+		sessionConfig.Key = securecookie.GenerateRandomKey(32)
+	}
+	Store = sessions.NewCookieStore(sessionConfig.Key)
+}
+
+func StoreInSession(key string, value string, req *http.Request, res http.ResponseWriter) error {
+	session, _ := Store.New(req, sessionName)
+	session.Values[key] = value
+	return session.Save(req, res)
+}
+
+func GetFromSession(key string, req *http.Request) (string, error) {
+	session, _ := Store.Get(req, sessionName)
+	value, ok := session.Values[key]
+	if !ok {
+		return "", errors.New("session could not be found for this request")
+	}
+
+	return value.(string), nil
+}
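Review bot: `Store = sessions.NewCookieStore(sessionConfig.Key)` in init() puts the OAuth1 request-token material into a cookie with gorilla's stock options, which as far as I recall are Path "/" and a 30-day MaxAge with neither HttpOnly nor Secure set, and because only one key is passed the payload is signed but not encrypted; a handshake cookie should be HttpOnly, Secure wherever TLS is terminated in front of the service, and live for minutes rather than a month. The fallback branch above it also hides misconfiguration: a mistyped GOTRUE_SESSION_KEY silently gives each process its own random key, so callbacks fail after a restart or when a load balancer lands the callback on another instance, with nothing in the logs to explain why — a warning there would make that visible. In GetFromSession the unchecked `value.(string)` would panic on a non-string entry; prefer `s, ok := value.(string)` and return the same error when `!ok`. SameSite belongs in the same options block, but the Options struct of the gorilla/sessions v1.1.1 pinned in go.mod predates that field, so it would need a dependency bump first.
```go
func init() {
	var sessionConfig SessionConfig
	err := envconfig.Process("GOTRUE_SESSION_KEY", &sessionConfig)
	if err != nil || len(sessionConfig.Key) == 0 {
		// A per-process key means cookies are unreadable after a restart or on another instance.
		logrus.Warnf("GOTRUE_SESSION_KEY missing or unreadable (%v); falling back to a per-process random key", err)
		sessionConfig.Key = securecookie.GenerateRandomKey(32)
	}
	store := sessions.NewCookieStore(sessionConfig.Key)
	store.Options.HttpOnly = true
	store.Options.Secure = true // TODO: make configurable for plain-HTTP development setups
	store.MaxAge(10 * 60)       // seconds; sets both the cookie and the codec limit
	Store = store
}
```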