From 8b09d46121bc30f6d26859fe6d2b1110838f0c14 Mon Sep 17 00:00:00 2001
From: Sidharth Ramesh
Date: Thu, 3 Mar 2022 17:39:09 +0530
Subject: [PATCH 1/2] changed cookie names to reflect client id

---
 consent/strategy_default.go | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/consent/strategy_default.go b/consent/strategy_default.go
index 6f67951fc05..83ab1380389 100644
--- a/consent/strategy_default.go
+++ b/consent/strategy_default.go
@@ -22,6 +22,7 @@ package consent
 import (
 "context"
+ "fmt"
 "net/http"
 "net/url"
 "strconv"
@@ -281,7 +282,11 @@ func (s *DefaultStrategy) forwardAuthenticationRequest(w http.ResponseWriter, r
 return errorsx.WithStack(err)
 }
- if err := createCsrfSession(w, r, s.r.CookieStore(), cookieAuthenticationCSRFName, csrf, s.c.TLS(config.PublicInterface).Enabled(), s.c.CookieSameSiteMode(), s.c.CookieSameSiteLegacyWorkaround()); err != nil {
+ authCookieName := cookieAuthenticationCSRFName + ar.GetClient().GetID()
+ fmt.Printf("Setting Auth Cookie + client_ID: %s ", authCookieName)
+ if err := createCsrfSession(w, r, s.r.CookieStore(), authCookieName, csrf, s.c.TLS(config.PublicInterface).Enabled(), s.c.CookieSameSiteMode(), s.c.CookieSameSiteLegacyWorkaround()); err != nil {
 return errorsx.WithStack(err)
 }
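Review bot: `authCookieName := cookieAuthenticationCSRFName + ar.GetClient().GetID()` puts a registration-chosen string straight into a cookie name, but a cookie name must be an RFC 6265 token: if the client ID contains a space, `;`, `=` or similar, net/http's SetCookie (which the cookie store presumably ends in) silently emits nothing, so the CSRF cookie is never set and every login for that client then fails in validateCsrfSession. Deriving the suffix through one helper that maps the ID onto a token-safe, bounded-length string — with a separator so distinct base names cannot collide — would also replace the four copies of this expression (this hunk, verifyAuthentication, forwardConsentRequest and verifyConsent); the sketch below needs crypto/sha256 and encoding/hex in the import block. This only fails closed, and the client ID is public anyway, so nothing here leaks a secret. forwardAuthenticationRequest starts and ends outside the hunk.
```go
// csrfCookieName derives the per-client CSRF cookie name from base and clientID.
// The ID is hashed so the result is always a valid, bounded-length cookie-name
// token regardless of which characters the client was registered with.
func csrfCookieName(base, clientID string) string {
	sum := sha256.Sum256([]byte(clientID))
	return base + "_" + hex.EncodeToString(sum[:16])
}

// … unchanged: earlier body of forwardAuthenticationRequest …
	authCookieName := csrfCookieName(cookieAuthenticationCSRFName, ar.GetClient().GetID())
```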
@@ -356,8 +361,10 @@ func (s *DefaultStrategy) verifyAuthentication(w http.ResponseWriter, r *http.Re
 if session.RequestedAt.Add(s.c.ConsentRequestMaxAge()).Before(time.Now()) {
 return nil, errorsx.WithStack(fosite.ErrRequestUnauthorized.WithHint("The login request has expired. Please try again."))
 }
+ authCookieName := cookieAuthenticationCSRFName + session.LoginRequest.ClientID
- if err := validateCsrfSession(r, s.r.CookieStore(), cookieAuthenticationCSRFName, session.LoginRequest.CSRF, s.c.CookieSameSiteLegacyWorkaround(), s.c.TLS(config.PublicInterface).Enabled()); err != nil {
+ fmt.Printf("Validating Auth Cookie + client_ID: %s ", authCookieName)
+ if err := validateCsrfSession(r, s.r.CookieStore(), authCookieName, session.LoginRequest.CSRF, s.c.CookieSameSiteLegacyWorkaround(), s.c.TLS(config.PublicInterface).Enabled()); err != nil {
 return nil, err
 }
@@ -569,8 +576,10 @@ func (s *DefaultStrategy) forwardConsentRequest(w http.ResponseWriter, r *http.R
 ); err != nil {
 return errorsx.WithStack(err)
 }
+ consentCookieName := cookieConsentCSRFName + ar.GetClient().GetID()
+ fmt.Printf("Setting Consent Cookie + client_ID: %s ", consentCookieName)
- if err := createCsrfSession(w, r, s.r.CookieStore(), cookieConsentCSRFName, csrf, s.c.TLS(config.PublicInterface).Enabled(), s.c.CookieSameSiteMode(), s.c.CookieSameSiteLegacyWorkaround()); err != nil {
+ if err := createCsrfSession(w, r, s.r.CookieStore(), consentCookieName, csrf, s.c.TLS(config.PublicInterface).Enabled(), s.c.CookieSameSiteMode(), s.c.CookieSameSiteLegacyWorkaround()); err != nil {
 return errorsx.WithStack(err)
 }
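Review bot: The validation side now rebuilds the name from `session.LoginRequest.ClientID` while forwardAuthenticationRequest built it from `ar.GetClient().GetID()`; those presumably carry the same value, but that equality is now what binds the CSRF cookie to the flow, so a comment such as `// must derive the same name as forwardAuthenticationRequest, or validation always fails` on the new line would keep a later refactor from breaking it silently. There is also no transition handling: a login flow started on the previous release carries its cookie under the bare `cookieAuthenticationCSRFName`, and after this change validateCsrfSession rejects it, so every in-flight login fails once the new version is deployed (the consent cookie in forwardConsentRequest/verifyConsent behaves the same way). That is fail-closed and probably acceptable, but it belongs in the changelog; if a fallback to the legacy name is ever added it should be temporary, since accepting the unsuffixed cookie removes the per-client binding this patch introduces. verifyAuthentication starts and ends outside the hunk.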
@@ -604,8 +613,10 @@ func (s *DefaultStrategy) verifyConsent(w http.ResponseWriter, r *http.Request,
 if time.Time(session.ConsentRequest.AuthenticatedAt).IsZero() {
 return nil, errorsx.WithStack(fosite.ErrServerError.WithHint("The authenticatedAt value was not set."))
 }
+ consentCookieName := cookieConsentCSRFName + session.ConsentRequest.ClientID
- if err := validateCsrfSession(r, s.r.CookieStore(), cookieConsentCSRFName, session.ConsentRequest.CSRF, s.c.CookieSameSiteLegacyWorkaround(), s.c.TLS(config.PublicInterface).Enabled()); err != nil {
+ fmt.Printf("Validating Consent Cookie + client_ID: %s ", consentCookieName)
+ if err := validateCsrfSession(r, s.r.CookieStore(), consentCookieName, session.ConsentRequest.CSRF, s.c.CookieSameSiteLegacyWorkaround(), s.c.TLS(config.PublicInterface).Enabled()); err != nil {
 return nil, err
 }

From d291964043c431cc607e267a3ec013725568d016 Mon Sep 17 00:00:00 2001
From: Sidharth Ramesh
Date: Thu, 7 Apr 2022 10:53:57 +0530
Subject: [PATCH 2/2] removed log lines

---
 consent/strategy_default.go | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/consent/strategy_default.go b/consent/strategy_default.go
index 83ab1380389..765d15ca670 100644
--- a/consent/strategy_default.go
+++ b/consent/strategy_default.go
@@ -22,7 +22,6 @@ package consent
 import (
 "context"
- "fmt"
 "net/http"
 "net/url"
 "strconv"
@@ -284,7 +283,6 @@ func (s *DefaultStrategy) forwardAuthenticationRequest(w http.ResponseWriter, r
 authCookieName := cookieAuthenticationCSRFName + ar.GetClient().GetID()
- fmt.Printf("Setting Auth Cookie + client_ID: %s ", authCookieName)
 if err := createCsrfSession(w, r, s.r.CookieStore(), authCookieName, csrf, s.c.TLS(config.PublicInterface).Enabled(), s.c.CookieSameSiteMode(), s.c.CookieSameSiteLegacyWorkaround()); err != nil {
 return errorsx.WithStack(err)
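Review bot: With a per-client suffix the browser now keeps one consent CSRF cookie per client the user has visited, and nothing in this hunk removes the cookie after `validateCsrfSession` succeeds; unless that helper (not visible here) expires it, the Cookie header grows with every client, and browsers typically evict older cookies once a per-domain cap is reached, which could drop a still-live CSRF cookie for a flow in progress. Worth confirming that validateCsrfSession or the store clears the cookie on a successful check, and recording that in a comment on the new line, e.g. `// one cookie per client; relies on validateCsrfSession expiring it after use — confirm`. The same consideration applies to the authentication cookie in verifyAuthentication. verifyConsent starts and ends outside the hunk.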
@@ -363,7 +361,6 @@ func (s *DefaultStrategy) verifyAuthentication(w http.ResponseWriter, r *http.Re
 }
 authCookieName := cookieAuthenticationCSRFName + session.LoginRequest.ClientID
- fmt.Printf("Validating Auth Cookie + client_ID: %s ", authCookieName)
 if err := validateCsrfSession(r, s.r.CookieStore(), authCookieName, session.LoginRequest.CSRF, s.c.CookieSameSiteLegacyWorkaround(), s.c.TLS(config.PublicInterface).Enabled()); err != nil {
 return nil, err
 }
@@ -577,7 +574,6 @@ func (s *DefaultStrategy) forwardConsentRequest(w http.ResponseWriter, r *http.R
 return errorsx.WithStack(err)
 }
 consentCookieName := cookieConsentCSRFName + ar.GetClient().GetID()
- fmt.Printf("Setting Consent Cookie + client_ID: %s ", consentCookieName)
 if err := createCsrfSession(w, r, s.r.CookieStore(), consentCookieName, csrf, s.c.TLS(config.PublicInterface).Enabled(), s.c.CookieSameSiteMode(), s.c.CookieSameSiteLegacyWorkaround()); err != nil {
 return errorsx.WithStack(err)
@@ -615,7 +611,6 @@ func (s *DefaultStrategy) verifyConsent(w http.ResponseWriter, r *http.Request,
 }
 consentCookieName := cookieConsentCSRFName + session.ConsentRequest.ClientID
- fmt.Printf("Validating Consent Cookie + client_ID: %s ", consentCookieName)
 if err := validateCsrfSession(r, s.r.CookieStore(), consentCookieName, session.ConsentRequest.CSRF, s.c.CookieSameSiteLegacyWorkaround(), s.c.TLS(config.PublicInterface).Enabled()); err != nil {
 return nil, err
 }