Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ( // Error raised when browser state cannot be retrieved. ErrInvalidBrowserState = fmt.Errorf(`%w: browser state is invalid, not found or expired`, oidc.ErrInvalidRequest) )
Functions ¶
This section is empty.
Types ¶
type BrowserState ¶
type BrowserState struct { Id string `json:"id"` Sessions []*Session `json:"s"` New bool `json:"-"` // transient, true if the state is new OldHash string `json:"-"` // transient, records the old hash }
BrowserState is the collection of all on-going user sessions that is remembered in the browser. A browser state should be automatically cleared a year after its longest living session has expired. This prevents zombie browsers from lingering in the storage.
func MustBrowserState ¶
func MustBrowserState(ctx context.Context) *BrowserState
MustBrowserState retrieves the browser state in the context, or panics if one is not found.
func (*BrowserState) AddSession ¶
func (b *BrowserState) AddSession(s *Session)
func (*BrowserState) Expired ¶
func (b *BrowserState) Expired() bool
Expired returns true if the browser state is expired.
func (*BrowserState) Expiry ¶
func (b *BrowserState) Expiry() time.Time
Expiry returns the time at which this browser state shall expire at the server side. It is usually a year after the expiry of its longest living session. Hypothetically, if the browser has been idled for longer than a year, its server side state will automatically expire. After that, even if the browser resumed activity and came to claim its browser state via its cookies, the server shall deny it and assign a new empty browser state.
func (*BrowserState) Hash ¶
func (b *BrowserState) Hash() string
Hash returns a stable hash representation of this browser state. Sorted session ids are included in the hash computation.
func (*BrowserState) Sanitize ¶
func (b *BrowserState) Sanitize()
Sanitize clears any expired sessions from browser state.
func (*BrowserState) ToLite ¶
func (b *BrowserState) ToLite() *BrowserStateLite
ToLite returns a lite representation of BrowserState that is suitable to be saved as browser cookies.
type BrowserStateController ¶
type BrowserStateController struct { CookieDomain string CookieSecure bool Storage BrowserStateStorage Logger *zerolog.Logger }
BrowserStateController controls the aspect around the main HTTP handler logic with respect to translating between "opbs" (OP browser state) cookie and full representation of browser state. It reads the "opbs" cookie and find the corresponding server side browser state from storage (or create a new one, if configured) and sets it on the request context. Downstream handlers will have access to the browser state by calling
browserState := MustBrowserState(ctx)
After downstream handlers are finished, it checks if the browser state has changed and saves it back to database if necessary. Unchanged browser state avoid a trip to database. Finally, browser state is converted back to its cookie form and written back to the browser.
func (*BrowserStateController) BrowserStateDefault ¶
func (c *BrowserStateController) BrowserStateDefault(handlerFunc http.HandlerFunc) http.HandlerFunc
BrowserStateDefault creates an HTTP middleware that parse the browser state from cookie, or create a new one
func (*BrowserStateController) BrowserStateRequired ¶
func (c *BrowserStateController) BrowserStateRequired(handlerFunc http.HandlerFunc) http.HandlerFunc
BrowserStateRequired creates an HTTP middleware that parse the browser state from cookie, or return error if it cannot be parsed due to various reasons (i.e. malformed cookie, missing browser state from storage, expired)
func (*BrowserStateController) FlushBrowserState ¶
func (c *BrowserStateController) FlushBrowserState(ctx context.Context, rw http.ResponseWriter)
type BrowserStateKey ¶
type BrowserStateKey struct{}
Key used to retrieve browser state in context.Context
type BrowserStateLite ¶
BrowserStateLite is the compact form of browser state will only contain the ids of the browser and ids of its sessions that has not expired. These ids are random and cannot be used by malicious party to fish on the identity of the logged-in user.
type BrowserStateStorage ¶
type BrowserStateStorage interface { // Save inserts a new or updates an existing BrowserState in the storage. If the underlying // database cannot automatically remove expired sessions. Implementation is responsible for // removing expired sessions manually. Save(ctx context.Context, bs *BrowserState) error // Get the browser state by its id. Implementation may return browser state that contained // expired sessions, if the underlying database does not support automatic removal. However, // if the browser state itself has expired, implementation shall not return any browser state // and should take steps to ensure it is deleted from database. Get(ctx context.Context, id string) (*BrowserState, error) }
BrowserStateStorage is responsible of persisting BrowserState. Any error encountered by the implementation should return ErrInvalidBrowserState error.
func MemoryBrowserStateStorage ¶
func MemoryBrowserStateStorage() BrowserStateStorage
MemoryBrowserStateStorage return an implementation of BrowserStateStorage that stores it in memory. The implementation is not thread-safe and it not intended for production use.
type Consent ¶
Consent represents the record which the user authorized onr or more requested scopes. The consent may or may not have an expiry.
func (*Consent) MarshalJSON ¶
func (*Consent) UnmarshalJSON ¶
type ConsentStorage ¶
type ConsentStorage interface { // Save the consent record to storage Save(ctx context.Context, consent *Consent) error // Get all consent session by this subject. Implementations may or may not return // expired records. If records were not found, return an empty slice. GetBySubject(ctx context.Context, subject string) []*Consent }
ConsentStorage provides persistence storage for consent records.
func MemoryConsentStorage ¶
func MemoryConsentStorage() ConsentStorage
MemoryConsentStorage returns an in-memory implementation of ConsentStorage. The implementation is not thread-safe and is not intended for production usage.
type RedisBrowserStateStorage ¶
func (*RedisBrowserStateStorage) Get ¶
func (s *RedisBrowserStateStorage) Get(_ context.Context, id string) (*BrowserState, error)
func (*RedisBrowserStateStorage) Save ¶
func (s *RedisBrowserStateStorage) Save(ctx context.Context, bs *BrowserState) error
type RedisConsentStorage ¶
func (*RedisConsentStorage) GetBySubject ¶
func (s *RedisConsentStorage) GetBySubject(_ context.Context, subject string) []*Consent
type Session ¶
type Session struct { Id string Subject string UIData json.RawMessage AuthTime time.Time Lifespan time.Duration Claims map[string]interface{} }
Session represents a user during the period of time he is authenticated with the the authorization server by request of a client. It is persisted in server side storage in order to preserve user's login state.
The ID of the session is sent to browser as part of the browser state. This constitutes the design of OpenID Connect Session Management where the client can have a degree of insight on the login status of the user without constantly querying the server.
func (*Session) ExceededMaxAge ¶
ExceededMaxAge returns true if the session's authentication is older than the number of seconds specified by the age parameter. If so, such session cannot be considered to meet request's requirement, even though it has not expired.