Affected by GO-2022-0783 and 4 other vulnerabilities

GO-2022-0783: JWT leak via Open Redirect in Programmatic access in github.com/pomerium/pomerium

GO-2022-0933: Incorrect handling of H2 GOAWAY + SETTINGS frames in github.com/pomerium/pomerium

GO-2023-1800: Pomerium vulnerable to Incorrect Authorization with specially crafted requests in github.com/pomerium/pomerium

GO-2024-2965: Pomerium exposed OAuth2 access and ID tokens in user info endpoint response in github.com/pomerium/pomerium

GO-2024-3179: Pomerium service account access token may grant unintended access to databroker API in github.com/pomerium/pomerium

sessions

package

v0.0.1 Latest Latest Go to latest Published: Jan 2, 2019 License: Apache-2.0 Imports: 8 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/pomerium/pomerium

Links

Open Source Insights

Documentation ¶

Index ¶

Variables
func CreateMiscreantCookieCipher(cookieSecret []byte) func(s *CookieStore) error
func ExtendDeadline(ttl time.Duration) time.Time
func MarshalSession(s *SessionState, c aead.Cipher) (string, error)
type CSRFStore
type CookieStore
- func NewCookieStore(cookieName string, optFuncs ...func(*CookieStore) error) (*CookieStore, error)
type MockCSRFStore
type MockSessionStore
type SessionState
- func UnmarshalSession(value string, c aead.Cipher) (*SessionState, error)
type SessionStore

Constants ¶

This section is empty.

Variables ¶

View Source

var ErrInvalidSession = errors.New("invalid session")

ErrInvalidSession is an error for invalid sessions.

View Source

var (
	// ErrLifetimeExpired is an error for the lifetime deadline expiring
	ErrLifetimeExpired = errors.New("user lifetime expired")
)

Functions ¶

func CreateMiscreantCookieCipher ¶

func CreateMiscreantCookieCipher(cookieSecret []byte) func(s *CookieStore) error

CreateMiscreantCookieCipher creates a new miscreant cipher with the cookie secret

func ExtendDeadline ¶

func ExtendDeadline(ttl time.Duration) time.Time

ExtendDeadline returns the time extended by a given duration

func MarshalSession ¶

func MarshalSession(s *SessionState, c aead.Cipher) (string, error)

MarshalSession marshals the session state as JSON, encrypts the JSON using the given cipher, and base64-encodes the result

Types ¶

type CSRFStore ¶

type CSRFStore interface {
	SetCSRF(http.ResponseWriter, *http.Request, string)
	GetCSRF(*http.Request) (*http.Cookie, error)
	ClearCSRF(http.ResponseWriter, *http.Request)
}

CSRFStore has the functions for setting, getting, and clearing the CSRF cookie

type CookieStore ¶

type CookieStore struct {
	Name               string
	CSRFCookieName     string
	CookieExpire       time.Duration
	CookieRefresh      time.Duration
	CookieSecure       bool
	CookieHTTPOnly     bool
	CookieDomain       string
	CookieCipher       aead.Cipher
	SessionLifetimeTTL time.Duration
}

CookieStore represents all the cookie related configurations

func NewCookieStore ¶

func NewCookieStore(cookieName string, optFuncs ...func(*CookieStore) error) (*CookieStore, error)

NewCookieStore returns a new session with ciphers for each of the cookie secrets

func (*CookieStore) ClearCSRF ¶

func (s *CookieStore) ClearCSRF(rw http.ResponseWriter, req *http.Request)

ClearCSRF clears the CSRF cookie from the request

func (*CookieStore) ClearSession ¶

func (s *CookieStore) ClearSession(rw http.ResponseWriter, req *http.Request)

ClearSession clears the session cookie from a request

func (*CookieStore) GetCSRF ¶

func (s *CookieStore) GetCSRF(req *http.Request) (*http.Cookie, error)

GetCSRF gets the CSRFCookie creates a CSRF cookie in a given request

func (*CookieStore) LoadSession ¶

func (s *CookieStore) LoadSession(req *http.Request) (*SessionState, error)

LoadSession returns a SessionState from the cookie in the request.

func (*CookieStore) SaveSession ¶

func (s *CookieStore) SaveSession(rw http.ResponseWriter, req *http.Request, sessionState *SessionState) error

SaveSession saves a session state to a request sessions.

func (*CookieStore) SetCSRF ¶

func (s *CookieStore) SetCSRF(rw http.ResponseWriter, req *http.Request, val string)

SetCSRF sets the CSRFCookie creates a CSRF cookie in a given request

type MockCSRFStore ¶

type MockCSRFStore struct {
	ResponseCSRF string
	Cookie       *http.Cookie
	GetError     error
}

MockCSRFStore is a mock implementation of the CSRF store interface

func (*MockCSRFStore) ClearCSRF ¶

func (ms *MockCSRFStore) ClearCSRF(http.ResponseWriter, *http.Request)

ClearCSRF clears the ResponseCSRF string

func (*MockCSRFStore) GetCSRF ¶

func (ms *MockCSRFStore) GetCSRF(*http.Request) (*http.Cookie, error)

GetCSRF returns the cookie and error

func (*MockCSRFStore) SetCSRF ¶

func (ms *MockCSRFStore) SetCSRF(rw http.ResponseWriter, req *http.Request, val string)

SetCSRF sets the ResponseCSRF string to a val

type MockSessionStore ¶

type MockSessionStore struct {
	ResponseSession string
	Session         *SessionState
	SaveError       error
	LoadError       error
}

MockSessionStore is a mock implementation of the SessionStore interface

func (*MockSessionStore) ClearSession ¶

func (ms *MockSessionStore) ClearSession(http.ResponseWriter, *http.Request)

ClearSession clears the ResponseSession

func (*MockSessionStore) LoadSession ¶

func (ms *MockSessionStore) LoadSession(*http.Request) (*SessionState, error)

LoadSession returns the session and a error

func (*MockSessionStore) SaveSession ¶

func (ms *MockSessionStore) SaveSession(http.ResponseWriter, *http.Request, *SessionState) error

SaveSession returns a save error.

type SessionState ¶

type SessionState struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	IDToken      string `json:"id_token"` // https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse

	RefreshDeadline  time.Time `json:"refresh_deadline"`
	LifetimeDeadline time.Time `json:"lifetime_deadline"`
	ValidDeadline    time.Time `json:"valid_deadline"`
	GracePeriodStart time.Time `json:"grace_period_start"`

	Email  string   `json:"email"`
	User   string   `json:"user"`
	Groups []string `json:"groups"`
}

SessionState is our object that keeps track of a user's session state

func UnmarshalSession ¶

func UnmarshalSession(value string, c aead.Cipher) (*SessionState, error)

UnmarshalSession takes the marshaled string, base64-decodes into a byte slice, decrypts the byte slice using the pased cipher, and unmarshals the resulting JSON into a session state struct

func (*SessionState) LifetimePeriodExpired ¶

func (s *SessionState) LifetimePeriodExpired() bool

LifetimePeriodExpired returns true if the lifetime has expired

func (*SessionState) RefreshPeriodExpired ¶

func (s *SessionState) RefreshPeriodExpired() bool

RefreshPeriodExpired returns true if the refresh period has expired

func (*SessionState) ValidationPeriodExpired ¶

func (s *SessionState) ValidationPeriodExpired() bool

ValidationPeriodExpired returns true if the validation period has expired

type SessionStore ¶

type SessionStore interface {
	ClearSession(http.ResponseWriter, *http.Request)
	LoadSession(*http.Request) (*SessionState, error)
	SaveSession(http.ResponseWriter, *http.Request, *SessionState) error
}

SessionStore has the functions for setting, getting, and clearing the Session cookie

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL