From 3c048a19210d38f22a881c319a03213931411038 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Tue, 21 Dec 2021 13:10:57 +0100
Subject: [PATCH] outposts/proxy: fix session not expiring correctly due to miscalculation

closes #1976

Signed-off-by: Jens Langhammer
---
 internal/outpost/ak/api.go | 3 ++-
 internal/outpost/ak/api_ws.go | 5 -----
 internal/outpost/proxyv2/application/oauth.go | 3 ++-
 internal/outpost/proxyv2/application/session.go | 14 +++++++++-----
 4 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/internal/outpost/ak/api.go b/internal/outpost/ak/api.go
index 15c00e899..76faf434f 100644
--- a/internal/outpost/ak/api.go
+++ b/internal/outpost/ak/api.go
@@ -81,7 +81,8 @@ func NewAPIController(akURL url.URL, token string) *APIController {
 }
 log.Debug("Fetched global configuration")
 
- doGlobalSetup(outpost, akConfig)
+ // doGlobalSetup is called by the OnRefresh handler, which ticks on start
+ // doGlobalSetup(outpost, akConfig)
 
 ac := &APIController{
 Client: apiClient,
diff --git a/internal/outpost/ak/api_ws.go b/internal/outpost/ak/api_ws.go
index fb411e044..e67ec90ad 100644
--- a/internal/outpost/ak/api_ws.go
+++ b/internal/outpost/ak/api_ws.go
@@ -194,12 +194,7 @@ func (ac *APIController) startWSHealth() {
 func (ac *APIController) startIntervalUpdater() {
 logger := ac.logger.WithField("loop", "interval-updater")
 ticker := time.NewTicker(5 * time.Minute)
- initial := false
 for ; true; <-ticker.C {
- if !initial {
- initial = true
- continue
- }
 logger.Debug("Running interval update")
 err := ac.OnRefresh()
 if err != nil {
diff --git a/internal/outpost/proxyv2/application/oauth.go b/internal/outpost/proxyv2/application/oauth.go
index c898dfa36..b747e8182 100644
--- a/internal/outpost/proxyv2/application/oauth.go
+++ b/internal/outpost/proxyv2/application/oauth.go
@@ -3,6 +3,7 @@ package application
 import (
 "encoding/base64"
 "net/http"
+ "time"
 
 "github.com/gorilla/securecookie"
 "goauthentik.io/internal/outpost/proxyv2/constants"
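Review bot: The added `+ // doGlobalSetup(outpost, akConfig)` line keeps dead code around as a comment; git already preserves the old call, so drop that line and keep only an explanatory comment that names where the call went, e.g. `// global setup (doGlobalSetup) now runs from OnRefresh, which startIntervalUpdater calls on its first pass`. That explanation matters because the setup is no longer applied when NewAPIController returns but only once the updater loop has run, so anything that uses the controller between construction and the loop start (I can't see that code from here) runs without it. NewAPIController's body continues outside the hunk.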
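Review bot: With the `initial` skip removed, the first `ac.OnRefresh()` now runs as soon as this loop starts, and the api.go hunk in this commit relies on that first pass for global setup, but nothing at this site records the dependency; a comment on the `for` line such as `// first pass runs immediately, not after 5 minutes: NewAPIController relies on it for global setup` keeps the two sites from drifting apart. The `for ; true; <-ticker.C {` form is also easy to misread; an explicit `ac.OnRefresh()` call before the loop followed by `for range ticker.C {` says the same thing plainly and stays correct even if the body (which continues outside the hunk) uses `continue`. The rest of startIntervalUpdater is outside the hunk, so I can't tell whether the ticker is ever stopped.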
@@ -49,7 +50,7 @@ func (a *Application) handleCallback(rw http.ResponseWriter, r *http.Request) {
 }
 return
 }
- s.Options.MaxAge = claims.Exp / 1000
+ s.Options.MaxAge = int(time.Until(time.Unix(int64(claims.Exp), 0)).Seconds())
 s.Values[constants.SessionClaims] = &claims
 err = s.Save(r, rw)
 if err != nil {
diff --git a/internal/outpost/proxyv2/application/session.go b/internal/outpost/proxyv2/application/session.go
index 2407a7577..390d0f246 100644
--- a/internal/outpost/proxyv2/application/session.go
+++ b/internal/outpost/proxyv2/application/session.go
@@ -19,11 +19,13 @@ func (a *Application) getStore(p api.ProxyOutpostConfig) sessions.Store {
 if err != nil {
 panic(err)
 }
- rs.SetMaxLength(math.MaxInt64)
+ rs.SetMaxLength(math.MaxInt)
 if p.TokenValidity.IsSet() {
 t := p.TokenValidity.Get()
 // Add one to the validity to ensure we don't have a session with indefinite length
- rs.Options.MaxAge = int(*t) + 1
+ rs.SetMaxAge(int(*t) + 1)
+ } else {
+ rs.SetMaxAge(0)
 }
 rs.Options.Domain = *p.CookieDomain
 a.log.Info("using redis session backend")
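Review bot: The new `s.Options.MaxAge` expression goes negative when `claims.Exp` is already in the past (an expired id_token, or clock skew between this outpost and the issuer) and is 0 when less than a second remains, since `int(...)` truncates toward zero; the session stores built in session.go (redistore and gorilla's FilesystemStore, as far as I can see them) treat a session saved with MaxAge <= 0 as a deletion request, so the callback would quietly clear the cookie and bounce the user with nothing logged. Compute the remaining lifetime into a local, reject a non-positive value explicitly before `s.Save`, and only then assign it. This also assumes `claims.Exp` is a Unix timestamp in seconds, as the conversion now treats it; if the field isn't documented that way, a comment on it would help. Separately, this assignment replaces the store-level MaxAge derived from `TokenValidity`, so if that setting is meant as an upper bound the local should be clamped to `s.Options.MaxAge` when that is positive. handleCallback continues outside the hunk.

```go
	// Remaining lifetime of the id_token in whole seconds (claims.Exp is a Unix timestamp).
	ttl := int(time.Until(time.Unix(int64(claims.Exp), 0)).Seconds())
	if ttl <= 0 {
		// Already expired (or clock skew): saving with MaxAge <= 0 would only delete the session.
		a.log.WithField("exp", claims.Exp).Warning("id_token already expired, not creating session")
		// … error response as in the preceding error branch, then return …
		return
	}
	s.Options.MaxAge = ttl
	// … unchanged: store claims, s.Save …
```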
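Review bot: The new `rs.SetMaxAge(0)` branch (and the matching `cs.MaxAge(0)` in the next hunk of this file) makes 0 the default MaxAge for every session the store hands out, where before the library default applied; redistore and gorilla's FilesystemStore both treat a session saved with MaxAge <= 0 as a deletion request, so this is only safe as long as every `Save` path sets its own MaxAge first, as handleCallback in oauth.go now does. Any other save in this package that leaves MaxAge untouched (a pre-login state cookie, if one exists; I can't see the rest of the package) would be erased on write. If relying on the callback override is the intent, say so at the branch: `// 0 = no store-level limit; every session saved must set its own MaxAge (see handleCallback), since the stores delete sessions saved with MaxAge <= 0`; otherwise keep a bounded fallback here instead of 0. getStore starts before this hunk and continues after it.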
@@ -31,19 +33,21 @@ func (a *Application) getStore(p api.ProxyOutpostConfig) sessions.Store {
 } else {
 dir := os.TempDir()
 cs := sessions.NewFilesystemStore(dir, []byte(*p.CookieSecret))
- cs.Options.Domain = *p.CookieDomain
 // https://github.com/markbates/goth/commit/7276be0fdf719ddff753f3574ef0f967e4a5a5f7
 // set the maxLength of the cookies stored on the disk to a larger number to prevent issues with:
 // securecookie: the value is too long
 // when using OpenID Connect , since this can contain a large amount of extra information in the id_token
 
 // Note, when using the FilesystemStore only the session.ID is written to a browser cookie, so this is explicit for the storage on disk
- cs.MaxLength(math.MaxInt64)
+ cs.MaxLength(math.MaxInt)
 if p.TokenValidity.IsSet() {
 t := p.TokenValidity.Get()
 // Add one to the validity to ensure we don't have a session with indefinite length
- cs.Options.MaxAge = int(*t) + 1
+ cs.MaxAge(int(*t) + 1)
+ } else {
+ cs.MaxAge(0)
 }
+ cs.Options.Domain = *p.CookieDomain
 a.log.WithField("dir", dir).Info("using filesystem session backend")
 store = cs
 }
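Review bot: The validity-to-MaxAge logic is now duplicated verbatim between the redis branch in the previous hunk and this filesystem branch, with different setter names (`rs.SetMaxAge` vs `cs.MaxAge`), which is how the two branches drifted apart before this fix. Pull the computation into one helper and call it from both branches so the "+1 so a session is never indefinite" rule lives in one place. Moving `cs.Options.Domain = *p.CookieDomain` below the MaxAge calls doesn't appear to change anything; if it was needed, a one-line comment on why would stop someone moving it back. getStore continues past the end of the hunk.

```go
// sessionMaxAge returns the MaxAge (seconds) to configure on the session store
// from the outpost config: the configured token validity plus one, so a
// session never has an indefinite lifetime, or 0 when no validity is set.
func sessionMaxAge(p api.ProxyOutpostConfig) int {
	if p.TokenValidity.IsSet() {
		return int(*p.TokenValidity.Get()) + 1
	}
	return 0
}

		// … unchanged: filesystem store construction and MaxLength comment …
		cs.MaxLength(math.MaxInt)
		cs.MaxAge(sessionMaxAge(p))
		cs.Options.Domain = *p.CookieDomain
		// … unchanged: log line, store = cs …
```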