outposts/proxy: fix session not expiring correctly due to miscalculation
closes #1976 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer
parent
8a60a7e26f
commit
3c048a1921
|
|
@ -81,7 +81,8 @@ func NewAPIController(akURL url.URL, token string) *APIController {
|
||||||
}
|
}
|
||||||
log.Debug("Fetched global configuration")
|
log.Debug("Fetched global configuration")
|
||||||
|
|
||||||
doGlobalSetup(outpost, akConfig)
|
// doGlobalSetup is called by the OnRefresh handler, which ticks on start
|
||||||
|
// doGlobalSetup(outpost, akConfig)
|
||||||
|
|
||||||
ac := &APIController{
|
ac := &APIController{
|
||||||
Client: apiClient,
|
Client: apiClient,
|
||||||
|
|
|
||||||
|
|
@ -194,12 +194,7 @@ func (ac *APIController) startWSHealth() {
|
||||||
func (ac *APIController) startIntervalUpdater() {
|
func (ac *APIController) startIntervalUpdater() {
|
||||||
logger := ac.logger.WithField("loop", "interval-updater")
|
logger := ac.logger.WithField("loop", "interval-updater")
|
||||||
ticker := time.NewTicker(5 * time.Minute)
|
ticker := time.NewTicker(5 * time.Minute)
|
||||||
initial := false
|
|
||||||
for ; true; <-ticker.C {
|
for ; true; <-ticker.C {
|
||||||
if !initial {
|
|
||||||
initial = true
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
logger.Debug("Running interval update")
|
logger.Debug("Running interval update")
|
||||||
err := ac.OnRefresh()
|
err := ac.OnRefresh()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
||||||
|
|
@ -3,6 +3,7 @@ package application
|
||||||
import (
|
import (
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"time"
|
||||||
|
|
||||||
"github.com/gorilla/securecookie"
|
"github.com/gorilla/securecookie"
|
||||||
"goauthentik.io/internal/outpost/proxyv2/constants"
|
"goauthentik.io/internal/outpost/proxyv2/constants"
|
||||||
|
|
@ -49,7 +50,7 @@ func (a *Application) handleCallback(rw http.ResponseWriter, r *http.Request) {
|
||||||
}
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
s.Options.MaxAge = claims.Exp / 1000
|
s.Options.MaxAge = int(time.Until(time.Unix(int64(claims.Exp), 0)).Seconds())
|
||||||
s.Values[constants.SessionClaims] = &claims
|
s.Values[constants.SessionClaims] = &claims
|
||||||
err = s.Save(r, rw)
|
err = s.Save(r, rw)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
||||||
|
|
@ -19,11 +19,13 @@ func (a *Application) getStore(p api.ProxyOutpostConfig) sessions.Store {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
rs.SetMaxLength(math.MaxInt64)
|
rs.SetMaxLength(math.MaxInt)
|
||||||
if p.TokenValidity.IsSet() {
|
if p.TokenValidity.IsSet() {
|
||||||
t := p.TokenValidity.Get()
|
t := p.TokenValidity.Get()
|
||||||
// Add one to the validity to ensure we don't have a session with indefinite length
|
// Add one to the validity to ensure we don't have a session with indefinite length
|
||||||
rs.Options.MaxAge = int(*t) + 1
|
rs.SetMaxAge(int(*t) + 1)
|
||||||
|
} else {
|
||||||
|
rs.SetMaxAge(0)
|
||||||
}
|
}
|
||||||
rs.Options.Domain = *p.CookieDomain
|
rs.Options.Domain = *p.CookieDomain
|
||||||
a.log.Info("using redis session backend")
|
a.log.Info("using redis session backend")
|
||||||
|
|
@ -31,19 +33,21 @@ func (a *Application) getStore(p api.ProxyOutpostConfig) sessions.Store {
|
||||||
} else {
|
} else {
|
||||||
dir := os.TempDir()
|
dir := os.TempDir()
|
||||||
cs := sessions.NewFilesystemStore(dir, []byte(*p.CookieSecret))
|
cs := sessions.NewFilesystemStore(dir, []byte(*p.CookieSecret))
|
||||||
cs.Options.Domain = *p.CookieDomain
|
|
||||||
// https://github.com/markbates/goth/commit/7276be0fdf719ddff753f3574ef0f967e4a5a5f7
|
// https://github.com/markbates/goth/commit/7276be0fdf719ddff753f3574ef0f967e4a5a5f7
|
||||||
// set the maxLength of the cookies stored on the disk to a larger number to prevent issues with:
|
// set the maxLength of the cookies stored on the disk to a larger number to prevent issues with:
|
||||||
// securecookie: the value is too long
|
// securecookie: the value is too long
|
||||||
// when using OpenID Connect , since this can contain a large amount of extra information in the id_token
|
// when using OpenID Connect , since this can contain a large amount of extra information in the id_token
|
||||||
|
|
||||||
// Note, when using the FilesystemStore only the session.ID is written to a browser cookie, so this is explicit for the storage on disk
|
// Note, when using the FilesystemStore only the session.ID is written to a browser cookie, so this is explicit for the storage on disk
|
||||||
cs.MaxLength(math.MaxInt64)
|
cs.MaxLength(math.MaxInt)
|
||||||
if p.TokenValidity.IsSet() {
|
if p.TokenValidity.IsSet() {
|
||||||
t := p.TokenValidity.Get()
|
t := p.TokenValidity.Get()
|
||||||
// Add one to the validity to ensure we don't have a session with indefinite length
|
// Add one to the validity to ensure we don't have a session with indefinite length
|
||||||
cs.Options.MaxAge = int(*t) + 1
|
cs.MaxAge(int(*t) + 1)
|
||||||
|
} else {
|
||||||
|
cs.MaxAge(0)
|
||||||
}
|
}
|
||||||
|
cs.Options.Domain = *p.CookieDomain
|
||||||
a.log.WithField("dir", dir).Info("using filesystem session backend")
|
a.log.WithField("dir", dir).Info("using filesystem session backend")
|
||||||
store = cs
|
store = cs
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Reference in New Issue