TRA-4157 fix ws auth (#669)

* Update socket_routes.go, user_controller.go, and 2 more files... * Update user_controller.go * Switch to http-only cookies for more security
2025-09-06 21:11:11 +00:00 · 2022-01-20 14:10:25 +02:00
parent 6bab381280
commit 676e50b0b1
4 changed files with 50 additions and 37 deletions
--- a/agent/pkg/api/socket_routes.go
+++ b/agent/pkg/api/socket_routes.go
@@ -47,9 +47,9 @@ func init() {
 }

 func WebSocketRoutes(app *gin.Engine, eventHandlers EventHandlers, startTime int64) {
-	app.GET("/ws", func(c *gin.Context) {
+	app.GET("/ws", middlewares.RequiresAuth(), func(c *gin.Context) {
 		websocketHandler(c.Writer, c.Request, eventHandlers, false, startTime)
-	}, middlewares.RequiresAuth())
+	})

 	app.GET("/wsTapper", func(c *gin.Context) { // TODO: add m2m authentication to this route
 		websocketHandler(c.Writer, c.Request, eventHandlers, true, startTime)
--- a/agent/pkg/controllers/user_controller.go
+++ b/agent/pkg/controllers/user_controller.go
@@ -1,7 +1,9 @@
 package controllers

 import (
+	"errors"
 	"mizuserver/pkg/providers"
+	"net/http"

 	"github.com/gin-gonic/gin"
 	"github.com/up9inc/mizu/shared/logger"
@@ -11,20 +13,44 @@ func Login(c *gin.Context) {
 	if token, err := providers.PerformLogin(c.PostForm("username"), c.PostForm("password"), c.Request.Context()); err != nil {
 		c.AbortWithStatusJSON(401, gin.H{"error": "bad login"})
 	} else {
-		c.JSON(200, gin.H{"token": token})
+		c.SetSameSite(http.SameSiteLaxMode)
+		c.SetCookie("x-session-token", *token, 3600, "/", "", false, true)
+		c.JSON(200, "")
 	}
 }

 func Logout(c *gin.Context) {
-	token := c.GetHeader("x-session-token")
-	if err := providers.Logout(token, c.Request.Context()); err != nil {
+	token, err := c.Cookie("x-session-token")
+	if err != nil {
+		if errors.Is(err, http.ErrNoCookie) {
+			c.AbortWithStatusJSON(401, gin.H{"error": "could not find session cookie"})
+		} else {
+			logger.Log.Errorf("error reading cookie in logout %s", err)
+			c.AbortWithStatusJSON(500, gin.H{"error": "error occured while logging out, the session might still be valid"})
+		}
+
+		return
+	}
+
+	if err = providers.Logout(token, c.Request.Context()); err != nil {
 		c.AbortWithStatusJSON(500, gin.H{"error": "error occured while logging out, the session might still be valid"})
 	} else {
+		c.SetCookie("x-session-token", "", -1, "/", "", false, true)
 		c.JSON(200, "")
 	}
 }

 func Register(c *gin.Context) {
+	// only allow one user to be created without authentication
+	if IsInstallNeeded, err := providers.IsInstallNeeded(); err != nil {
+		logger.Log.Errorf("unknown internal while checking if install is needed %s", err)
+		c.AbortWithStatusJSON(500, gin.H{"error": "internal error occured while checking if install is needed"})
+		return
+	} else if !IsInstallNeeded {
+		c.AbortWithStatusJSON(401, gin.H{"error": "cannot register when install is not needed"})
+		return
+	}
+
 	if token, _, err, formErrorMessages := providers.RegisterUser(c.PostForm("username"), c.PostForm("password"), c.Request.Context()); err != nil {
 		if formErrorMessages != nil {
 			logger.Log.Infof("user attempted to register but had form errors %v %v", formErrorMessages, err)
@@ -34,6 +60,8 @@ func Register(c *gin.Context) {
 			c.AbortWithStatusJSON(500, gin.H{"error": "internal error occured while registering"})
 		}
 	} else {
-		c.JSON(200, gin.H{"token": token})
+		c.SetSameSite(http.SameSiteLaxMode)
+		c.SetCookie("x-session-token", *token, 3600, "/", "", false, true)
+		c.JSON(200, "")
 	}
 }
--- a/agent/pkg/middlewares/requiresAuth.go
+++ b/agent/pkg/middlewares/requiresAuth.go
@@ -1,49 +1,51 @@
 package middlewares

 import (
+	"errors"
 	"mizuserver/pkg/config"
 	"mizuserver/pkg/providers"
-	"time"
+	"net/http"

 	"github.com/gin-gonic/gin"
-	"github.com/patrickmn/go-cache"
 	"github.com/up9inc/mizu/shared/logger"
 )

-const cachedValidTokensRetainmentTime = time.Minute * 1
-
-var cachedValidTokens = cache.New(cachedValidTokensRetainmentTime, cachedValidTokensRetainmentTime)
+const errorMessage = "unknown authentication error occured"

 func RequiresAuth() gin.HandlerFunc {
 	return func(c *gin.Context) {
-		// auth is irrelevant for ephermeral mizu
+		// authentication is irrelevant for ephermeral mizu
 		if !config.Config.StandaloneMode {
 			c.Next()
 			return
 		}

-		token := c.GetHeader("x-session-token")
-		if token == "" {
-			c.AbortWithStatusJSON(401, gin.H{"error": "token header is empty"})
+		token, err := c.Cookie("x-session-token")
+		if err != nil {
+			if errors.Is(err, http.ErrNoCookie) {
+				c.AbortWithStatusJSON(401, gin.H{"error": "could not find session cookie"})
+			} else {
+				logger.Log.Errorf("error reading cookie %s", err)
+				c.AbortWithStatusJSON(500, gin.H{"error": errorMessage})
+			}
+
 			return
 		}

-		if _, isTokenCached := cachedValidTokens.Get(token); isTokenCached {
-			c.Next()
+		if token == "" {
+			c.AbortWithStatusJSON(401, gin.H{"error": "token cookie is empty"})
 			return
 		}

 		if isTokenValid, err := providers.VerifyToken(token, c.Request.Context()); err != nil {
 			logger.Log.Errorf("error verifying token %s", err)
-			c.AbortWithStatusJSON(401, gin.H{"error": "unknown auth error occured"})
+			c.AbortWithStatusJSON(500, gin.H{"error": errorMessage})
 			return
 		} else if !isTokenValid {
 			c.AbortWithStatusJSON(401, gin.H{"error": "invalid token"})
 			return
 		}

-		cachedValidTokens.Set(token, true, cachedValidTokensRetainmentTime)
-
 		c.Next()
 	}
 }