TRA-4157 fix ws auth (#669)

* Update socket_routes.go, user_controller.go, and 2 more files... * Update user_controller.go * Switch to http-only cookies for more security
2025-09-05 12:33:20 +00:00 · 2022-01-20 14:10:25 +02:00
parent 6bab381280
commit 676e50b0b1
4 changed files with 50 additions and 37 deletions
--- a/agent/pkg/controllers/user_controller.go
+++ b/agent/pkg/controllers/user_controller.go
@@ -1,7 +1,9 @@
 package controllers

 import (
+	"errors"
 	"mizuserver/pkg/providers"
+	"net/http"

 	"github.com/gin-gonic/gin"
 	"github.com/up9inc/mizu/shared/logger"
@@ -11,20 +13,44 @@ func Login(c *gin.Context) {
 	if token, err := providers.PerformLogin(c.PostForm("username"), c.PostForm("password"), c.Request.Context()); err != nil {
 		c.AbortWithStatusJSON(401, gin.H{"error": "bad login"})
 	} else {
-		c.JSON(200, gin.H{"token": token})
+		c.SetSameSite(http.SameSiteLaxMode)
+		c.SetCookie("x-session-token", *token, 3600, "/", "", false, true)
+		c.JSON(200, "")
 	}
 }

 func Logout(c *gin.Context) {
-	token := c.GetHeader("x-session-token")
-	if err := providers.Logout(token, c.Request.Context()); err != nil {
+	token, err := c.Cookie("x-session-token")
+	if err != nil {
+		if errors.Is(err, http.ErrNoCookie) {
+			c.AbortWithStatusJSON(401, gin.H{"error": "could not find session cookie"})
+		} else {
+			logger.Log.Errorf("error reading cookie in logout %s", err)
+			c.AbortWithStatusJSON(500, gin.H{"error": "error occured while logging out, the session might still be valid"})
+		}
+
+		return
+	}
+
+	if err = providers.Logout(token, c.Request.Context()); err != nil {
 		c.AbortWithStatusJSON(500, gin.H{"error": "error occured while logging out, the session might still be valid"})
 	} else {
+		c.SetCookie("x-session-token", "", -1, "/", "", false, true)
 		c.JSON(200, "")
 	}
 }

 func Register(c *gin.Context) {
+	// only allow one user to be created without authentication
+	if IsInstallNeeded, err := providers.IsInstallNeeded(); err != nil {
+		logger.Log.Errorf("unknown internal while checking if install is needed %s", err)
+		c.AbortWithStatusJSON(500, gin.H{"error": "internal error occured while checking if install is needed"})
+		return
+	} else if !IsInstallNeeded {
+		c.AbortWithStatusJSON(401, gin.H{"error": "cannot register when install is not needed"})
+		return
+	}
+
 	if token, _, err, formErrorMessages := providers.RegisterUser(c.PostForm("username"), c.PostForm("password"), c.Request.Context()); err != nil {
 		if formErrorMessages != nil {
 			logger.Log.Infof("user attempted to register but had form errors %v %v", formErrorMessages, err)
@@ -34,6 +60,8 @@ func Register(c *gin.Context) {
 			c.AbortWithStatusJSON(500, gin.H{"error": "internal error occured while registering"})
 		}
 	} else {
-		c.JSON(200, gin.H{"token": token})
+		c.SetSameSite(http.SameSiteLaxMode)
+		c.SetCookie("x-session-token", *token, 3600, "/", "", false, true)
+		c.JSON(200, "")
 	}
 }