TRA-4157 fix ws auth (#669)

* Update socket_routes.go, user_controller.go, and 2 more files... * Update user_controller.go * Switch to http-only cookies for more security
2025-08-13 14:17:54 +00:00 · 2022-01-20 14:10:25 +02:00 · 2022-01-20 14:10:25 +02:00 · 676e50b0b1
commit 676e50b0b1
parent 6bab381280
4 changed files with 50 additions and 37 deletions
--- a/agent/pkg/api/socket_routes.go
+++ b/agent/pkg/api/socket_routes.go
@ -47,9 +47,9 @@ func init() {
 }

 func WebSocketRoutes(app *gin.Engine, eventHandlers EventHandlers, startTime int64) {
-	app.GET("/ws", func(c *gin.Context) {
+	app.GET("/ws", middlewares.RequiresAuth(), func(c *gin.Context) {
 		websocketHandler(c.Writer, c.Request, eventHandlers, false, startTime)
-	}, middlewares.RequiresAuth())
+	})

 	app.GET("/wsTapper", func(c *gin.Context) { // TODO: add m2m authentication to this route
 		websocketHandler(c.Writer, c.Request, eventHandlers, true, startTime)
--- a/agent/pkg/controllers/user_controller.go
+++ b/agent/pkg/controllers/user_controller.go
@ -1,7 +1,9 @@
 package controllers

 import (
+	"errors"
 	"mizuserver/pkg/providers"
+	"net/http"

 	"github.com/gin-gonic/gin"
 	"github.com/up9inc/mizu/shared/logger"
@ -11,20 +13,44 @@ func Login(c *gin.Context) {
 	if token, err := providers.PerformLogin(c.PostForm("username"), c.PostForm("password"), c.Request.Context()); err != nil {
 		c.AbortWithStatusJSON(401, gin.H{"error": "bad login"})
 	} else {
-		c.JSON(200, gin.H{"token": token})
+		c.SetSameSite(http.SameSiteLaxMode)
+		c.SetCookie("x-session-token", *token, 3600, "/", "", false, true)
+		c.JSON(200, "")
 	}
 }

 func Logout(c *gin.Context) {
-	token := c.GetHeader("x-session-token")
-	if err := providers.Logout(token, c.Request.Context()); err != nil {
+	token, err := c.Cookie("x-session-token")
+	if err != nil {
+		if errors.Is(err, http.ErrNoCookie) {
+			c.AbortWithStatusJSON(401, gin.H{"error": "could not find session cookie"})
+		} else {
+			logger.Log.Errorf("error reading cookie in logout %s", err)
+			c.AbortWithStatusJSON(500, gin.H{"error": "error occured while logging out, the session might still be valid"})
+		}
+
+		return
+	}
+
+	if err = providers.Logout(token, c.Request.Context()); err != nil {
 		c.AbortWithStatusJSON(500, gin.H{"error": "error occured while logging out, the session might still be valid"})
 	} else {
+		c.SetCookie("x-session-token", "", -1, "/", "", false, true)
 		c.JSON(200, "")
 	}
 }

 func Register(c *gin.Context) {
+	// only allow one user to be created without authentication
+	if IsInstallNeeded, err := providers.IsInstallNeeded(); err != nil {
+		logger.Log.Errorf("unknown internal while checking if install is needed %s", err)
+		c.AbortWithStatusJSON(500, gin.H{"error": "internal error occured while checking if install is needed"})
+		return
+	} else if !IsInstallNeeded {
+		c.AbortWithStatusJSON(401, gin.H{"error": "cannot register when install is not needed"})
+		return
+	}
+
 	if token, _, err, formErrorMessages := providers.RegisterUser(c.PostForm("username"), c.PostForm("password"), c.Request.Context()); err != nil {
 		if formErrorMessages != nil {
 			logger.Log.Infof("user attempted to register but had form errors %v %v", formErrorMessages, err)
@ -34,6 +60,8 @@ func Register(c *gin.Context) {
 			c.AbortWithStatusJSON(500, gin.H{"error": "internal error occured while registering"})
 		}
 	} else {
-		c.JSON(200, gin.H{"token": token})
+		c.SetSameSite(http.SameSiteLaxMode)
+		c.SetCookie("x-session-token", *token, 3600, "/", "", false, true)
+		c.JSON(200, "")
 	}
 }
--- a/agent/pkg/middlewares/requiresAuth.go
+++ b/agent/pkg/middlewares/requiresAuth.go
@ -1,49 +1,51 @@
 package middlewares

 import (
+	"errors"
 	"mizuserver/pkg/config"
 	"mizuserver/pkg/providers"
-	"time"
+	"net/http"

 	"github.com/gin-gonic/gin"
-	"github.com/patrickmn/go-cache"
 	"github.com/up9inc/mizu/shared/logger"
 )

-const cachedValidTokensRetainmentTime = time.Minute * 1
-
-var cachedValidTokens = cache.New(cachedValidTokensRetainmentTime, cachedValidTokensRetainmentTime)
+const errorMessage = "unknown authentication error occured"

 func RequiresAuth() gin.HandlerFunc {
 	return func(c *gin.Context) {
-		// auth is irrelevant for ephermeral mizu
+		// authentication is irrelevant for ephermeral mizu
 		if !config.Config.StandaloneMode {
 			c.Next()
 			return
 		}

-		token := c.GetHeader("x-session-token")
-		if token == "" {
-			c.AbortWithStatusJSON(401, gin.H{"error": "token header is empty"})
+		token, err := c.Cookie("x-session-token")
+		if err != nil {
+			if errors.Is(err, http.ErrNoCookie) {
+				c.AbortWithStatusJSON(401, gin.H{"error": "could not find session cookie"})
+			} else {
+				logger.Log.Errorf("error reading cookie %s", err)
+				c.AbortWithStatusJSON(500, gin.H{"error": errorMessage})
+			}
+
 			return
 		}

-		if _, isTokenCached := cachedValidTokens.Get(token); isTokenCached {
-			c.Next()
+		if token == "" {
+			c.AbortWithStatusJSON(401, gin.H{"error": "token cookie is empty"})
 			return
 		}

 		if isTokenValid, err := providers.VerifyToken(token, c.Request.Context()); err != nil {
 			logger.Log.Errorf("error verifying token %s", err)
-			c.AbortWithStatusJSON(401, gin.H{"error": "unknown auth error occured"})
+			c.AbortWithStatusJSON(500, gin.H{"error": errorMessage})
 			return
 		} else if !isTokenValid {
 			c.AbortWithStatusJSON(401, gin.H{"error": "invalid token"})
 			return
 		}

-		cachedValidTokens.Set(token, true, cachedValidTokensRetainmentTime)
-
 		c.Next()
 	}
 }
--- a/ui/src/helpers/api.js
+++ b/ui/src/helpers/api.js
@ -22,8 +22,6 @@ export default class Api {
    }

    constructor() {
-        this.token = localStorage.getItem("token");
-
        this.client = this.getAxiosClient();
        this.source = null;
    }
@ -143,7 +141,6 @@ export default class Api {

        try {
            const response = await this.client.post(`/user/register`, form);
-            this.persistToken(response.data.token);
            return response;
        } catch (e) {
            if (e.response.status === 400) {
@ -164,32 +161,18 @@ export default class Api {
        form.append('password', password);

        const response = await this.client.post(`/user/login`, form);
-        if (response.status >= 200 && response.status < 300) {
-            this.persistToken(response.data.token);
-        }

        return response;
    }

-    persistToken = (token) => {
-        this.token = token;
-        this.client = this.getAxiosClient();
-        localStorage.setItem('token', token);
-    }
-
    logout = async () => {
        await this.client.post(`/user/logout`);
-        this.persistToken(null);
    }

    getAxiosClient = () => {
        const headers = {
            Accept: "application/json"
        }
-
-        if (this.token) {
-            headers['x-session-token'] = `${this.token}`; // we use `x-session-token` instead of `Authorization` because the latter is reserved by kubectl proxy, making mizu view not work
-        }
        return axios.create({
            baseURL: apiURL,
            timeout: 31000,