diff --git a/src/main/main.go b/src/main/main.go index 49b8cda..6136f3c 100644 --- a/src/main/main.go +++ b/src/main/main.go @@ -13,22 +13,27 @@ import ( "time" "astraltech.xyz/accountmanager/src/logging" - "astraltech.xyz/accountmanager/src/worker" + "astraltech.xyz/accountmanager/src/session" ) var ( ldapServer *LDAPServer ldapServerMutex sync.Mutex serverConfig *ServerConfig + sessionManager *session.SessionManager ) type UserData struct { isAuth bool - Username string DisplayName string Email string } +var ( + userData = make(map[string]UserData) + userDataMutex sync.RWMutex +) + var ( photoCreatedTimestamp = make(map[string]time.Time) photoCreatedMutex sync.Mutex @@ -83,14 +88,13 @@ func authenticateUser(username, password string) (UserData, error) { entry := userSearch.LDAPSearch.Entries[0] user := UserData{ isAuth: true, - Username: username, DisplayName: entry.GetAttributeValue("displayName"), Email: entry.GetAttributeValue("mail"), } photoData := entry.GetRawAttributeValue("jpegphoto") if len(photoData) > 0 { - createUserPhoto(user.Username, photoData) + createUserPhoto(username, photoData) } return user, nil } @@ -119,15 +123,19 @@ func loginHandler(w http.ResponseWriter, r *http.Request) { password := r.FormValue("password") logging.Infof("New Login request for %s\n", username) - userData, err := authenticateUser(username, password) + newUserData, err := authenticateUser(username, password) + userDataMutex.Lock() + userData[username] = newUserData + userDataMutex.Unlock() if err != nil { log.Print(err) tmpl.Execute(w, LoginPageData{IsHiddenClassList: ""}) } else { - if userData.isAuth == true { - cookie := createSession(&userData) - if cookie == nil { - http.Error(w, "Session error", 500) + if newUserData.isAuth == true { + cookie, err := sessionManager.CreateSession(username) + if err != nil { + logging.Error(err.Error()) + http.Error(w, "Session error", http.StatusInternalServerError) return } http.SetCookie(w, cookie) @@ -148,20 +156,23 @@ type ProfileData struct { func profileHandler(w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", "text/html; charset=utf-8") - exist, sessionData := validateSession(r) - if !exist { + sessionData, err := sessionManager.GetSession(r) + if err != nil { + logging.Error(err.Error()) http.Redirect(w, r, "/login", http.StatusSeeOther) return } if r.Method == http.MethodGet { tmpl := template.Must(template.ParseFiles("src/pages/profile_page.html")) + userDataMutex.RLock() tmpl.Execute(w, ProfileData{ - Username: sessionData.data.Username, - Email: sessionData.data.Email, - DisplayName: sessionData.data.DisplayName, + Username: sessionData.UserID, + Email: userData[sessionData.UserID].Email, + DisplayName: userData[sessionData.UserID].DisplayName, CSRFToken: sessionData.CSRFToken, }) + userDataMutex.RUnlock() return } } @@ -225,27 +236,29 @@ func logoutHandler(w http.ResponseWriter, r *http.Request) { } token := cookie.Value - exist, sessionData := validateSession(r) - if exist { - if r.FormValue("csrf_token") != sessionData.CSRFToken { - http.Error(w, "Unable to log user out", http.StatusForbidden) - logging.Debugf("%s attempted to logout with invalid csrf token", sessionData.data.Username) - return - } + sessionData, err := sessionManager.GetSession(r) + if err != nil { + logging.Error(err.Error()) } - logging.Infof("handling logout event for %s", sessionData.data.Username) + if r.FormValue("csrf_token") != sessionData.CSRFToken { + http.Error(w, "Unable to log user out", http.StatusForbidden) + logging.Debugf("%s attempted to logout with invalid csrf token", sessionData.UserID) + return + } + logging.Infof("handling logout event for %s", sessionData.UserID) - deleteSession(hashSession(token)) + sessionManager.DeleteSession(token) http.Redirect(w, r, "/login", http.StatusSeeOther) } func uploadPhotoHandler(w http.ResponseWriter, r *http.Request) { - exist, sessionData := validateSession(r) - if !exist { + sessionData, err := sessionManager.GetSession(r) + if err != nil { + logging.Error(err.Error()) http.Redirect(w, r, "/login", http.StatusSeeOther) return } - err := r.ParseMultipartForm(10 << 20) // 10MB limit + err = r.ParseMultipartForm(10 << 20) // 10MB limit if err != nil { http.Error(w, "Bad request", http.StatusBadRequest) return @@ -273,11 +286,11 @@ func uploadPhotoHandler(w http.ResponseWriter, r *http.Request) { http.Error(w, "Failed to read file", http.StatusInternalServerError) return } - userDN := fmt.Sprintf("uid=%s,cn=users,cn=accounts,%s", sessionData.data.Username, serverConfig.LDAPConfig.BaseDN) + userDN := fmt.Sprintf("uid=%s,cn=users,cn=accounts,%s", sessionData.UserID, serverConfig.LDAPConfig.BaseDN) ldapServerMutex.Lock() defer ldapServerMutex.Unlock() modifyLDAPAttribute(ldapServer, userDN, "jpegphoto", []string{string(data)}) - createUserPhoto(sessionData.data.Username, data) + createUserPhoto(sessionData.UserID, data) } func faviconHandler(w http.ResponseWriter, r *http.Request) { @@ -293,14 +306,15 @@ func logoHandler(w http.ResponseWriter, r *http.Request) { func changePasswordHandler(w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", "application/json") - exist, sessionData := validateSession(r) - if !exist { + sessionData, err := sessionManager.GetSession(r) + if err != nil { + logging.Error(err.Error()) w.WriteHeader(http.StatusUnauthorized) w.Write([]byte(`{"success": false, "error": "Not authenticated"}`)) return } - err := r.ParseMultipartForm(10 << 20) + err = r.ParseMultipartForm(10 << 20) if err != nil { w.WriteHeader(http.StatusBadRequest) w.Write([]byte(`{"success": false, "error": "Bad request"}`)) @@ -325,7 +339,7 @@ func changePasswordHandler(w http.ResponseWriter, r *http.Request) { userDN := fmt.Sprintf( "uid=%s,cn=users,cn=accounts,%s", - sessionData.data.Username, + sessionData.UserID, serverConfig.LDAPConfig.BaseDN, ) @@ -349,6 +363,7 @@ func changePasswordHandler(w http.ResponseWriter, r *http.Request) { func main() { logging.Info("Starting the server") + sessionManager = session.CreateSessionManager(session.InMemory) var err error = nil blankPhotoData, err = ReadFile("static/blank_profile.jpg") @@ -366,7 +381,6 @@ func main() { ldapServerMutex.Unlock() defer closeLDAPServer(ldapServer) - worker.CreateWorker(time.Minute*5, cleanupSessions) HandleFunc("/favicon.ico", faviconHandler) HandleFunc("/logo", logoHandler) diff --git a/src/main/session.go b/src/main/session.go deleted file mode 100644 index e2cf239..0000000 --- a/src/main/session.go +++ /dev/null @@ -1,124 +0,0 @@ -package main - -import ( - "crypto/rand" - "crypto/sha256" - "encoding/base64" - "net/http" - "sync" - "time" - - "astraltech.xyz/accountmanager/src/logging" -) - -type SessionData struct { - loggedIn bool - data *UserData - timeCreated time.Time - CSRFToken string -} - -var ( - sessions = make(map[string]*SessionData) - sessionMutex sync.Mutex -) - -func GenerateSessionToken(length int) (string, error) { - b := make([]byte, length) - _, err := rand.Read(b) - if err != nil { - return "", err - } - token := base64.RawURLEncoding.EncodeToString(b) - return token, nil -} - -func createSession(userData *UserData) *http.Cookie { - logging.Debugf("Creating a new session for %s", userData.Username) - token, err := GenerateSessionToken(32) // Use crypto/rand for this - if err != nil { - logging.Error(err.Error()) - return nil - } - CSRFToken, err := GenerateSessionToken(32) - if err != nil { - logging.Error(err.Error()) - return nil - } - - encodedToken := hashSession(token) - - sessionMutex.Lock() - defer sessionMutex.Unlock() - loggedIn := false - if userData != nil { - loggedIn = true - } - sessions[encodedToken] = &SessionData{ - data: userData, - timeCreated: time.Now(), - CSRFToken: CSRFToken, - loggedIn: loggedIn, - } - cookie := &http.Cookie{ - Name: "session_token", - Value: token, - Path: "/", - HttpOnly: true, // Essential: prevents JS access - Secure: true, // Set to TRUE in production (HTTPS) - SameSite: http.SameSiteLaxMode, - MaxAge: 3600, // 1 hour - } - return cookie -} - -func validateSession(r *http.Request) (bool, *SessionData) { - logging.Debugf("Validating session") - cookie, err := r.Cookie("session_token") - if err != nil { - logging.Error(err.Error()) - return false, &SessionData{} - } - token := cookie.Value - token = hashSession(token) - - sessionMutex.Lock() - sessionData, exists := sessions[token] - sessionMutex.Unlock() - if !exists || !sessionData.loggedIn { - return false, &SessionData{} - } - logging.Infof("Validated session for %s", sessionData.data.Username) - return true, sessionData -} - -func hashSession(session_id string) string { - tokenEncoded := sha256.Sum256([]byte(session_id)) - return base64.RawURLEncoding.EncodeToString(tokenEncoded[:]) -} - -func cleanupSessions() { - logging.Debug("Cleaning up stale session\n") - - sessionMutex.Lock() - sessions_to_delete := []string{} - for session_token, session_data := range sessions { - timeUntilRemoval := time.Minute * 5 - if session_data.loggedIn { - timeUntilRemoval = time.Hour - } - if time.Since(session_data.timeCreated) > timeUntilRemoval { - sessions_to_delete = append(sessions_to_delete, session_token) - } - } - sessionMutex.Unlock() - for _, session_id := range sessions_to_delete { - deleteSession(session_id) - } -} - -func deleteSession(session_id string) { - sessionMutex.Lock() - delete(sessions, session_id) - sessionMutex.Unlock() -} diff --git a/src/session/session_manager.go b/src/session/session_manager.go index c7081ec..51119e1 100644 --- a/src/session/session_manager.go +++ b/src/session/session_manager.go @@ -79,3 +79,7 @@ func (manager *SessionManager) GetSession(r *http.Request) (*SessionData, error) } return data, nil } + +func (manager *SessionManager) DeleteSession(sessionId string) error { + return manager.store.Delete(sessionId) +}