| author | mo khan <mo@mokhan.ca> | 2025-04-16 17:01:39 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-04-16 17:01:39 -0600 |
| commit | 0b29a5a4ca71870ab138687e2fc71d6bce2754db (patch) | |
| tree | 0c8897d6efd734b620eab22e8f86e7e9b4d202ea /pkg/web | |
| parent | 9e83b4b2e95254ba51c66ed15f400d3bec5712f1 (diff) | |
refactor: verify the id token on every request
Diffstat (limited to 'pkg/web')
| -rw-r--r-- | pkg/web/middleware/unpack_token.go | 13 | ||||
| -rw-r--r-- | pkg/web/middleware/unpack_token_test.go | 17 |
2 files changed, 19 insertions, 11 deletions
diff --git a/pkg/web/middleware/unpack_token.go b/pkg/web/middleware/unpack_token.go
index b53d5d3..f3d20a0 100644
--- a/pkg/web/middleware/unpack_token.go
+++ b/pkg/web/middleware/unpack_token.go
@@ -1,16 +1,14 @@
 package middleware
 import (
+ "fmt"
 "net/http"
- "github.com/xlgmokha/x/pkg/context"
 "github.com/xlgmokha/x/pkg/log"
 "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
 )
-var IDTokenContextKey context.Key[*oidc.IDToken] = context.Key[*oidc.IDToken]("id_token")
-
-func UnpackToken() func(http.Handler) http.Handler {
+func UnpackToken(cfg *oidc.OpenID) func(http.Handler) http.Handler {
 return func(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 cookies := r.CookiesNamed("session")
@@ -21,8 +19,11 @@ func UnpackToken() func(http.Handler) http.Handler {
 return
 }
- idToken, err := tokens.ParseIDToken()
+ ctx := r.Context()
+ verifier := cfg.Provider.VerifierContext(ctx, cfg.OIDCConfig)
+ idToken, err := verifier.Verify(ctx, tokens.IDToken)
 if err != nil {
+ fmt.Printf("%v\n", err)
 next.ServeHTTP(w, r)
 return
 }
@@ -30,7 +31,7 @@ func UnpackToken() func(http.Handler) http.Handler {
 log.WithFields(r.Context(), log.Fields{"id_token": idToken})
 next.ServeHTTP(
 w,
- r.WithContext(IDTokenContextKey.With(r.Context(), idToken)),
+ r.WithContext(oidc.IDTokenKey.With(r.Context(), idToken)),
 )
 } else {
 next.ServeHTTP(w, r)
diff --git a/pkg/web/middleware/unpack_token_test.go b/pkg/web/middleware/unpack_token_test.go
index a6f591e..ac3d50c 100644
--- a/pkg/web/middleware/unpack_token_test.go
+++ b/pkg/web/middleware/unpack_token_test.go
@@ -1,6 +1,7 @@
 package middleware
 import (
+ "context"
 "net/http"
 "testing"
 "time"
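Review bot: The new signature `UnpackToken(cfg *oidc.OpenID)` is exported but carries no doc comment, and `cfg` is only dereferenced per request (`cfg.Provider` in the next hunk), so a nil argument surfaces as a panic on the first request instead of when the middleware is built. Suggested doc comment: `// UnpackToken returns middleware that verifies the ID token carried in the "session" cookie against cfg's provider and attaches it to the request context; requests with no cookie, or whose token fails verification, are forwarded unchanged.` Rejecting a nil cfg up front when `UnpackToken` is called would turn that into a programmer-error report at startup rather than a request-time panic. The body of UnpackToken continues past this hunk.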
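Review bot: `fmt.Printf("%v\n", err)` after the new `verifier.Verify` call writes the verification failure to stdout, bypassing the `log` package this file already uses two hunks later (`log.WithFields`), and an ID-token verification error can carry claim material such as the expected versus actual issuer or audience, which belongs in the request-scoped, level-controlled log rather than on unstructured stdout. Route it through the file's logger, e.g. `log.WithFields(ctx, log.Fields{"id_token_error": err.Error()})` if that is how this package records request fields, or remove it. Since `Verify` only enforces what `cfg.OIDCConfig` asks for, it is worth confirming that the config sets the expected client ID and does not skip the expiry check, as those options decide whether "verify on every request" actually rejects expired or mis-audienced tokens. The enclosing handler closure starts before and ends after this hunk.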
@@ -14,7 +15,13 @@ import (
 )
 func TestUnpackToken(t *testing.T) {
- middleware := UnpackToken()
+ srv := test.OIDCServer()
+ defer srv.Close()
+
+ openID, err := oidc.New(context.Background(), srv.URL, "client_id", "client_secret", "https://example.com/oauth/callback")
+ require.NoError(t, err)
+
+ middleware := UnpackToken(openID)
 t.Run("when an active session cookie is provided", func(t *testing.T) {
 t.Run("attaches the token to the request context", func(t *testing.T) {
@@ -22,9 +29,9 @@ func TestUnpackToken(t *testing.T) {
 encoded := x.Must(tokens.ToBase64String())
 server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- token := IDTokenContextKey.From(r.Context())
+ token := oidc.IDTokenKey.From(r.Context())
 require.NotNil(t, token)
- assert.Equal(t, "root", token.Nickname)
+ assert.Equal(t, "root", token.Issuer)
 w.WriteHeader(http.StatusTeapot)
 }))
@@ -43,7 +50,7 @@ func TestUnpackToken(t *testing.T) {
 t.Run("when an invalid session cookie is provided", func(t *testing.T) {
 t.Run("forwards the request", func(t *testing.T) {
 server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- require.Nil(t, IDTokenContextKey.From(r.Context()))
+ require.Nil(t, oidc.IDTokenKey.From(r.Context()))
 w.WriteHeader(http.StatusTeapot)
 }))
@@ -62,7 +69,7 @@ func TestUnpackToken(t *testing.T) {
 t.Run("when no cookies are provided", func(t *testing.T) {
 t.Run("forwards the request", func(t *testing.T) {
 server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- require.Nil(t, IDTokenContextKey.From(r.Context()))
+ require.Nil(t, oidc.IDTokenKey.From(r.Context()))
 w.WriteHeader(http.StatusTeapot)
 })) |
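Review bot: The new setup wires a real verifier through `test.OIDCServer()` and `oidc.New(...)`, but the cases visible in the later hunks only cover a token the fixture signs (the `-22` hunk), an "invalid session cookie" and "no cookies" (the `-43` and `-62` hunks); nothing exercises a well-formed token that should fail `Verify` — wrong signature, expired, or a mismatched audience or issuer — which is precisely the behaviour this commit introduces. Add at least one such case in the same shape as the invalid-cookie test, asserting `require.Nil(t, oidc.IDTokenKey.From(r.Context()))` and that the request is still forwarded. `TestUnpackToken` continues past this hunk.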
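Review bot: `assert.Equal(t, "root", token.Issuer)` swaps the removed nickname assertion for the issuer but keeps the literal `"root"`, which reads like the old value carried over; after verification the issuer is whatever the test provider is configured with, so the assertion should reference that source rather than a literal — `assert.Equal(t, srv.URL, token.Issuer)` if the fixture signs with its own URL, otherwise whatever `test.OIDCServer()` exposes as its issuer. Confirm against the fixture which it is, as this is inferred from the test setup rather than visible here. The enclosing subtest continues past this hunk.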
