From 0b29a5a4ca71870ab138687e2fc71d6bce2754db Mon Sep 17 00:00:00 2001
From: mo khan
Date: Wed, 16 Apr 2025 17:01:39 -0600
Subject: refactor: verify the id token on every request

---
 pkg/web/middleware/unpack_token.go      | 13 +++++++------
 pkg/web/middleware/unpack_token_test.go | 17 ++++++++++++-----
 2 files changed, 19 insertions(+), 11 deletions(-)

(limited to 'pkg/web')

diff --git a/pkg/web/middleware/unpack_token.go b/pkg/web/middleware/unpack_token.go
index b53d5d3..f3d20a0 100644
--- a/pkg/web/middleware/unpack_token.go
+++ b/pkg/web/middleware/unpack_token.go
@@ -1,16 +1,14 @@
 package middleware
 
 import (
+	"fmt"
 	"net/http"
 
-	"github.com/xlgmokha/x/pkg/context"
 	"github.com/xlgmokha/x/pkg/log"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
 )
 
-var IDTokenContextKey context.Key[*oidc.IDToken] = context.Key[*oidc.IDToken]("id_token")
-
-func UnpackToken() func(http.Handler) http.Handler {
+func UnpackToken(cfg *oidc.OpenID) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			cookies := r.CookiesNamed("session")
@@ -21,8 +19,11 @@ func UnpackToken() func(http.Handler) http.Handler {
 				return
 			}
 
-			idToken, err := tokens.ParseIDToken()
+			ctx := r.Context()
+			verifier := cfg.Provider.VerifierContext(ctx, cfg.OIDCConfig)
+			idToken, err := verifier.Verify(ctx, tokens.IDToken)
 			if err != nil {
+				fmt.Printf("%v\n", err)
 				next.ServeHTTP(w, r)
 				return
 			}
@@ -30,7 +31,7 @@ func UnpackToken() func(http.Handler) http.Handler {
 			log.WithFields(r.Context(), log.Fields{"id_token": idToken})
 			next.ServeHTTP(
 				w,
-				r.WithContext(IDTokenContextKey.With(r.Context(), idToken)),
+				r.WithContext(oidc.IDTokenKey.With(r.Context(), idToken)),
 			)
 		} else {
 			next.ServeHTTP(w, r)
diff --git a/pkg/web/middleware/unpack_token_test.go b/pkg/web/middleware/unpack_token_test.go
index a6f591e..ac3d50c 100644
--- a/pkg/web/middleware/unpack_token_test.go
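Review bot: The exported UnpackToken gains a new contract in this hunk (verify against cfg, forward anonymously on any failure) but still has no doc comment, and callers need that contract to know what "no token in the context" means. I would add, above the signature, `// UnpackToken returns middleware that verifies the ID token carried in the "session" cookie against cfg and, on success, stores it in the request context under oidc.IDTokenKey; requests with no cookie or an unverifiable token are forwarded without a token.` Since cfg is first dereferenced per request (cfg.Provider in the next hunk), a nil cfg surfaces as a panic on the first request rather than at wiring time; a guard at the top of the function, `if cfg == nil { panic("middleware: UnpackToken requires a non-nil *oidc.OpenID") }`, would fail fast. The function's body continues past this hunk.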
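Review bot: The verification failure on the new `fmt.Printf("%v\n", err)` line goes to stdout instead of the `log` package this file already imports, so a forged, expired or wrong-audience token leaves no structured signal and is indistinguishable in the logs from an anonymous request. Route it through the existing logger (for example attach `err.Error()` with `log.WithFields(ctx, log.Fields{"id_token_error": err.Error()})`, if that is how this package emits), drop the `fmt` import, and say why the request still proceeds: `// Unverifiable token: treat the request as unauthenticated but record the reason.` What Verify actually rejects depends on cfg.OIDCConfig, which is not visible here — if it ever sets SkipExpiryCheck or SkipClientIDCheck, expired or cross-client tokens would pass this middleware, so that configuration deserves a test. On failure it may also be worth clearing the stale "session" cookie so clients stop resending it on every request. UnpackToken's body begins before and ends after this hunk.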
+++ b/pkg/web/middleware/unpack_token_test.go
@@ -1,6 +1,7 @@
 package middleware
 
 import (
+	"context"
 	"net/http"
 	"testing"
 	"time"
@@ -14,7 +15,13 @@ import (
 )
 
 func TestUnpackToken(t *testing.T) {
-	middleware := UnpackToken()
+	srv := test.OIDCServer()
+	defer srv.Close()
+
+	openID, err := oidc.New(context.Background(), srv.URL, "client_id", "client_secret", "https://example.com/oauth/callback")
+	require.NoError(t, err)
+
+	middleware := UnpackToken(openID)
 
 	t.Run("when an active session cookie is provided", func(t *testing.T) {
 		t.Run("attaches the token to the request context", func(t *testing.T) {
@@ -22,9 +29,9 @@ func TestUnpackToken(t *testing.T) {
 			encoded := x.Must(tokens.ToBase64String())
 
 			server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				token := IDTokenContextKey.From(r.Context())
+				token := oidc.IDTokenKey.From(r.Context())
 				require.NotNil(t, token)
-				assert.Equal(t, "root", token.Nickname)
+				assert.Equal(t, "root", token.Issuer)
 				w.WriteHeader(http.StatusTeapot)
 			}))
 
@@ -43,7 +50,7 @@ func TestUnpackToken(t *testing.T) {
 	t.Run("when an invalid session cookie is provided", func(t *testing.T) {
 		t.Run("forwards the request", func(t *testing.T) {
 			server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				require.Nil(t, IDTokenContextKey.From(r.Context()))
+				require.Nil(t, oidc.IDTokenKey.From(r.Context()))
 				w.WriteHeader(http.StatusTeapot)
 			}))
 
@@ -62,7 +69,7 @@ func TestUnpackToken(t *testing.T) {
 	t.Run("when no cookies are provided", func(t *testing.T) {
 		t.Run("forwards the request", func(t *testing.T) {
 			server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				require.Nil(t, IDTokenContextKey.From(r.Context()))
+				require.Nil(t, oidc.IDTokenKey.From(r.Context()))
 				w.WriteHeader(http.StatusTeapot)
 			}))
 
-- 
cgit v1.2.3
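Review bot: The only negative case this test keeps is an undecodable cookie, so nothing exercises the new verification path rejecting a well-formed token — one signed by a key the test OIDC server does not publish, one whose audience is not "client_id", or one that has expired. Each should be asserted to leave `oidc.IDTokenKey.From(r.Context())` nil while still forwarding the request, mirroring the existing "when an invalid session cookie is provided" block; without them a regression that relaxes the verifier's expiry or client-ID checks would pass this suite unnoticed. The changed `assert.Equal(t, "root", token.Issuer)` also depends on what test.OIDCServer issues, which is not visible here; a short comment naming the fixture's issuer would make the expectation self-explanatory. TestUnpackToken continues past the last hunk.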