closed-social
/
gitea
3
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6707 Commits
2 Branches
178 MiB
Tree: d7ca839c67
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd7ca839c67'
${ noResults }
gitea/vendor/github.com/gorilla/sessions/sessions.go

241 lines
6.3 KiB
Raw Normal View History

Oauth2 consumer (#679) * initial stuff for oauth2 login, fails on: * login button on the signIn page to start the OAuth2 flow and a callback for each provider Only GitHub is implemented for now * show login button only when the OAuth2 consumer is configured (and activated) * create macaron group for oauth2 urls * prevent net/http in modules (other then oauth2) * use a new data sessions oauth2 folder for storing the oauth2 session data * add missing 2FA when this is enabled on the user * add password option for OAuth2 user , for use with git over http and login to the GUI * add tip for registering a GitHub OAuth application * at startup of Gitea register all configured providers and also on adding/deleting of new providers * custom handling of errors in oauth2 request init + show better tip * add ExternalLoginUser model and migration script to add it to database * link a external account to an existing account (still need to handle wrong login and signup) and remove if user is removed * remove the linked external account from the user his settings * if user is unknown we allow him to register a new account or link it to some existing account * sign up with button on signin page (als change OAuth2Provider structure so we can store basic stuff about providers) * from gorilla/sessions docs: "Important Note: If you aren't using gorilla/mux, you need to wrap your handlers with context.ClearHandler as or else you will leak memory!" (we're using gorilla/sessions for storing oauth2 sessions) * use updated goth lib that now supports getting the OAuth2 user if the AccessToken is still valid instead of re-authenticating (prevent flooding the OAuth2 provider)
7 years ago
 
  1. // Copyright 2012 The Gorilla Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package sessions
  6. 

  7. import (
  8. 	"encoding/gob"
  9. 	"fmt"
  10. 	"net/http"
  11. 	"time"
  12. 

  13. 	"github.com/gorilla/context"
  14. )
  15. 

  16. // Default flashes key.

  17. const flashesKey = "_flash"
  18. 

  19. // Options --------------------------------------------------------------------

  20. 

  21. // Options stores configuration for a session or session store.

  22. //

  23. // Fields are a subset of http.Cookie fields.

  24. type Options struct {
  25. 	Path   string
  26. 	Domain string
  27. 	// MaxAge=0 means no 'Max-Age' attribute specified.

  28. 	// MaxAge<0 means delete cookie now, equivalently 'Max-Age: 0'.

  29. 	// MaxAge>0 means Max-Age attribute present and given in seconds.

  30. 	MaxAge   int
  31. 	Secure   bool
  32. 	HttpOnly bool
  33. }
  34. 

  35. // Session --------------------------------------------------------------------

  36. 

  37. // NewSession is called by session stores to create a new session instance.

  38. func NewSession(store Store, name string) *Session {
  39. 	return &Session{
  40. 		Values: make(map[interface{}]interface{}),
  41. 		store:  store,
  42. 		name:   name,
  43. 	}
  44. }
  45. 

  46. // Session stores the values and optional configuration for a session.

  47. type Session struct {
  48. 	// The ID of the session, generated by stores. It should not be used for

  49. 	// user data.

  50. 	ID string
  51. 	// Values contains the user-data for the session.

  52. 	Values  map[interface{}]interface{}
  53. 	Options *Options
  54. 	IsNew   bool
  55. 	store   Store
  56. 	name    string
  57. }
  58. 

  59. // Flashes returns a slice of flash messages from the session.

  60. //

  61. // A single variadic argument is accepted, and it is optional: it defines

  62. // the flash key. If not defined "_flash" is used by default.

  63. func (s *Session) Flashes(vars ...string) []interface{} {
  64. 	var flashes []interface{}
  65. 	key := flashesKey
  66. 	if len(vars) > 0 {
  67. 		key = vars[0]
  68. 	}
  69. 	if v, ok := s.Values[key]; ok {
  70. 		// Drop the flashes and return it.

  71. 		delete(s.Values, key)
  72. 		flashes = v.([]interface{})
  73. 	}
  74. 	return flashes
  75. }
  76. 

  77. // AddFlash adds a flash message to the session.

  78. //

  79. // A single variadic argument is accepted, and it is optional: it defines

  80. // the flash key. If not defined "_flash" is used by default.

  81. func (s *Session) AddFlash(value interface{}, vars ...string) {
  82. 	key := flashesKey
  83. 	if len(vars) > 0 {
  84. 		key = vars[0]
  85. 	}
  86. 	var flashes []interface{}
  87. 	if v, ok := s.Values[key]; ok {
  88. 		flashes = v.([]interface{})
  89. 	}
  90. 	s.Values[key] = append(flashes, value)
  91. }
  92. 

  93. // Save is a convenience method to save this session. It is the same as calling

  94. // store.Save(request, response, session). You should call Save before writing to

  95. // the response or returning from the handler.

  96. func (s *Session) Save(r *http.Request, w http.ResponseWriter) error {
  97. 	return s.store.Save(r, w, s)
  98. }
  99. 

  100. // Name returns the name used to register the session.

  101. func (s *Session) Name() string {
  102. 	return s.name
  103. }
  104. 

  105. // Store returns the session store used to register the session.

  106. func (s *Session) Store() Store {
  107. 	return s.store
  108. }
  109. 

  110. // Registry -------------------------------------------------------------------

  111. 

  112. // sessionInfo stores a session tracked by the registry.

  113. type sessionInfo struct {
  114. 	s *Session
  115. 	e error
  116. }
  117. 

  118. // contextKey is the type used to store the registry in the context.

  119. type contextKey int
  120. 

  121. // registryKey is the key used to store the registry in the context.

  122. const registryKey contextKey = 0
  123. 

  124. // GetRegistry returns a registry instance for the current request.

  125. func GetRegistry(r *http.Request) *Registry {
  126. 	registry := context.Get(r, registryKey)
  127. 	if registry != nil {
  128. 		return registry.(*Registry)
  129. 	}
  130. 	newRegistry := &Registry{
  131. 		request:  r,
  132. 		sessions: make(map[string]sessionInfo),
  133. 	}
  134. 	context.Set(r, registryKey, newRegistry)
  135. 	return newRegistry
  136. }
  137. 

  138. // Registry stores sessions used during a request.

  139. type Registry struct {
  140. 	request  *http.Request
  141. 	sessions map[string]sessionInfo
  142. }
  143. 

  144. // Get registers and returns a session for the given name and session store.

  145. //

  146. // It returns a new session if there are no sessions registered for the name.

  147. func (s *Registry) Get(store Store, name string) (session *Session, err error) {
  148. 	if !isCookieNameValid(name) {
  149. 		return nil, fmt.Errorf("sessions: invalid character in cookie name: %s", name)
  150. 	}
  151. 	if info, ok := s.sessions[name]; ok {
  152. 		session, err = info.s, info.e
  153. 	} else {
  154. 		session, err = store.New(s.request, name)
  155. 		session.name = name
  156. 		s.sessions[name] = sessionInfo{s: session, e: err}
  157. 	}
  158. 	session.store = store
  159. 	return
  160. }
  161. 

  162. // Save saves all sessions registered for the current request.

  163. func (s *Registry) Save(w http.ResponseWriter) error {
  164. 	var errMulti MultiError
  165. 	for name, info := range s.sessions {
  166. 		session := info.s
  167. 		if session.store == nil {
  168. 			errMulti = append(errMulti, fmt.Errorf(
  169. 				"sessions: missing store for session %q", name))
  170. 		} else if err := session.store.Save(s.request, w, session); err != nil {
  171. 			errMulti = append(errMulti, fmt.Errorf(
  172. 				"sessions: error saving session %q -- %v", name, err))
  173. 		}
  174. 	}
  175. 	if errMulti != nil {
  176. 		return errMulti
  177. 	}
  178. 	return nil
  179. }
  180. 

  181. // Helpers --------------------------------------------------------------------

  182. 

  183. func init() {
  184. 	gob.Register([]interface{}{})
  185. }
  186. 

  187. // Save saves all sessions used during the current request.

  188. func Save(r *http.Request, w http.ResponseWriter) error {
  189. 	return GetRegistry(r).Save(w)
  190. }
  191. 

  192. // NewCookie returns an http.Cookie with the options set. It also sets

  193. // the Expires field calculated based on the MaxAge value, for Internet

  194. // Explorer compatibility.

  195. func NewCookie(name, value string, options *Options) *http.Cookie {
  196. 	cookie := &http.Cookie{
  197. 		Name:     name,
  198. 		Value:    value,
  199. 		Path:     options.Path,
  200. 		Domain:   options.Domain,
  201. 		MaxAge:   options.MaxAge,
  202. 		Secure:   options.Secure,
  203. 		HttpOnly: options.HttpOnly,
  204. 	}
  205. 	if options.MaxAge > 0 {
  206. 		d := time.Duration(options.MaxAge) * time.Second
  207. 		cookie.Expires = time.Now().Add(d)
  208. 	} else if options.MaxAge < 0 {
  209. 		// Set it to the past to expire now.

  210. 		cookie.Expires = time.Unix(1, 0)
  211. 	}
  212. 	return cookie
  213. }
  214. 

  215. // Error ----------------------------------------------------------------------

  216. 

  217. // MultiError stores multiple errors.

  218. //

  219. // Borrowed from the App Engine SDK.

  220. type MultiError []error
  221. 

  222. func (m MultiError) Error() string {
  223. 	s, n := "", 0
  224. 	for _, e := range m {
  225. 		if e != nil {
  226. 			if n == 0 {
  227. 				s = e.Error()
  228. 			}
  229. 			n++
  230. 		}
  231. 	}
  232. 	switch n {
  233. 	case 0:
  234. 		return "(0 errors)"
  235. 	case 1:
  236. 		return s
  237. 	case 2:
  238. 		return s + " (and 1 other error)"
  239. 	}
  240. 	return fmt.Sprintf("%s (and %d other errors)", s, n-1)
  241. }