miniflux/middleware/app_session.go

// Copyright 2018 Frédéric Guillot. All rights reserved.
// Use of this source code is governed by the Apache 2.0
// license that can be found in the LICENSE file.

package middleware // import "miniflux.app/middleware"

import (
	"context"
	"errors"
	"net/http"

	"miniflux.app/http/cookie"
	"miniflux.app/http/request"
	"miniflux.app/http/response/html"
	"miniflux.app/logger"
	"miniflux.app/model"
)

// AppSession handles application session middleware.
func (m *Middleware) AppSession(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var err error
		session := m.getAppSessionValueFromCookie(r)

		if session == nil {
			logger.Debug("[Middleware:AppSession] Session not found")

			session, err = m.store.CreateSession()
			if err != nil {
				logger.Error("[Middleware:AppSession] %v", err)
				html.ServerError(w, err)
				return
			}

			http.SetCookie(w, cookie.New(cookie.CookieSessionID, session.ID, m.cfg.IsHTTPS, m.cfg.BasePath()))
		} else {
			logger.Debug("[Middleware:AppSession] %s", session)
		}

		if r.Method == "POST" {
			formValue := r.FormValue("csrf")
			headerValue := r.Header.Get("X-Csrf-Token")

			if session.Data.CSRF != formValue && session.Data.CSRF != headerValue {
				logger.Error(`[Middleware:AppSession] Invalid or missing CSRF token: Form="%s", Header="%s"`, formValue, headerValue)
				html.BadRequest(w, errors.New("invalid or missing CSRF"))
				return
			}
		}

		ctx := r.Context()
		ctx = context.WithValue(ctx, SessionIDContextKey, session.ID)
		ctx = context.WithValue(ctx, CSRFContextKey, session.Data.CSRF)
		ctx = context.WithValue(ctx, OAuth2StateContextKey, session.Data.OAuth2State)
		ctx = context.WithValue(ctx, FlashMessageContextKey, session.Data.FlashMessage)
		ctx = context.WithValue(ctx, FlashErrorMessageContextKey, session.Data.FlashErrorMessage)
		ctx = context.WithValue(ctx, UserLanguageContextKey, session.Data.Language)
		ctx = context.WithValue(ctx, UserThemeContextKey, session.Data.Theme)
		ctx = context.WithValue(ctx, PocketRequestTokenContextKey, session.Data.PocketRequestToken)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

func (m *Middleware) getAppSessionValueFromCookie(r *http.Request) *model.Session {
	cookieValue := request.Cookie(r, cookie.CookieSessionID)
	if cookieValue == "" {
		return nil
	}

	session, err := m.store.Session(cookieValue)
	if err != nil {
		logger.Error("[Middleware:AppSession] %v", err)
		return nil
	}

	return session
}
Use Gorilla middleware (refactoring) 2018-04-27 23:38:46 -04:00			`// Copyright 2018 Frédéric Guillot. All rights reserved.`
First commit 2017-11-20 00:10:04 -05:00			`// Use of this source code is governed by the Apache 2.0`
			`// license that can be found in the LICENSE file.`

Use canonical imports 2018-08-25 00:51:50 -04:00			`package middleware // import "miniflux.app/middleware"`
First commit 2017-11-20 00:10:04 -05:00
			`import (`
			`"context"`
Use vanilla HTTP handlers (refactoring) 2018-04-29 19:35:04 -04:00			`"errors"`
Add OAuth2 authentication 2017-11-23 01:22:33 -05:00			`"net/http"`

Use canonical imports 2018-08-25 00:51:50 -04:00			`"miniflux.app/http/cookie"`
			`"miniflux.app/http/request"`
			`"miniflux.app/http/response/html"`
			`"miniflux.app/logger"`
			`"miniflux.app/model"`
First commit 2017-11-20 00:10:04 -05:00			`)`

Use Gorilla middleware (refactoring) 2018-04-27 23:38:46 -04:00			`// AppSession handles application session middleware.`
			`func (m *Middleware) AppSession(next http.Handler) http.Handler {`
First commit 2017-11-20 00:10:04 -05:00			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
Session management refactoring 2017-12-16 21:07:53 -05:00			`var err error`
Use vanilla HTTP handlers (refactoring) 2018-04-29 19:35:04 -04:00			`session := m.getAppSessionValueFromCookie(r)`
First commit 2017-11-20 00:10:04 -05:00
			`if session == nil {`
Use vanilla HTTP handlers (refactoring) 2018-04-29 19:35:04 -04:00			`logger.Debug("[Middleware:AppSession] Session not found")`

Use Gorilla middleware (refactoring) 2018-04-27 23:38:46 -04:00			`session, err = m.store.CreateSession()`
Session management refactoring 2017-12-16 21:07:53 -05:00			`if err != nil {`
Use vanilla HTTP handlers (refactoring) 2018-04-29 19:35:04 -04:00			`logger.Error("[Middleware:AppSession] %v", err)`
			`html.ServerError(w, err)`
Session management refactoring 2017-12-16 21:07:53 -05:00			`return`
First commit 2017-11-20 00:10:04 -05:00			`}`
Session management refactoring 2017-12-16 21:07:53 -05:00
Use Gorilla middleware (refactoring) 2018-04-27 23:38:46 -04:00			`http.SetCookie(w, cookie.New(cookie.CookieSessionID, session.ID, m.cfg.IsHTTPS, m.cfg.BasePath()))`
First commit 2017-11-20 00:10:04 -05:00			`} else {`
Use vanilla HTTP handlers (refactoring) 2018-04-29 19:35:04 -04:00			`logger.Debug("[Middleware:AppSession] %s", session)`
Session management refactoring 2017-12-16 21:07:53 -05:00			`}`
First commit 2017-11-20 00:10:04 -05:00
Session management refactoring 2017-12-16 21:07:53 -05:00			`if r.Method == "POST" {`
			`formValue := r.FormValue("csrf")`
			`headerValue := r.Header.Get("X-Csrf-Token")`

			`if session.Data.CSRF != formValue && session.Data.CSRF != headerValue {`
Use vanilla HTTP handlers (refactoring) 2018-04-29 19:35:04 -04:00			logger.Error(`[Middleware:AppSession] Invalid or missing CSRF token: Form="%s", Header="%s"`, formValue, headerValue)
			`html.BadRequest(w, errors.New("invalid or missing CSRF"))`
Session management refactoring 2017-12-16 21:07:53 -05:00			`return`
			`}`
First commit 2017-11-20 00:10:04 -05:00			`}`

Session management refactoring 2017-12-16 21:07:53 -05:00			`ctx := r.Context()`
			`ctx = context.WithValue(ctx, SessionIDContextKey, session.ID)`
			`ctx = context.WithValue(ctx, CSRFContextKey, session.Data.CSRF)`
			`ctx = context.WithValue(ctx, OAuth2StateContextKey, session.Data.OAuth2State)`
			`ctx = context.WithValue(ctx, FlashMessageContextKey, session.Data.FlashMessage)`
			`ctx = context.WithValue(ctx, FlashErrorMessageContextKey, session.Data.FlashErrorMessage)`
Store language in session to show the login page translated 2018-01-19 00:53:31 -05:00			`ctx = context.WithValue(ctx, UserLanguageContextKey, session.Data.Language)`
Improve themes handling - Store user theme in session - Logged out users will keep their theme - Add theme background color to web manifest and meta tag 2018-07-19 01:30:05 -04:00			`ctx = context.WithValue(ctx, UserThemeContextKey, session.Data.Theme)`
Add Pocket authorization flow in the user interface 2018-05-20 18:29:14 -04:00			`ctx = context.WithValue(ctx, PocketRequestTokenContextKey, session.Data.PocketRequestToken)`
Session management refactoring 2017-12-16 21:07:53 -05:00			`next.ServeHTTP(w, r.WithContext(ctx))`
			`})`
First commit 2017-11-20 00:10:04 -05:00			`}`

Use vanilla HTTP handlers (refactoring) 2018-04-29 19:35:04 -04:00			`func (m Middleware) getAppSessionValueFromCookie(r http.Request) *model.Session {`
			`cookieValue := request.Cookie(r, cookie.CookieSessionID)`
			`if cookieValue == "" {`
First commit 2017-11-20 00:10:04 -05:00			`return nil`
			`}`

Use vanilla HTTP handlers (refactoring) 2018-04-29 19:35:04 -04:00			`session, err := m.store.Session(cookieValue)`
First commit 2017-11-20 00:10:04 -05:00			`if err != nil {`
Use vanilla HTTP handlers (refactoring) 2018-04-29 19:35:04 -04:00			`logger.Error("[Middleware:AppSession] %v", err)`
First commit 2017-11-20 00:10:04 -05:00			`return nil`
			`}`

			`return session`
			`}`