add .go-version

send access token and pass cookies

.go-version

@@ -0,0 +1 @@
+1.23.2

.traefik.yml

@@ -6,6 +6,7 @@ import: github.com/fosrl/badger
 summary: Middleware auth bouncer for Pangolin
 
 testData:
-    apiBaseUrl: http://localhost:3001/api/v1
+    apiBaseUrl: "http://localhost:3001/api/v1"
-    userSessionCookieName: session
+    userSessionCookieName: "p_session_token"
-    resourceSessionCookieName: resource_session
+    accessTokenQueryParam: "p_token"
+    resourceSessionRequestParam: "p_session_request"

README.md

@@ -8,8 +8,6 @@ This plugin is **required** to be configured alongside [Pangolin](https://github
 
 Learn how to set up [Pangolin](https://github.com/fosrl/pangolin) and Badger in the [Pangolin Documentation](https://github.com/fosrl/pangolin).
 
----
-
 ## Configuration
 
 Badger requires the following configuration parameters to be specified in your [Traefik configuration file](https://doc.traefik.io/traefik/getting-started/configuration-overview/). These coincide with the separate [Pangolin](https://github.com/fosrl/pangolin) configuration file.
@@ -18,18 +16,11 @@ Badger requires the following configuration parameters to be specified in your [
 
 ```yaml
 apiBaseUrl: "http://localhost:3001/api/v1"
-userSessionCookieName: "session"
+userSessionCookieName: "p_session_token"
-resourceSessionCookieName: "resource_session"
+accessTokenQueryParam: "p_token"
+resourceSessionRequestParam: "p_session_request"
 ```
 
----
-
 ## License
 
 This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
-
----
-
-## Contact
-
-Please contact us at [support@fossorial.io](mailto:support@fossorial.io).

SECURITY.md

@@ -0,0 +1,14 @@
+# Security Policy
+
+If you discover a security vulnerability, please follow the steps below to responsibly disclose it to us:
+
+1. **Do not create a public GitHub issue or discussion post.** This could put the security of other users at risk.
+2. Send a detailed report to [security@fossorial.io](mailto:security@fossorial.io) or send a **private** message to a maintainer on [Discord](https://discord.gg/HCJR8Xhme4). Include:
+
+- Description and location of the vulnerability.
+- Potential impact of the vulnerability.
+- Steps to reproduce the vulnerability.
+- Potential solutions to fix the vulnerability.
+- Your name/handle and a link for recognition (optional).
+
+We aim to address the issue as soon as possible.

main.go

@@ -10,9 +10,19 @@ import (
 )
 
 type Config struct {
-	APIBaseUrl                string `json:"apiBaseUrl"`
+	APIBaseUrl                  string `json:"apiBaseUrl"`
-	UserSessionCookieName     string `json:"userSessionCookieName"`
+	UserSessionCookieName       string `json:"userSessionCookieName"`
-	ResourceSessionCookieName string `json:"resourceSessionCookieName"`
+	AccessTokenQueryParam       string `json:"accessTokenQueryParam"`
+	ResourceSessionRequestParam string `json:"resourceSessionRequestParam"`
+}
+
+type Badger struct {
+	next                        http.Handler
+	name                        string
+	apiBaseUrl                  string
+	userSessionCookieName       string
+	accessTokenQueryParam       string
+	resourceSessionRequestParam string
 }
 
 type VerifyBody struct {
@@ -22,7 +32,9 @@ type VerifyBody struct {
 	RequestHost        *string           `json:"host"`
 	RequestPath        *string           `json:"path"`
 	RequestMethod      *string           `json:"method"`
+	AccessToken        *string           `json:"accessToken,omitempty"`
 	TLS                bool              `json:"tls"`
+	RequestIP          *string           `json:"requestIp,omitempty"`
 }
 
 type VerifyResponse struct {
@@ -32,12 +44,17 @@ type VerifyResponse struct {
 	} `json:"data"`
 }
 
-type Badger struct {
+type ExchangeSessionBody struct {
-	next                      http.Handler
+	RequestToken *string `json:"requestToken"`
-	name                      string
+	RequestHost  *string `json:"host"`
-	apiBaseUrl                string
+	RequestIP    *string `json:"requestIp,omitempty"`
-	userSessionCookieName     string
+}
-	resourceSessionCookieName string
+
+type ExchangeSessionResponse struct {
+	Data struct {
+		Valid  bool    `json:"valid"`
+		Cookie *string `json:"cookie"`
+	} `json:"data"`
 }
 
 func CreateConfig() *Config {
@@ -46,19 +63,77 @@ func CreateConfig() *Config {
 
 func New(ctx context.Context, next http.Handler, config *Config, name string) (http.Handler, error) {
 	return &Badger{
-		next:                      next,
+		next:                        next,
-		name:                      name,
+		name:                        name,
-		apiBaseUrl:                config.APIBaseUrl,
+		apiBaseUrl:                  config.APIBaseUrl,
-		userSessionCookieName:     config.UserSessionCookieName,
+		userSessionCookieName:       config.UserSessionCookieName,
-		resourceSessionCookieName: config.ResourceSessionCookieName,
+		accessTokenQueryParam:       config.AccessTokenQueryParam,
+		resourceSessionRequestParam: config.ResourceSessionRequestParam,
 	}, nil
 }
 
 func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	cookies := p.extractCookies(req)
 
+	var accessToken *string
+	queryValues := req.URL.Query()
+
+	if sessionRequestValue := queryValues.Get(p.resourceSessionRequestParam); sessionRequestValue != "" {
+		body := ExchangeSessionBody{
+			RequestToken: &sessionRequestValue,
+			RequestHost:  &req.Host,
+			RequestIP:    &req.RemoteAddr,
+		}
+
+		jsonData, err := json.Marshal(body)
+		if err != nil {
+			http.Error(rw, "Internal Server Error", http.StatusInternalServerError)
+			return
+		}
+
+		verifyURL := fmt.Sprintf("%s/badger/exchange-session", p.apiBaseUrl)
+		resp, err := http.Post(verifyURL, "application/json", bytes.NewBuffer(jsonData))
+		if err != nil {
+			http.Error(rw, "Internal Server Error", http.StatusInternalServerError)
+			return
+		}
+		defer resp.Body.Close()
+
+		var result ExchangeSessionResponse
+		err = json.NewDecoder(resp.Body).Decode(&result)
+		if err != nil {
+			http.Error(rw, "Internal Server Error", http.StatusInternalServerError)
+			return
+		}
+
+		if result.Data.Cookie != nil && *result.Data.Cookie != "" {
+			rw.Header().Add("Set-Cookie", *result.Data.Cookie)
+
+			queryValues.Del(p.resourceSessionRequestParam)
+			cleanedQuery := queryValues.Encode()
+			originalRequestURL := fmt.Sprintf("%s://%s%s", p.getScheme(req), req.Host, req.URL.Path)
+			if cleanedQuery != "" {
+				originalRequestURL = fmt.Sprintf("%s?%s", originalRequestURL, cleanedQuery)
+			}
+
+			fmt.Println("Got exchange token, redirecting to", originalRequestURL)
+			http.Redirect(rw, req, originalRequestURL, http.StatusFound)
+			return
+		}
+	}
+
+	if token := queryValues.Get(p.accessTokenQueryParam); token != "" {
+		accessToken = &token
+		queryValues.Del(p.accessTokenQueryParam)
+	}
+
+	cleanedQuery := queryValues.Encode()
+	originalRequestURL := fmt.Sprintf("%s://%s%s", p.getScheme(req), req.Host, req.URL.Path)
+	if cleanedQuery != "" {
+		originalRequestURL = fmt.Sprintf("%s?%s", originalRequestURL, cleanedQuery)
+	}
+
 	verifyURL := fmt.Sprintf("%s/badger/verify-session", p.apiBaseUrl)
-	originalRequestURL := fmt.Sprintf("%s://%s%s", p.getScheme(req), req.Host, req.URL.RequestURI())
 
 	cookieData := VerifyBody{
 		Sessions:           cookies,
@@ -67,7 +142,9 @@ func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		RequestHost:        &req.Host,
 		RequestPath:        &req.URL.Path,
 		RequestMethod:      &req.Method,
+		AccessToken:        accessToken,
 		TLS:                req.TLS != nil,
+		RequestIP:          &req.RemoteAddr,
 	}
 
 	jsonData, err := json.Marshal(cookieData)
@@ -83,6 +160,10 @@ func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	}
 	defer resp.Body.Close()
 
+	for _, setCookie := range resp.Header["Set-Cookie"] {
+		rw.Header().Add("Set-Cookie", setCookie)
+	}
+
 	if resp.StatusCode != http.StatusOK {
 		http.Error(rw, "Internal Server Error", http.StatusInternalServerError)
 		return
@@ -96,23 +177,29 @@ func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	}
 
 	if result.Data.RedirectURL != nil && *result.Data.RedirectURL != "" {
+		fmt.Println("Badger: Redirecting to", *result.Data.RedirectURL)
 		http.Redirect(rw, req, *result.Data.RedirectURL, http.StatusFound)
 		return
 	}
 
-	if !result.Data.Valid {
+	if result.Data.Valid {
-		http.Error(rw, "Unauthorized", http.StatusUnauthorized)
+		fmt.Println("Badger: Valid session")
+		p.next.ServeHTTP(rw, req)
 		return
 	}
 
-	p.next.ServeHTTP(rw, req)
+	http.Error(rw, "Unauthorized", http.StatusUnauthorized)
 }
 
 func (p *Badger) extractCookies(req *http.Request) map[string]string {
 	cookies := make(map[string]string)
+	isSecureRequest := req.TLS != nil
 
 	for _, cookie := range req.Cookies() {
-		if strings.HasPrefix(cookie.Name, p.userSessionCookieName) || strings.HasPrefix(cookie.Name, p.resourceSessionCookieName) {
+		if strings.HasPrefix(cookie.Name, p.userSessionCookieName) {
+			if cookie.Secure && !isSecureRequest {
+				continue
+			}
 			cookies[cookie.Name] = cookie.Value
 		}
 	}