commit 38618c69a313f27e2a6abcb22e410713e18c681e
parent 0a24c08c3e23ef7f9a05529d9c7c72792e0618e1
Author: Vetle Haflan <vetle@haflan.dev>
Date: Sat, 12 Feb 2022 18:41:00 +0100
wip: more work on making redis-session into usable auth server
Diffstat:
3 files changed, 37 insertions(+), 8 deletions(-)
diff --git a/go/redis-session/cmd/auth-server/main.go b/go/redis-session/cmd/auth-server/main.go
@@ -12,6 +12,14 @@ import (
)
var sessionIDSize = 32
+var domain string
+
+func init() {
+ domain = os.Getenv("AUTH_TOP_DOMAIN")
+ if domain == "" {
+ domain = "local.test"
+ }
+}
func getRand() (string, error) {
sidBytes := make([]byte, sessionIDSize)
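Review bot: The new package-level `domain` has no doc comment, and it is populated in `init()` from the environment, which hides a side effect at package load; reading it in `main` (or a small `loadConfig`) and passing it along would be clearer. At minimum document the variable and its source, e.g. `// domain is the cookie Domain attribute; taken from AUTH_TOP_DOMAIN, default "local.test".` The value is later written straight into the cookie's Domain attribute, so a malformed setting (leading dot, a public suffix) would presumably be dropped by the browser without any server-side error; a log line at startup showing the effective value would make that easier to diagnose. The surrounding import block and getRand continue outside the hunk.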
@@ -43,14 +51,12 @@ func postIndex(w http.ResponseWriter, r *http.Request) {
Name: "sess_id",
Value: sid,
// Setting this includes subdomains
- Domain: "local.test",
+ Domain: domain,
+ // Without this the browser will refuse to work with the cookie
+ SameSite: http.SameSiteNoneMode,
}
http.SetCookie(w, c)
- gotoURL := r.URL.Query().Get("goto")
- if gotoURL != "" {
- fmt.Println(gotoURL)
- http.Redirect(w, r, gotoURL, http.StatusPermanentRedirect)
- }
+ // TODO: 2FA
}
func getIndex(w http.ResponseWriter, r *http.Request) {
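Review bot: `SameSite: http.SameSiteNoneMode` on the session cookie is set without `Secure: true`, and current browsers reject a SameSite=None cookie that is not also Secure, so the comment "Without this the browser will refuse to work with the cookie" describes a fix that will still be refused unless the cookie also carries Secure (which in turn requires serving over HTTPS). The cookie holds the session id and nothing in the page's script needs to read it, so it should also be `HttpOnly: true` to keep it out of reach of page scripts. The two lines to add next to `SameSite`: `Secure: true,` and `HttpOnly: true,`. The `http.Cookie` literal and postIndex itself begin outside the hunk.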
@@ -60,7 +66,8 @@ func getIndex(w http.ResponseWriter, r *http.Request) {
}
func handleIndex(w http.ResponseWriter, r *http.Request) {
- fmt.Println(r.Method)
+ w.Header().Add("Access-Control-Allow-Origin", "http://login.local.test")
+ w.Header().Add("Access-Control-Allow-Credentials", "true")
switch r.Method {
case http.MethodPost:
postIndex(w, r)
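Review bot: `Access-Control-Allow-Origin` is hard-coded to `http://login.local.test` while the cookie Domain in the same commit now comes from `AUTH_TOP_DOMAIN`, so any deployment that sets that variable gets a cookie for one domain but a credentialed response the browser will block for the login page. Deriving the origin from the same setting keeps the two in step, e.g. `w.Header().Set("Access-Control-Allow-Origin", "http://login."+domain)` (the scheme will need to become https once the cookie is marked Secure). `Set` rather than `Add` is also preferable here, since a second `Access-Control-Allow-Origin` value makes the header invalid for CORS. handleIndex's switch continues outside the hunk.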
diff --git a/go/redis-session/login.html b/go/redis-session/login.html
@@ -12,8 +12,10 @@
fetch('/' + location.search, {
method: 'POST',
mode: 'cors',
- credentials: 'same-origin',
+ credentials: 'include',
body: JSON.stringify(data)
+ }).then(r => {
+ console.log(r.status)
})
}
</script>
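Review bot: The new `.then(r => { console.log(r.status) })` only logs the status and there is no `.catch`, so a rejected login (non-2xx) looks identical to success from the page and a network failure surfaces as an unhandled promise rejection. At least branch on `r.ok` and add a `.catch` that reports the failure to the user, e.g. `.then(r => { if (!r.ok) { /* show error */ } }).catch(e => console.error(e))`. The request body is `JSON.stringify(data)` without a `Content-Type: application/json` header; whether that matters depends on how the server decodes the body, which is not visible here. The enclosing function starts above the hunk.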
diff --git a/go/redis-session/notes.adoc b/go/redis-session/notes.adoc
@@ -0,0 +1,20 @@
+== Configuration
+CORS will impact whether cookies set by server will actually be set / used by the browser.
+There are several pitfalls when configuring a single sign on mechanism like in this experiment,
+e.g. when setting cookies or auth headers, `Access-Control-Allow-Origin` can *not* be a wildcard.
+Here's what works and why:
+
+.Client-side (fetch)
+- Set `credentials: 'include'` to signify that the server will send cookies
+- Set `mode: 'cors'` to allow Cross-Origin Resource (Sharing)
+
+.Server-side
+- Set headers:
+ * `Access-Control-Allow-Origin` to the login server, e.g. `http://login.example.com`
+ (to avoid the browser accessing the credentials if requested from wrong origin, _I think_)
+ * `Access-Control-Allow-Credentials` to `true` (to tell the browser that it's safe to use
+ the credentials, _I think_)
+- When generating the cookie, set:
+ * `Domain` to the domain to to highest level to be supported, e.g. `example.com`
+ * `SameSite` to `None`, otherwise the browser will refuse to work with it
+