StrafesNET/maps-service
5
Fork 0
Code Issues15 Pull Requests1 Packages Projects Releases Wiki Activity

Do Not Implicitly Validate Session Cookie #36

Merged
Quaternions merged 3 commits from validate into staging 2025-03-27 03:59:33 +00:00
Conversation 0 Commits 3 Files Changed 4 +84 -12
4 changed files with 84 additions and 12 deletions

1
openapi.yaml

@ -61,7 +61,6 @@ paths:
operationId: sessionValidate operationId: sessionValidate
tags: tags:
- Session - Session
security: []
responses: responses:
"200": "200":
description: Successful response description: Successful response

33
pkg/api/oas_client_gen.go

@ -2947,6 +2947,39 @@ func (c *Client) sendSessionValidate(ctx context.Context) (res bool, err error)
return res, errors.Wrap(err, "create request") return res, errors.Wrap(err, "create request")
} }
{
type bitset = [1]uint8
var satisfied bitset
{
stage = "Security:CookieAuth"
switch err := c.securityCookieAuth(ctx, SessionValidateOperation, r); {
case err == nil: // if NO error
satisfied[0] |= 1 << 0
case errors.Is(err, ogenerrors.ErrSkipClientSecurity):
// Skip this security.
default:
return res, errors.Wrap(err, "security \"CookieAuth\"")
}
}
if ok := func() bool {
nextRequirement:
for _, requirement := range []bitset{
{0b00000001},
} {
for i, mask := range requirement {
if satisfied[i]&mask != mask {
continue nextRequirement
}
}
return true
}
return false
}(); !ok {
return res, ogenerrors.ErrSecurityRequirementIsNotSatisfied
}
}
stage = "SendRequest" stage = "SendRequest"
resp, err := c.cfg.Client.Do(r) resp, err := c.cfg.Client.Do(r)
if err != nil { if err != nil {

52
pkg/api/oas_handlers_gen.go

@ -4138,8 +4138,58 @@ func (s *Server) handleSessionValidateRequest(args [0]string, argsEscaped bool,
s.errors.Add(ctx, 1, metric.WithAttributes(attrs...)) s.errors.Add(ctx, 1, metric.WithAttributes(attrs...))
} }
err error err error
opErrContext = ogenerrors.OperationContext{
Name: SessionValidateOperation,
ID: "sessionValidate",
}
) )
{
type bitset = [1]uint8
var satisfied bitset
{
sctx, ok, err := s.securityCookieAuth(ctx, SessionValidateOperation, r)
if err != nil {
err = &ogenerrors.SecurityError{
OperationContext: opErrContext,
Security: "CookieAuth",
Err: err,
}
if encodeErr := encodeErrorResponse(s.h.NewError(ctx, err), w, span); encodeErr != nil {
defer recordError("Security:CookieAuth", err)
}
return
}
if ok {
satisfied[0] |= 1 << 0
ctx = sctx
}
}
if ok := func() bool {
nextRequirement:
for _, requirement := range []bitset{
{0b00000001},
} {
for i, mask := range requirement {
if satisfied[i]&mask != mask {
continue nextRequirement
}
}
return true
}
return false
}(); !ok {
err = &ogenerrors.SecurityError{
OperationContext: opErrContext,
Err: ogenerrors.ErrSecurityRequirementIsNotSatisfied,
}
if encodeErr := encodeErrorResponse(s.h.NewError(ctx, err), w, span); encodeErr != nil {
defer recordError("Security", err)
}
return
}
}
var response bool var response bool
if m := s.cfg.Middleware; m != nil { if m := s.cfg.Middleware; m != nil {

10
pkg/service/security.go

@ -159,16 +159,6 @@ func (svc SecurityHandler) HandleCookieAuth(ctx context.Context, operationName a
return nil, ErrMissingSessionID return nil, ErrMissingSessionID
} }
validate, err := svc.Client.ValidateSession(ctx, &auth.IdMessage{
SessionID: sessionId,
})
if err != nil {
return nil, err
}
if !validate.Valid {
return nil, ErrInvalidSession
}
newCtx := context.WithValue(ctx, "UserInfo", UserInfoHandle{ newCtx := context.WithValue(ctx, "UserInfo", UserInfoHandle{
svc: &svc, svc: &svc,
ctx: &ctx, ctx: &ctx,