commit d5d5524c2a176c6203227f6b29a6ab201da420b2
parent 05ff2ee61274739ae745ad598458d532d04b25c6
Author: n0tr1v <n0tr1v@protonmail.com>
Date: Sun, 4 Dec 2022 00:15:39 -0500
cleanup hardcoded cookie names
Diffstat:
5 files changed, 43 insertions(+), 35 deletions(-)
diff --git a/pkg/template/templates.go b/pkg/template/templates.go
@@ -2,6 +2,7 @@ package template
import (
"dkforest/pkg/global"
+ hutils "dkforest/pkg/web/handlers/utils"
"fmt"
"html/template"
"io"
@@ -99,7 +100,7 @@ func (t *Templates) Render(w io.Writer, name string, data any, c echo.Context) e
if d.AuthUser != nil {
d.SSETopics = strings.Join(GetBaseSSETopics(c), ",")
var sessionToken string
- if authCookie, err := c.Cookie("auth-token"); err == nil {
+ if authCookie, err := c.Cookie(hutils.AuthCookieName); err == nil {
sessionToken = authCookie.Value
}
d.InboxCount = global.GetUserNotificationCount(d.AuthUser.ID, sessionToken)
diff --git a/pkg/web/handlers/api/v1/handlers.go b/pkg/web/handlers/api/v1/handlers.go
@@ -70,7 +70,7 @@ var cRgx = regexp.MustCompile(`^/pm ` + optAtGUser + ` /c\s?(move)?$`)
// ChatMessagesHandler room messages iframe handler
// The chat messages iframe use this endpoint to get the messages for a room.
func ChatMessagesHandler(c echo.Context) error {
- authCookie, _ := c.Cookie("auth-token")
+ authCookie, _ := c.Cookie(hutils.AuthCookieName)
authUser := c.Get("authUser").(*database.User)
roomName := c.Param("roomName")
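Review bot: The error from `c.Cookie` on the added line is still discarded, so when no `auth-token` cookie is present `authCookie` is nil and any later `authCookie.Value` read panics; the constant rename does not change this, and the same discarded error appears in `DeleteSessionNotificationHandler` and `ChatInboxDeleteAllMessageHandler` below (where `authCookie.Value` is dereferenced directly), and in `LogoutHandler`, `SettingsInboxHandler` and `SettingsSessionsHandler` in handlers.go. `SetUserMiddleware` in this commit sets `authUser` from an earlier branch that does not read the cookie, so an authenticated request without the cookie looks reachable — please confirm. Suggest `authCookie, err := c.Cookie(hutils.AuthCookieName)` followed by `if err != nil { return echo.ErrUnauthorized }` (or the file's usual unauthorized response) at each of those sites. ChatMessagesHandler's body continues outside the hunk.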
@@ -354,7 +354,7 @@ func DeleteNotificationHandler(c echo.Context) error {
}
func DeleteSessionNotificationHandler(c echo.Context) error {
- authCookie, _ := c.Cookie("auth-token")
+ authCookie, _ := c.Cookie(hutils.AuthCookieName)
sessionNotificationID := utils.DoParseInt64(c.Param("sessionNotificationID"))
var msg database.SessionNotification
if err := database.DB.Where("ID = ? AND session_token = ?", sessionNotificationID, authCookie.Value).First(&msg).Error; err != nil {
@@ -382,7 +382,7 @@ func ChatInboxDeleteMessageHandler(c echo.Context) error {
}
func ChatInboxDeleteAllMessageHandler(c echo.Context) error {
- authCookie, _ := c.Cookie("auth-token")
+ authCookie, _ := c.Cookie(hutils.AuthCookieName)
authUser := c.Get("authUser").(*database.User)
if err := database.DeleteAllChatInbox(authUser.ID); err != nil {
logrus.Error(err)
diff --git a/pkg/web/handlers/handlers.go b/pkg/web/handlers/handlers.go
@@ -375,7 +375,7 @@ func LoginCompletedHandler(c echo.Context) error {
// SessionsGpgTwoFactorHandler ...
func SessionsGpgTwoFactorHandler(c echo.Context) error {
- partialAuthCookie, err := c.Cookie("partial-auth-token")
+ partialAuthCookie, err := c.Cookie(hutils.PartialAuthCookieName)
if err != nil {
return c.Redirect(http.StatusFound, "/")
}
@@ -414,7 +414,7 @@ func SessionsGpgTwoFactorHandler(c echo.Context) error {
}
pgpTokenCache.Delete(user.ID)
partialAuthCache.Delete(partialAuthCookie.Value)
- c.SetCookie(hutils.DeleteCookie("partial-auth-token"))
+ c.SetCookie(hutils.DeleteCookie(hutils.PartialAuthCookieName))
if string(user.TwoFactorSecret) != "" {
token := utils.GenerateToken32()
@@ -433,7 +433,7 @@ func SessionsGpgTwoFactorHandler(c echo.Context) error {
// SessionsGpgSignTwoFactorHandler ...
func SessionsGpgSignTwoFactorHandler(c echo.Context) error {
- partialAuthCookie, err := c.Cookie("partial-auth-token")
+ partialAuthCookie, err := c.Cookie(hutils.PartialAuthCookieName)
if err != nil {
return c.Redirect(http.StatusFound, "/")
}
@@ -468,7 +468,7 @@ func SessionsGpgSignTwoFactorHandler(c echo.Context) error {
}
pgpTokenCache.Delete(user.ID)
partialAuthCache.Delete(partialAuthCookie.Value)
- c.SetCookie(hutils.DeleteCookie("partial-auth-token"))
+ c.SetCookie(hutils.DeleteCookie(hutils.PartialAuthCookieName))
if string(user.TwoFactorSecret) != "" {
token := utils.GenerateToken32()
@@ -487,7 +487,7 @@ func SessionsGpgSignTwoFactorHandler(c echo.Context) error {
// SessionsTwoFactorHandler ...
func SessionsTwoFactorHandler(c echo.Context) error {
- partialAuthCookie, err := c.Cookie("partial-auth-token")
+ partialAuthCookie, err := c.Cookie(hutils.PartialAuthCookieName)
if err != nil {
return c.Redirect(http.StatusFound, "/")
}
@@ -511,7 +511,7 @@ func SessionsTwoFactorHandler(c echo.Context) error {
}
partialAuthCache.Delete(partialAuthCookie.Value)
- c.SetCookie(hutils.DeleteCookie("partial-auth-token"))
+ c.SetCookie(hutils.DeleteCookie(hutils.PartialAuthCookieName))
return completeLogin(c, user, c.RealIP())
}
@@ -520,7 +520,7 @@ func SessionsTwoFactorHandler(c echo.Context) error {
// SessionsTwoFactorRecoveryHandler ...
func SessionsTwoFactorRecoveryHandler(c echo.Context) error {
- partialAuthCookie, err := c.Cookie("partial-auth-token")
+ partialAuthCookie, err := c.Cookie(hutils.PartialAuthCookieName)
if err != nil {
return c.Redirect(http.StatusFound, "/")
}
@@ -543,7 +543,7 @@ func SessionsTwoFactorRecoveryHandler(c echo.Context) error {
}
partialAuthCache.Delete(partialAuthCookie.Value)
- c.SetCookie(hutils.DeleteCookie("partial-auth-token"))
+ c.SetCookie(hutils.DeleteCookie(hutils.PartialAuthCookieName))
return completeLogin(c, user, c.RealIP())
}
@@ -553,7 +553,7 @@ func SessionsTwoFactorRecoveryHandler(c echo.Context) error {
// LogoutHandler for logout route
func LogoutHandler(ctx echo.Context) error {
authUser := ctx.Get("authUser").(*database.User)
- c, _ := ctx.Cookie("auth-token")
+ c, _ := ctx.Cookie(hutils.AuthCookieName)
if err := database.DeleteSessionByToken(c.Value); err != nil {
logrus.Error("Failed to remove session from DB : ", err)
}
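Review bot: The cookie variable on the added line is named `c` while the echo context is `ctx`, which inverts the convention used by every other handler in this diff (context is `c`, cookie is `authCookie`) and makes `c.Value` read like a context call. Renaming to `authCookie, _ := ctx.Cookie(hutils.AuthCookieName)` and `database.DeleteSessionByToken(authCookie.Value)` keeps the file consistent. LogoutHandler's body continues outside the hunk.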
@@ -564,7 +564,7 @@ func LogoutHandler(ctx echo.Context) error {
}
}
database.CreateSecurityLog(authUser.ID, database.LogoutSecurityLog)
- ctx.SetCookie(hutils.DeleteCookie("auth-token"))
+ ctx.SetCookie(hutils.DeleteCookie(hutils.AuthCookieName))
managers.ActiveUsers.RemoveUser(authUser.ID)
if authUser.Temp {
if err := database.DB.Where("id = ?", authUser.ID).Unscoped().Delete(&database.User{}).Error; err != nil {
@@ -575,23 +575,23 @@ func LogoutHandler(ctx echo.Context) error {
}
func createPartialRecoveryCookie(value string) *http.Cookie {
- return hutils.CreateCookie("partial-recovery-token", value, 10*utils.OneMinuteSecs)
+ return hutils.CreateCookie(hutils.PartialRecoveryCookieName, value, 10*utils.OneMinuteSecs)
}
func createPartialRecovery2Cookie(value string) *http.Cookie {
- return hutils.CreateCookie("partial-recovery2-token", value, 10*utils.OneMinuteSecs)
+ return hutils.CreateCookie(hutils.PartialRecovery2CookieName, value, 10*utils.OneMinuteSecs)
}
func createPartialSessionCookie(value string) *http.Cookie {
- return hutils.CreateCookie("partial-auth-token", value, 10*utils.OneMinuteSecs)
+ return hutils.CreateCookie(hutils.PartialAuthCookieName, value, 10*utils.OneMinuteSecs)
}
func createSessionCookie(value string) *http.Cookie {
- return hutils.CreateCookie("auth-token", value, utils.OneMonthSecs)
+ return hutils.CreateCookie(hutils.AuthCookieName, value, utils.OneMonthSecs)
}
func createSignupCookie(value string, maxAge int64) *http.Cookie {
- return hutils.CreateCookie("signup-token", value, maxAge)
+ return hutils.CreateCookie(hutils.SignupCookieName, value, maxAge)
}
// FlashResponse ...
@@ -772,7 +772,7 @@ func SignupHandler(c echo.Context) error {
func signupHandler(c echo.Context) error {
start := time.Now().UnixNano()
var signupToken string
- if cc, err := c.Cookie("signup-token"); err == nil {
+ if cc, err := c.Cookie(hutils.SignupCookieName); err == nil {
valB64 := cc.Value
val, err := base64.URLEncoding.DecodeString(valB64)
if err != nil {
@@ -878,7 +878,7 @@ func signupHandler(c echo.Context) error {
// If SignupFakeEnabled is enabled, we always say the account was created, but we do not create it.
if config.SignupFakeEnabled.IsTrue() {
- c.SetCookie(hutils.DeleteCookie("signup-token"))
+ c.SetCookie(hutils.DeleteCookie(hutils.SignupCookieName))
return c.Render(http.StatusOK, "flash", FlashResponse{"Your account has been created", "/login", "alert-success"})
}
@@ -927,7 +927,7 @@ func signupHandler(c echo.Context) error {
}
}
- c.SetCookie(hutils.DeleteCookie("signup-token"))
+ c.SetCookie(hutils.DeleteCookie(hutils.SignupCookieName))
return c.Render(http.StatusOK, "flash", FlashResponse{"Your account has been created", "/login", "alert-success"})
}
@@ -1030,7 +1030,7 @@ func ForgotPasswordHandler(c echo.Context) error {
data.Step = 2
// Step2 is guarded by the "partial-recovery-token" cookie that must be valid
- partialRecoveryCookie, err := c.Cookie("partial-recovery-token")
+ partialRecoveryCookie, err := c.Cookie(hutils.PartialRecoveryCookieName)
if err != nil {
return c.Redirect(http.StatusFound, "/")
}
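Review bot: The Step2 comment just above the changed line still spells the cookie name as the literal `"partial-recovery-token"`, so it will drift if the constant's value ever changes; now that the name lives in a constant, `// Step2 is guarded by the hutils.PartialRecoveryCookieName cookie that must be valid` keeps the comment tied to the code. The Step3 comment in the later hunk of ForgotPasswordHandler has the same literal for `"partial-recovery2-token"`. ForgotPasswordHandler's body starts and ends outside the hunk.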
@@ -1064,7 +1064,7 @@ func ForgotPasswordHandler(c echo.Context) error {
pgpTokenCache.Delete(userID)
partialRecoveryCache.Delete(partialRecoveryCookie.Value)
- c.SetCookie(hutils.DeleteCookie("partial-recovery-token"))
+ c.SetCookie(hutils.DeleteCookie(hutils.PartialRecoveryCookieName))
token2 := utils.GenerateToken32()
partialRecovery2Cache.Set(token2, userID, cache1.DefaultExpiration)
@@ -1078,7 +1078,7 @@ func ForgotPasswordHandler(c echo.Context) error {
data.Step = 3
// Step3 is guarded by the "partial-recovery2-token" cookie that must be valid
- partialRecovery2Cookie, err := c.Cookie("partial-recovery2-token")
+ partialRecovery2Cookie, err := c.Cookie(hutils.PartialRecovery2CookieName)
if err != nil {
return c.Redirect(http.StatusFound, "/")
}
@@ -1108,7 +1108,7 @@ func ForgotPasswordHandler(c echo.Context) error {
database.CreateSecurityLog(user.ID, database.PasswordRecoverySecurityLog)
partialRecovery2Cache.Delete(partialRecovery2Cookie.Value)
- c.SetCookie(hutils.DeleteCookie("partial-recovery2-token"))
+ c.SetCookie(hutils.DeleteCookie(hutils.PartialRecovery2CookieName))
return c.Render(http.StatusFound, "flash", FlashResponse{Message: "Password reset done", Redirect: "/login"})
}
@@ -2706,7 +2706,7 @@ func SettingsPrivateNotesHandler(c echo.Context) error {
}
func SettingsInboxHandler(c echo.Context) error {
- authCookie, _ := c.Cookie("auth-token")
+ authCookie, _ := c.Cookie(hutils.AuthCookieName)
authUser := c.Get("authUser").(*database.User)
var data settingsInboxData
data.ActiveTab = "inbox"
@@ -2774,7 +2774,7 @@ func SettingsSessionsHandler(c echo.Context) error {
var data settingsSessionsData
data.ActiveTab = "sessions"
sessions := database.GetActiveUserSessions(authUser.ID)
- authCookie, _ := c.Cookie("auth-token")
+ authCookie, _ := c.Cookie(hutils.AuthCookieName)
for _, session := range sessions {
s := WrapperSession{Session: session}
if authCookie.Value == s.Token {
@@ -3168,7 +3168,7 @@ func changePasswordForm(c echo.Context, data settingsPasswordData) error {
if err := authUser.ChangePassword(hashedPassword); err != nil {
logrus.Error(err)
}
- c.SetCookie(hutils.DeleteCookie("auth-token"))
+ c.SetCookie(hutils.DeleteCookie(hutils.AuthCookieName))
database.CreateSecurityLog(authUser.ID, database.ChangePasswordSecurityLog)
return c.Render(http.StatusFound, "flash", FlashResponse{Message: "Password changed successfully", Redirect: "/login"})
}
@@ -3205,7 +3205,7 @@ func changeDuressPasswordForm(c echo.Context, data settingsPasswordData) error {
if err := authUser.ChangeDuressPassword(hashedPassword); err != nil {
logrus.Error(err)
}
- c.SetCookie(hutils.DeleteCookie("auth-token"))
+ c.SetCookie(hutils.DeleteCookie(hutils.AuthCookieName))
database.CreateSecurityLog(authUser.ID, database.ChangeDuressPasswordSecurityLog)
return c.Render(http.StatusFound, "flash", FlashResponse{Message: "Password changed successfully", Redirect: "/login"})
}
@@ -3516,7 +3516,7 @@ func GpgTwoFactorAuthenticationToggleHandler(c echo.Context) error {
if err := database.DeleteUserSessions(authUser.ID); err != nil {
logrus.Error(err)
}
- c.SetCookie(hutils.DeleteCookie("auth-token"))
+ c.SetCookie(hutils.DeleteCookie(hutils.AuthCookieName))
authUser.GpgTwoFactorEnabled = true
authUser.GpgTwoFactorMode = utils.DoParseBool(c.Request().PostFormValue("gpg_two_factor_mode"))
authUser.DoSave()
@@ -3569,7 +3569,7 @@ func TwoFactorAuthenticationVerifyHandler(c echo.Context) error {
if err := database.DeleteUserSessions(authUser.ID); err != nil {
logrus.Error(err)
}
- c.SetCookie(hutils.DeleteCookie("auth-token"))
+ c.SetCookie(hutils.DeleteCookie(hutils.AuthCookieName))
authUser.TwoFactorSecret = database.EncryptedString(twoFactor.key.Secret())
authUser.TwoFactorRecovery = string(h)
if err := authUser.Save(); err != nil {
diff --git a/pkg/web/handlers/utils/utils.go b/pkg/web/handlers/utils/utils.go
@@ -12,7 +12,14 @@ import (
"github.com/labstack/echo"
)
-const HBCookieName = "dkft" // dkf troll
+const (
+ HBCookieName = "dkft" // dkf troll
+ SignupCookieName = "signup-token"
+ AuthCookieName = "auth-token"
+ PartialAuthCookieName = "partial-auth-token"
+ PartialRecoveryCookieName = "partial-recovery-token"
+ PartialRecovery2CookieName = "partial-recovery2-token"
+)
func CreateCookie(name, value string, maxAge int64) *http.Cookie {
cookie := &http.Cookie{
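Review bot: The five new exported constants have no doc comments, and the only existing one, `// dkf troll`, explains little about what `HBCookieName` is for. A one-line comment on the block, such as `// Names of the cookies set and read by the web handlers and middlewares.`, plus a short note on each `*-token` name saying which flow sets it (signup, full login, partial login, password-recovery step 2 and step 3) would let a reader find the matching handler without grepping; the expiry for each is decided in handlers.go, not here, so the comments should not state lifetimes. A clearer description of `HBCookieName` would help too, if its purpose is known. CreateCookie's body continues outside the hunk.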
diff --git a/pkg/web/middlewares/middlewares.go b/pkg/web/middlewares/middlewares.go
@@ -238,7 +238,7 @@ func SetUserMiddleware(next echo.HandlerFunc) echo.HandlerFunc {
ctx.Set("authUser", &user)
return next(ctx)
}
- } else if authCookie, err := ctx.Cookie("auth-token"); err == nil {
+ } else if authCookie, err := ctx.Cookie(hutils.AuthCookieName); err == nil {
// Login using auth cookie
if err := database.GetUserBySessionKey(&user, authCookie.Value); err == nil {
ctx.Set("authUser", &user)
@@ -392,7 +392,7 @@ func AprilFoolMiddleware() echo.MiddlewareFunc {
func DdosMiddleware(next echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error {
config.RpsCounter.Incr()
- if authCookie, err := c.Cookie("auth-token"); err == nil {
+ if authCookie, err := c.Cookie(hutils.AuthCookieName); err == nil {
if len(authCookie.Value) > 64 {
if conn, ok := c.Request().Context().Value("conn").(net.Conn); ok {
config.ConnMap.Close(conn)