Merge pull request #263 from nextsux/nexus/stable-session-secret

* feat: specify stable session cookie secret for HA setup
freifunkMUC · Nov 15, 2022 · 7f7460b · 7f7460b
2 parents cca5398 + 0f84cb3
commit 7f7460b
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 5 deletions.
diff --git a/docs/4-auth.md b/docs/4-auth.md
@@ -40,6 +40,10 @@ adminPassword: "<admin password>"
 adminUsername: "admin"
 # Configure zero or more authentication backends
 auth:
+  sessionStore:
+    # 32 random bytes in hexadecimal encoding (64 chars) used to sign session cookies. It's generated randomly
+    # if not present. Need to be set when running in HA setup (more than one replica)
+    secret: "<session store secret>"
   simple:
     # Users is a list of htpasswd encoded username:password pairs
     # supports BCrypt, Sha, Ssha, Md5

diff --git a/pkg/authnz/authconfig/authconfig.go b/pkg/authnz/authconfig/authconfig.go
@@ -5,10 +5,15 @@ import (
 )
 
 type AuthConfig struct {
-	OIDC   *OIDCConfig       `yaml:"oidc"`
-	Gitlab *GitlabConfig     `yaml:"gitlab"`
-	Basic  *BasicAuthConfig  `yaml:"basic"`
-	Simple *SimpleAuthConfig `yaml:"simple"`
+	SessionStore *SessionStoreConfig `yaml:"sessionStore"`
+	OIDC         *OIDCConfig         `yaml:"oidc"`
+	Gitlab       *GitlabConfig       `yaml:"gitlab"`
+	Basic        *BasicAuthConfig    `yaml:"basic"`
+	Simple       *SimpleAuthConfig   `yaml:"simple"`
+}
+
+type SessionStoreConfig struct {
+	Secret string `yaml:"secret"`
 }
 
 func (c *AuthConfig) IsEnabled() bool {

diff --git a/pkg/authnz/router.go b/pkg/authnz/router.go
@@ -1,6 +1,7 @@
 package authnz
 
 import (
+	"encoding/hex"
 	"fmt"
 	"net/http"
 	"strconv"
@@ -26,7 +27,20 @@ type AuthMiddleware struct {
 
 func New(config authconfig.AuthConfig, claimsMiddleware authsession.ClaimsMiddleware) (*AuthMiddleware, error) {
 	router := mux.NewRouter()
-	store := sessions.NewCookieStore([]byte(authutil.RandomString(32)))
+	var storeSecret []byte
+	if config.SessionStore.Secret == "" {
+		storeSecret = []byte(authutil.RandomString(32))
+	} else {
+		var err error
+		storeSecret, err = hex.DecodeString(config.SessionStore.Secret)
+		if err != nil {
+			return nil, err
+		}
+		if len(storeSecret) != 32 {
+			return nil, errors.New("session store secret must be 32 bytes long")
+		}
+	}
+	store := sessions.NewCookieStore(storeSecret)
 	runtime := authruntime.NewProviderRuntime(store)
 	providers := config.Providers()