core: resolve session referencing issue (#125)
arekkas authored Nov 17, 2016
1 parent 4c4507f commit 81a3229
Showing 6 changed files with 51 additions and 4 deletions.
6 changes: 6 additions & 0 deletions HISTORY.md
@@ -1,6 +1,12 @@
This is a list of breaking changes. As long as `1.0.0` is not released, breaking changes will be addressed as minor version
bumps (`0.1.0` -> `0.2.0`).

## 0.6.0

A bug related to refresh tokens was found. To mitigate it, a `Clone()` method has been introduced to the `fosite.Session` interface.
If you use a custom session object, this will be a breaking change. Fosite's default sessions have been upgraded and no additional
work should be required. If you use your own session struct, we encourage using package `gob/encoding` to deep-copy it in `Clone()`.

## 0.5.0

Breaking changes:
2 changes: 1 addition & 1 deletion handler/oauth2/flow_refresh.go
Expand Up @@ -57,7 +57,7 @@ func (c *RefreshTokenGrantHandler) HandleTokenEndpointRequest(ctx context.Contex
return errors.Wrap(fosite.ErrInvalidRequest, "Client ID mismatch")
}

request.SetSession(originalRequest.GetSession())
request.SetSession(originalRequest.GetSession().Clone())
request.SetRequestedScopes(originalRequest.GetRequestedScopes())
for _, scope := range originalRequest.GetGrantedScopes() {
request.GrantScope(scope)
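Review bot: The new `request.SetSession(originalRequest.GetSession().Clone())` calls a method on whatever GetSession() returns without a nil check, so a stored request that carries no session now panics here, where the old line merely propagated the nil. Whether the storage layer can hand back a request without a session is not visible in this hunk, but the guard costs one line: `if sess := originalRequest.GetSession(); sess != nil { request.SetSession(sess.Clone()) }`. HandleTokenEndpointRequest begins and ends outside the hunk.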
2 changes: 1 addition & 1 deletion handler/oauth2/flow_refresh_test.go
Expand Up @@ -90,7 +90,7 @@ func TestRefreshFlow_HandleTokenEndpointRequest(t *testing.T) {
}, nil)
},
expect: func() {
assert.Equal(t, sess, areq.Session)
assert.NotEqual(t, sess, areq.Session)
assert.NotEqual(t, time.Now().Add(-time.Hour).Round(time.Hour), areq.RequestedAt)
assert.Equal(t, fosite.Arguments{"foo", "offline"}, areq.GrantedScopes)
assert.Equal(t, fosite.Arguments{"foo", "bar"}, areq.Scopes)
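Review bot: `assert.NotEqual(t, sess, areq.Session)` does not pin the property the commit introduces: testify's NotEqual compares values through reflect.DeepEqual, which treats two pointers to deeply equal structs as equal, so this assertion passes only when the cloned session's contents differ from the original — the opposite of what a deep copy should guarantee, and it would also hide a regression where the clone is the very same pointer. If sess is a pointer (its declaration is outside the hunk), the intended check is pointer distinctness plus content equality: `assert.True(t, sess != areq.Session)` followed by `assert.Equal(t, sess, areq.Session)`; if the second assertion fails, that itself shows the gob round-trip dropping state. TestRefreshFlow_HandleTokenEndpointRequest begins and ends outside the hunk.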
12 changes: 12 additions & 0 deletions handler/oauth2/strategy_jwt_session.go
Expand Up @@ -4,6 +4,8 @@ import (
"github.com/ory-am/fosite"
"github.com/ory-am/fosite/token/jwt"
"time"
"bytes"
"encoding/gob"
)

type JWTSessionContainer interface {
Expand Down Expand Up @@ -71,3 +73,13 @@ func (s *JWTSession) GetSubject() string {

return s.Subject
}

func (s *JWTSession) Clone() fosite.Session {
var clone JWTSession
var mod bytes.Buffer
enc := gob.NewEncoder(&mod)
dec := gob.NewDecoder(&mod)
_ = enc.Encode(s)
_ = dec.Decode(&clone)
return &clone
}
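Review bot: Both `_ = enc.Encode(s)` and `_ = dec.Decode(&clone)` discard their errors, so any gob failure makes Clone return a zero-value JWTSession that the refresh flow then installs on the new request with no way for the caller to notice the session state was lost; the same pattern is repeated verbatim in handler/openid/strategy_jwt.go and session.go in this commit. gob also reports an error for a nil pointer receiver (turning a nil session into a non-nil empty one), silently skips unexported fields, and fails on interface-typed fields whose concrete types were not registered with gob.Register — whether JWTSession has such fields is not visible in the hunk, so that is worth confirming. Because the Clone() Session signature introduced here cannot report failure, the options are to fail closed, as below, or to give the new interface method an error result while HISTORY.md already declares it a breaking change.
```go
func (s *JWTSession) Clone() fosite.Session {
	if s == nil {
		return nil
	}
	var clone JWTSession
	var mod bytes.Buffer
	if err := gob.NewEncoder(&mod).Encode(s); err != nil {
		// Failing loudly is preferable to handing the refresh flow a session
		// whose state was silently dropped.
		panic("fosite: cloning JWTSession: " + err.Error())
	}
	if err := gob.NewDecoder(&mod).Decode(&clone); err != nil {
		panic("fosite: cloning JWTSession: " + err.Error())
	}
	return &clone
}
```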
14 changes: 13 additions & 1 deletion handler/openid/strategy_jwt.go
Expand Up @@ -2,13 +2,14 @@ package openid

import (
"net/http"

"encoding/gob"
"time"

"github.com/ory-am/fosite"
"github.com/ory-am/fosite/token/jwt"
"github.com/pkg/errors"
"golang.org/x/net/context"
"bytes"
)

const defaultExpiryTime = time.Hour
Expand Down Expand Up @@ -36,6 +37,17 @@ func NewDefaultSession() *DefaultSession {
}
}

func (s *DefaultSession) Clone() fosite.Session {
var clone DefaultSession
var mod bytes.Buffer
enc := gob.NewEncoder(&mod)
dec := gob.NewDecoder(&mod)
_ = enc.Encode(s)
_ = dec.Decode(&clone)
return &clone
}


func (s *DefaultSession) SetExpiresAt(key fosite.TokenType, exp time.Time) {
if s.ExpiresAt == nil {
s.ExpiresAt = make(map[fosite.TokenType]time.Time)
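Review bot: The two consecutive blank lines after the new Clone method are not gofmt-clean (gofmt collapses them to one), and in the import hunk above `"bytes"` landed in the third-party group while `"encoding/gob"` went into the standard-library group, so goimports will reshuffle this file on the next save. The Clone body here is also a character-for-character copy of the ones in handler/oauth2/strategy_jwt_session.go and session.go; a single gob round-trip helper in package fosite would leave one place to fix when that logic changes. SetExpiresAt continues past the end of the hunk.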
19 changes: 18 additions & 1 deletion session.go
@@ -1,6 +1,10 @@
package fosite

import "time"
import (
"time"
"bytes"
"encoding/gob"
)

// Session is an interface that is used to store session data between OAuth2 requests. It can be used to look up
// when a session expires or what the subject's name was.
Expand All @@ -20,6 +24,9 @@ type Session interface {

// GetSubject returns the subject, if set. This is optional and only used during token introspection.
GetSubject() string

// Clone clones the session.
Clone() Session
}

// DefaultSession is a default implementation of the session interface.
Expand Down Expand Up @@ -61,3 +68,13 @@ func (s *DefaultSession) GetSubject() string {

return s.Subject
}

func (s *DefaultSession) Clone() Session {
var clone DefaultSession
var mod bytes.Buffer
enc := gob.NewEncoder(&mod)
dec := gob.NewDecoder(&mod)
_ = enc.Encode(s)
_ = dec.Decode(&clone)
return &clone
}
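Review bot: `// Clone clones the session.` in the Session interface hunk states nothing about the contract that custom implementations must meet, even though HISTORY.md in this commit calls the new method a breaking change for anyone with their own session struct. A comment such as `// Clone returns a deep copy of the session. Mutations of the copy must not be visible through the receiver and vice versa, so that the refresh flow can attach the copy to a new request without altering the stored one.` tells implementers what the refresh handler relies on. The Session interface declaration begins before the hunk. Relatedly, the HISTORY.md entry recommends package `gob/encoding`, while the code imports `encoding/gob`; the changelog name is the one readers will try to import. The import block in the first hunk is also not gofmt-sorted (`"time"` precedes `"bytes"`).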
