now with session store

.github/workflows/ci.yaml

@@ -8,8 +8,7 @@ on:
 
 jobs:
   build:
-    # runs-on: shelmangroup-default
-    runs-on: ubuntu-latest
+    runs-on: shelmangroup-default
     steps:
       - uses: actions/checkout@v4
       - uses: cachix/install-nix-action@v22

.github/workflows/release.yaml

@@ -5,10 +5,14 @@ on:
       - "v*"
 jobs:
   goreleaser:
-    # runs-on: shelmangroup-default
-    runs-on: ubuntu-latest
+    runs-on: shelmangroup-default
     steps:
       - uses: actions/checkout@v4
+        with:
+          sparse-checkout: |
+            flake.lock
+            flake.nix
+            .envrc
 
       - uses: cachix/install-nix-action@v22
         with:
@@ -17,6 +21,8 @@ jobs:
         with:
           use_nix_profile: true
 
+      - uses: actions/checkout@v4
+
       - name: Log in to the Container registry
         uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
         with:

README.md

@@ -12,7 +12,6 @@ Some of the features it provides:
 
 - Session management
 
-  - Server is stateless, all state is stored encrypted in client cookie data
   - Refreshes expired tokens automatically
 
 - Open Policy Agent chaining request.

authz/authz.go

@@ -27,6 +27,7 @@ import (
 
 	pb "github.com/shelmangroup/envoy-oidc-authserver/internal/gen/session/v1"
 	"github.com/shelmangroup/envoy-oidc-authserver/session"
+	"github.com/shelmangroup/envoy-oidc-authserver/store"
 )
 
 const ServiceName = "envoy-authz"
@@ -36,6 +37,7 @@ type Service struct {
 
 	cfg        *Config
 	secretKey  []byte
+	store      *store.Store
 	authClient authv3connect.AuthorizationClient
 }
 
@@ -66,6 +68,7 @@ func NewService(cfg *Config, opaURL, secretKey string) *Service {
 	return &Service{
 		cfg:        cfg,
 		authClient: c,
+		store:      store.NewStore(),
 		secretKey:  []byte(secretKey),
 	}
 }
@@ -157,7 +160,7 @@ func (s *Service) authProcess(ctx context.Context, req *auth.AttributeContext_Ht
 
 	// If the request is for the callback URI, then we need to exchange the code for tokens
 	if strings.HasPrefix(requestedURL, provider.CallbackURI+"?") && sessionData.AccessToken == "" {
-		headers, err := s.retriveTokens(ctx, provider, sessionData, requestedURL, sessionCookieName, sessionId)
+		err := s.retriveTokens(ctx, provider, sessionData, requestedURL, sessionCookieName, sessionId)
 		if err != nil {
 			return nil, err
 		}
@@ -167,7 +170,7 @@ func (s *Service) authProcess(ctx context.Context, req *auth.AttributeContext_Ht
 		return s.authResponse(false, envoy_type.StatusCode_Found, headers, nil, "redirect to requested url"), nil
 	}
 
-	respHeaders, err := s.validateTokens(ctx, provider, sessionData, sessionCookieName, sessionId)
+	err := s.validateTokens(ctx, provider, sessionData, sessionCookieName, sessionId)
 	if err != nil {
 		slog.Warn("couldn't validating tokens", slog.String("err", err.Error()))
 		headers, err := s.newSession(ctx, sourceIP, requestedURL, sessionCookieName, provider)
@@ -179,19 +182,17 @@ func (s *Service) authProcess(ctx context.Context, req *auth.AttributeContext_Ht
 
 	slog.Debug("setting authorization header to upstream request", slog.String("session_id", sessionId))
 	headers = append(headers, s.setAuthorizationHeader(sessionData.IdToken))
-	return s.authResponse(true, envoy_type.StatusCode_OK, headers, respHeaders, "success"), nil
+	return s.authResponse(true, envoy_type.StatusCode_OK, headers, nil, "success"), nil
 }
 
-func (s *Service) retriveTokens(ctx context.Context, provider *OIDCProvider, sessionData *pb.SessionData, requestedURL, sessionCookieName, sessionId string) ([]*core.HeaderValueOption, error) {
-	headers := []*core.HeaderValueOption{}
-
+func (s *Service) retriveTokens(ctx context.Context, provider *OIDCProvider, sessionData *pb.SessionData, requestedURL, sessionCookieName, sessionId string) error {
 	code, err := s.getCodeQueryParam(requestedURL)
 	if err != nil {
-		return nil, err
+		return err
 	}
 	tokens, err := provider.p.RetriveTokens(ctx, code, sessionData.CodeVerifier)
 	if err != nil {
-		return nil, err
+		return err
 	}
 
 	// Copy the tokens into the session data
@@ -200,45 +201,39 @@ func (s *Service) retriveTokens(ctx context.Context, provider *OIDCProvider, ses
 	sessionData.IdToken = tokens.IDToken
 	sessionData.Expiry = timestamppb.New(tokens.Expiry)
 
-	slog.Debug("successfully acquried tokens, now storing it to session cookie", slog.String("expire", tokens.Expiry.String()))
+	// slog.Debug("successfully acquried tokens, now storing it to session cookie", slog.Any("sessionData", sessionData))
 
 	enc, err := session.EncodeToken(ctx, [32]byte(s.secretKey), sessionData)
 	if err != nil {
 		slog.Error("error encrypting session data", slog.String("err", err.Error()))
-		return nil, err
+		return err
 	}
 	slog.Debug("Encrypted SessionData", slog.Int("byte_len", len(enc)))
 
-	cookie := &http.Cookie{
-		Name:     sessionCookieName,
-		Value:    sessionId + "." + enc,
-		Path:     "/",
-		HttpOnly: true,
-		Secure:   provider.SecureCookie,
-		SameSite: http.SameSiteLaxMode,
+	// store session data in cache
+	if err := s.store.Set(ctx, sessionId, enc); err != nil {
+		return err
 	}
-	headers = append(headers, s.setCookie(cookie)...)
-	return headers, nil
+
+	return nil
 }
 
 // Validates and poteintially refreshes the token
-func (s *Service) validateTokens(ctx context.Context, provider *OIDCProvider, d *pb.SessionData, sessionCookieName, sessionId string) ([]*core.HeaderValueOption, error) {
-	headers := []*core.HeaderValueOption{}
-
+func (s *Service) validateTokens(ctx context.Context, provider *OIDCProvider, d *pb.SessionData, sessionCookieName, sessionId string) error {
 	expired, err := provider.p.VerifyTokens(ctx, d.AccessToken, d.IdToken)
 	if err != nil {
-		return nil, err
+		return err
 	}
 	if !expired {
-		return nil, nil
+		return nil
 	}
 
 	if expired && d.RefreshToken == "" {
-		return nil, errors.New("token expired and no refresh token found, add scope=offline_access to the auth request to get a refresh token")
+		return errors.New("token expired and no refresh token found, add scope=offline_access to the auth request to get a refresh token")
 	}
 	t, err := provider.p.RefreshTokens(ctx, d.RefreshToken, d.AccessToken)
 	if err != nil {
-		return nil, err
+		return err
 	}
 
 	d.RefreshToken = t.RefreshToken
@@ -250,20 +245,14 @@ func (s *Service) validateTokens(ctx context.Context, provider *OIDCProvider, d
 	enc, err := session.EncodeToken(ctx, [32]byte(s.secretKey), d)
 	if err != nil {
 		slog.Error("error encrypting session data", slog.String("err", err.Error()))
-		return nil, err
+		return err
 	}
 
-	cookie := &http.Cookie{
-		Name:     sessionCookieName,
-		Value:    sessionId + "." + enc,
-		Path:     "/",
-		HttpOnly: true,
-		Secure:   provider.SecureCookie,
-		SameSite: http.SameSiteLaxMode,
+	if err := s.store.Set(ctx, sessionId, enc); err != nil {
+		return err
 	}
-	headers = append(headers, s.setCookie(cookie)...)
 
-	return headers, nil
+	return nil
 }
 
 func (s *Service) newSession(ctx context.Context, sourceIP, requestedURL, sessionCookieName string, provider *OIDCProvider) ([]*core.HeaderValueOption, error) {
@@ -283,14 +272,18 @@ func (s *Service) newSession(ctx context.Context, sourceIP, requestedURL, sessio
 	if err != nil {
 		return nil, err
 	}
-	slog.Debug("NewSession Encrypted SessionData", slog.Int("byte_len", len(enc)), slog.String("encrypted", enc))
+
+	// store session data in cache
+	if err := s.store.Set(ctx, sessionCookieToken, enc); err != nil {
+		return nil, err
+	}
 
 	idpAuthURL := provider.p.IdpAuthURL(sessionData.CodeChallenge)
 	headers = append(headers, s.setRedirectHeader(idpAuthURL))
 	// set cookie with session id and redirect to Idp
 	cookie := &http.Cookie{
 		Name:     sessionCookieName,
-		Value:    sessionCookieToken + "." + enc,
+		Value:    sessionCookieToken,
 		Path:     "/",
 		HttpOnly: true,
 		Secure:   provider.SecureCookie,
@@ -318,28 +311,28 @@ func (s *Service) getSessionCookieData(ctx context.Context, req *auth.AttributeC
 		return nil, ""
 	}
 
-	// Split cookie value with . delimeter
-	cookieValues := strings.Split(cookie.Value, ".")
-	if len(cookieValues) != 2 {
-		slog.Error("cookie values != 2", slog.Int("values_len", len(cookieValues)))
+	sessionId := cookie.Value
+	slog.Debug("client source ip", slog.String("session_id", sessionId), slog.String("ip", sourceIP))
+
+	d, err := s.store.Cache.Get(ctx, sessionId)
+	if err != nil {
+		slog.Error("error getting session data from cache", slog.String("err", err.Error()))
 		return nil, ""
 	}
 
-	slog.Debug("client source ip", slog.String("session_id", cookieValues[0]), slog.String("ip", sourceIP))
-
-	sessionData, err := session.DecodeToken(ctx, [32]byte(s.secretKey), cookieValues[1])
+	sessionData, err = session.DecodeToken(ctx, [32]byte(s.secretKey), d)
 	if err != nil {
 		slog.Error("error decrypt session data", slog.String("err", err.Error()))
 		return nil, ""
 	}
-	slog.Debug("getting session data from session cookie", slog.String("session_id", cookieValues[0]), slog.String("session_data_expiry", sessionData.Expiry.AsTime().String()))
+	slog.Debug("getting session data from session cookie", slog.String("session_id", sessionId), slog.String("session_data_expiry", sessionData.Expiry.AsTime().String()))
 
 	if sessionData.SourceIp != sourceIP {
-		slog.Warn("source ip missmatch, re-auth needed!", slog.String("session_id", cookieValues[0]), slog.String("session_ip", sessionData.SourceIp), slog.String("req_ip", sourceIP))
+		slog.Warn("source ip missmatch, re-auth needed!", slog.String("session_id", sessionId), slog.String("session_ip", sessionData.SourceIp), slog.String("req_ip", sourceIP))
 		return nil, ""
 	}
 
-	return sessionData, cookieValues[0]
+	return sessionData, sessionId
 }
 
 // parse cookie header string into []*http.Cookie struct
@@ -439,11 +432,11 @@ func (s *Service) authResponse(success bool, httpStatusCode envoy_type.StatusCod
 func realIP(headers map[string]string) string {
 	var ip string
 
-	var trueClientIP = "true-client-ip"
+	var envoyExternalAddress = "x-envoy-external-address"
 	var xForwardedFor = "x-forwarded-for"
 	var xRealIP = "x-real-ip"
 
-	if tcip, ok := headers[trueClientIP]; ok {
+	if tcip, ok := headers[envoyExternalAddress]; ok {
 		ip = tcip
 	} else if xrip, ok := headers[xRealIP]; ok {
 		ip = xrip

authz/authz_test.go

@@ -13,6 +13,7 @@ import (
 	envoy_type "buf.build/gen/go/envoyproxy/envoy/protocolbuffers/go/envoy/type/v3"
 
 	"github.com/shelmangroup/envoy-oidc-authserver/oidc"
+	"github.com/shelmangroup/envoy-oidc-authserver/store"
 )
 
 func initializeMock(cfg *Config) (*Config, error) {
@@ -53,7 +54,7 @@ func TestCheckServiceAuthFlow(t *testing.T) {
 	require.NoError(t, err, "init cfg should not have failed")
 
 	secretKey := []byte("G_TdvPJ9T8C4p&A?Wr3YAUYW$*9vn4?t")
-	authz := Service{cfg: testCfg, secretKey: secretKey}
+	authz := Service{cfg: testCfg, store: store.NewStore(), secretKey: secretKey}
 
 	//1. Check Authorization response without callback and no cookie req.
 	initialRequestedURL := "http://foo.bar/"
@@ -102,10 +103,9 @@ func TestCheckServiceAuthFlow(t *testing.T) {
 	resp, err = authz.Check(context.TODO(), cookieReq)
 	require.NoError(t, err, "check with callback should not have failed")
 	assert.Equal(t, int32(rpc.PERMISSION_DENIED), resp.Msg.Status.Code)
-	assert.Equal(t, initialRequestedURL, resp.Msg.GetDeniedResponse().GetHeaders()[4].GetHeader().GetValue())
+	assert.Equal(t, initialRequestedURL, resp.Msg.GetDeniedResponse().GetHeaders()[0].GetHeader().GetValue())
 
 	//3. Success with Auth header set
-	authCookie := resp.Msg.GetDeniedResponse().GetHeaders()[3].GetHeader().GetValue()
 	successReq := connect.NewRequest(
 		&auth.CheckRequest{
 			Attributes: &auth.AttributeContext{
@@ -116,7 +116,7 @@ func TestCheckServiceAuthFlow(t *testing.T) {
 						Path:   "/",
 						Headers: map[string]string{
 							":authority": "foo.bar",
-							"cookie":     authCookie,
+							"cookie":     cookie,
 						},
 					},
 				},

go.mod

@@ -9,8 +9,10 @@ require (
 	connectrpc.com/grpchealth v1.3.0
 	connectrpc.com/grpcreflect v1.2.0
 	connectrpc.com/otelconnect v0.6.0
+	github.com/eko/gocache/lib/v4 v4.1.5
 	github.com/gogo/googleapis v1.4.1
 	github.com/google/uuid v1.5.0
+	github.com/grokify/go-pkce v0.2.3
 	github.com/peterbourgon/ff/v3 v3.4.0
 	github.com/stretchr/testify v1.8.4
 	github.com/zitadel/oidc/v3 v3.8.1
@@ -26,19 +28,31 @@ require (
 	google.golang.org/grpc v1.60.1
 )
 
+require (
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/golang/mock v1.6.0 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/prometheus/client_golang v1.14.0 // indirect
+	github.com/prometheus/client_model v0.3.0 // indirect
+	github.com/prometheus/common v0.37.0 // indirect
+	github.com/prometheus/procfs v0.8.0 // indirect
+)
+
 require (
 	buf.build/gen/go/cncf/xds/protocolbuffers/go v1.32.0-20231212190141-23263dcfaa96.1 // indirect
 	buf.build/gen/go/envoyproxy/protoc-gen-validate/protocolbuffers/go v1.32.0-20231130202533-71881f09a0c5.1 // indirect
+	github.com/allegro/bigcache v1.2.1
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/eko/gocache/store/bigcache/v4 v4.2.1
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.1 // indirect
 	github.com/go-logr/logr v1.3.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/gorilla/securecookie v1.1.2 // indirect
-	github.com/grokify/go-pkce v0.2.3
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect
 	github.com/lmittmann/tint v1.0.3
 	github.com/mattn/go-isatty v0.0.20