writefreely/session.go

/*
 * Copyright © 2018-2019 Musing Studio LLC.
 *
 * This file is part of WriteFreely.
 *
 * WriteFreely is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License, included
 * in the LICENSE file in this source code package.
 */

package writefreely

import (
	"encoding/gob"
	"github.com/gorilla/sessions"
	"github.com/writeas/web-core/log"
	"net/http"
	"strings"
)

const (
	day           = 86400
	sessionLength = 180 * day

	userEmailCookieName = "ue"
	userEmailCookieVal  = "email"

	cookieName    = "wfu"
	cookieUserVal = "u"

	blogPassCookieName = "ub"
)

// InitSession creates the cookie store. It depends on the keychain already
// being loaded.
func (app *App) InitSession() {
	// Register complex data types we'll be storing in cookies
	gob.Register(&User{})

	// Create the cookie store
	store := sessions.NewCookieStore(app.keys.CookieAuthKey, app.keys.CookieKey)
	store.Options = &sessions.Options{
		Path:     "/",
		MaxAge:   sessionLength,
		HttpOnly: true,
		Secure:   strings.HasPrefix(app.cfg.App.Host, "https://"),
	}
	if store.Options.Secure {
		store.Options.SameSite = http.SameSiteNoneMode
	}
	app.sessionStore = store
}

func getSessionFlashes(app *App, w http.ResponseWriter, r *http.Request, session *sessions.Session) ([]string, error) {
	var err error
	if session == nil {
		session, err = app.sessionStore.Get(r, cookieName)
		if err != nil {
			return nil, err
		}
	}

	f := []string{}
	if flashes := session.Flashes(); len(flashes) > 0 {
		for _, flash := range flashes {
			if str, ok := flash.(string); ok {
				f = append(f, str)
			}
		}
	}
	saveUserSession(app, r, w)

	return f, nil
}

func addSessionFlash(app *App, w http.ResponseWriter, r *http.Request, m string, session *sessions.Session) error {
	var err error
	if session == nil {
		session, err = app.sessionStore.Get(r, cookieName)
	}

	if err != nil {
		log.Error("Unable to add flash '%s': %v", m, err)
		return err
	}

	session.AddFlash(m)
	saveUserSession(app, r, w)
	return nil
}

func getUserAndSession(app *App, r *http.Request) (*User, *sessions.Session) {
	session, err := app.sessionStore.Get(r, cookieName)
	if err == nil {
		// Got the currently logged-in user
		val := session.Values[cookieUserVal]
		var u = &User{}
		var ok bool
		if u, ok = val.(*User); ok {
			return u, session
		}
	}

	return nil, nil
}

func getUserSession(app *App, r *http.Request) *User {
	u, _ := getUserAndSession(app, r)
	return u
}

func saveUserSession(app *App, r *http.Request, w http.ResponseWriter) error {
	session, err := app.sessionStore.Get(r, cookieName)
	if err != nil {
		return ErrInternalCookieSession
	}

	// Extend the session
	session.Options.MaxAge = int(sessionLength)

	// Remove any information that accidentally got added
	// FIXME: find where Plan information is getting saved to cookie.
	val := session.Values[cookieUserVal]
	var u = &User{}
	var ok bool
	if u, ok = val.(*User); ok {
		session.Values[cookieUserVal] = u.Cookie()
	}

	err = session.Save(r, w)
	if err != nil {
		log.Error("Couldn't saveUserSession: %v", err)
	}
	return err
}

func getFullUserSession(app *App, r *http.Request) (*User, error) {
	u := getUserSession(app, r)
	if u == nil {
		return nil, nil
	}

	var err error
	u, err = app.db.GetUserByID(u.ID)
	return u, err
}
Add copyright / license notices to .go files 2018-12-24 18:45:15 +01:00			`/*`
Change copyright notices to Musing Studio LLC A Bunch Tell is now Musing Studio. 2022-11-11 05:49:16 +01:00			`* Copyright © 2018-2019 Musing Studio LLC.`
Add copyright / license notices to .go files 2018-12-24 18:45:15 +01:00			`*`
			`* This file is part of WriteFreely.`
			`*`
			`* WriteFreely is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU Affero General Public License, included`
			`* in the LICENSE file in this source code package.`
			`*/`
Fix spacing around copyright notices 2018-12-31 07:05:26 +01:00
Add web session management 2018-10-17 02:30:38 +02:00			`package writefreely`

			`import (`
			`"encoding/gob"`
			`"github.com/gorilla/sessions"`
			`"github.com/writeas/web-core/log"`
			`"net/http"`
			`"strings"`
			`)`

			`const (`
			`day = 86400`
			`sessionLength = 180 * day`
Support email subscriptions (base) This adds beginning email subscription functionality, with only MySQL support, Mailgun support, and incomplete support for private instances. It includes database changes, so run: writefreely db migrate to use this feature. Ref T856 2021-06-22 00:24:40 +02:00
			`userEmailCookieName = "ue"`
			`userEmailCookieVal = "email"`

Add web session management 2018-10-17 02:30:38 +02:00			`cookieName = "wfu"`
			`cookieUserVal = "u"`
Add collection handlers, routes, feeds, sitemaps 2018-11-08 07:19:03 +01:00
			`blogPassCookieName = "ub"`
Add web session management 2018-10-17 02:30:38 +02:00			`)`

Break functionality out of Serve() func - Adds a new interface, Apper, that enables loading and persisting instance-level data in new ways - Converts some initialization funcs to methods - Exports funcs and methods needed for intialization - In general, moves a ton of stuff around Overall, this should maintain all existing functionality, but with the ability to now better manage a WF instance. Ref T613 2019-06-14 00:50:23 +02:00			`// InitSession creates the cookie store. It depends on the keychain already`
Add web session management 2018-10-17 02:30:38 +02:00			`// being loaded.`
Break functionality out of Serve() func - Adds a new interface, Apper, that enables loading and persisting instance-level data in new ways - Converts some initialization funcs to methods - Exports funcs and methods needed for intialization - In general, moves a ton of stuff around Overall, this should maintain all existing functionality, but with the ability to now better manage a WF instance. Ref T613 2019-06-14 00:50:23 +02:00			`func (app *App) InitSession() {`
Add web session management 2018-10-17 02:30:38 +02:00			`// Register complex data types we'll be storing in cookies`
			`gob.Register(&User{})`

			`// Create the cookie store`
Move key generation and Keychain to key pkg Ref T613 2019-06-13 16:14:35 +02:00			`store := sessions.NewCookieStore(app.keys.CookieAuthKey, app.keys.CookieKey)`
Add web session management 2018-10-17 02:30:38 +02:00			`store.Options = &sessions.Options{`
			`Path: "/",`
			`MaxAge: sessionLength,`
			`HttpOnly: true,`
Move Host config value from Server -> App 2018-10-27 23:02:40 +02:00			`Secure: strings.HasPrefix(app.cfg.App.Host, "https://"),`
Only use SameSite=None on Secure site This fixes logging in when developing on newer versions of Chrome. 2021-04-30 17:03:42 +02:00			`}`
			`if store.Options.Secure {`
			`store.Options.SameSite = http.SameSiteNoneMode`
Add web session management 2018-10-17 02:30:38 +02:00			`}`
Break functionality out of Serve() func - Adds a new interface, Apper, that enables loading and persisting instance-level data in new ways - Converts some initialization funcs to methods - Exports funcs and methods needed for intialization - In general, moves a ton of stuff around Overall, this should maintain all existing functionality, but with the ability to now better manage a WF instance. Ref T613 2019-06-14 00:50:23 +02:00			`app.sessionStore = store`
Add web session management 2018-10-17 02:30:38 +02:00			`}`

Make App struct public 2019-05-12 22:55:30 +02:00			`func getSessionFlashes(app App, w http.ResponseWriter, r http.Request, session *sessions.Session) ([]string, error) {`
Add web session management 2018-10-17 02:30:38 +02:00			`var err error`
			`if session == nil {`
			`session, err = app.sessionStore.Get(r, cookieName)`
			`if err != nil {`
			`return nil, err`
			`}`
			`}`

			`f := []string{}`
			`if flashes := session.Flashes(); len(flashes) > 0 {`
			`for _, flash := range flashes {`
			`if str, ok := flash.(string); ok {`
			`f = append(f, str)`
			`}`
			`}`
			`}`
			`saveUserSession(app, r, w)`

			`return f, nil`
			`}`

Make App struct public 2019-05-12 22:55:30 +02:00			`func addSessionFlash(app App, w http.ResponseWriter, r http.Request, m string, session *sessions.Session) error {`
Add web session management 2018-10-17 02:30:38 +02:00			`var err error`
			`if session == nil {`
			`session, err = app.sessionStore.Get(r, cookieName)`
			`}`

			`if err != nil {`
			`log.Error("Unable to add flash '%s': %v", m, err)`
			`return err`
			`}`

			`session.AddFlash(m)`
			`saveUserSession(app, r, w)`
			`return nil`
			`}`

Make App struct public 2019-05-12 22:55:30 +02:00			`func getUserAndSession(app App, r http.Request) (User, sessions.Session) {`
Add web session management 2018-10-17 02:30:38 +02:00			`session, err := app.sessionStore.Get(r, cookieName)`
			`if err == nil {`
			`// Got the currently logged-in user`
			`val := session.Values[cookieUserVal]`
			`var u = &User{}`
			`var ok bool`
			`if u, ok = val.(*User); ok {`
			`return u, session`
			`}`
			`}`

			`return nil, nil`
			`}`

Make App struct public 2019-05-12 22:55:30 +02:00			`func getUserSession(app App, r http.Request) *User {`
Add web session management 2018-10-17 02:30:38 +02:00			`u, _ := getUserAndSession(app, r)`
			`return u`
			`}`

Make App struct public 2019-05-12 22:55:30 +02:00			`func saveUserSession(app App, r http.Request, w http.ResponseWriter) error {`
Add web session management 2018-10-17 02:30:38 +02:00			`session, err := app.sessionStore.Get(r, cookieName)`
			`if err != nil {`
			`return ErrInternalCookieSession`
			`}`

			`// Extend the session`
			`session.Options.MaxAge = int(sessionLength)`

			`// Remove any information that accidentally got added`
			`// FIXME: find where Plan information is getting saved to cookie.`
			`val := session.Values[cookieUserVal]`
			`var u = &User{}`
			`var ok bool`
			`if u, ok = val.(*User); ok {`
			`session.Values[cookieUserVal] = u.Cookie()`
			`}`

			`err = session.Save(r, w)`
			`if err != nil {`
			`log.Error("Couldn't saveUserSession: %v", err)`
			`}`
			`return err`
			`}`

Log user out when authenticated as deleted user Now when we check for the user at certain times and find that the user doesn't exist in the database, we log them out and send them back to the home page. 2021-06-27 23:57:07 +02:00			`func getFullUserSession(app App, r http.Request) (*User, error) {`
Add web session management 2018-10-17 02:30:38 +02:00			`u := getUserSession(app, r)`
			`if u == nil {`
Log user out when authenticated as deleted user Now when we check for the user at certain times and find that the user doesn't exist in the database, we log them out and send them back to the home page. 2021-06-27 23:57:07 +02:00			`return nil, nil`
Add web session management 2018-10-17 02:30:38 +02:00			`}`

Log user out when authenticated as deleted user Now when we check for the user at certain times and find that the user doesn't exist in the database, we log them out and send them back to the home page. 2021-06-27 23:57:07 +02:00			`var err error`
			`u, err = app.db.GetUserByID(u.ID)`
			`return u, err`
Add web session management 2018-10-17 02:30:38 +02:00			`}`