Created
August 3, 2018 15:24
Fiddle workshop snippets (exercise 7)
# Configuration table for the signed auth cookie.
#   "secret"     - HMAC-SHA256 key used to sign the cookie on the way out
#                  and to verify it on the way in. The value here is a
#                  workshop placeholder committed alongside the code.
#   "sessionTTL" - cookie lifetime in seconds; it drives both the signed
#                  "expires" field (now + TTL) and the Set-Cookie max-age.
table auth_config {
"secret": "my-super-secret-string",
"sessionTTL": "3600"
}
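# Declare some locally-scoped variables to help us with the
# processing of the authentication cookie
declare local var.authCookie STRING;
declare local var.toSign STRING;
declare local var.expectedSig STRING;
declare local var.sigOK BOOL;
declare local var.timeOK BOOL;

# Prevent these headers being sent from the untrusted client.
# They are only populated below, after the cookie has been verified,
# so the origin can treat them as authoritative.
unset req.http.User-Name;
unset req.http.User-ID;
unset req.http.User-Level;
unset req.http.User-Groups;

# If the user has sent a cookie, try to validate it
if (req.http.Cookie:auth) {
  set var.authCookie = req.http.Cookie:auth;

  # The signed payload is everything except the "sig" field, so the
  # identity fields and "expires" are all covered by the HMAC.
  set var.toSign = querystring.filter(var.authCookie, "sig");

  # Log the unsigned payload only: the full cookie is a bearer
  # credential, and writing it to logs would let anyone with log
  # access replay the session.
  log "Found an auth cookie: " var.toSign;

  set var.expectedSig = digest.hmac_sha256_base64(table.lookup(auth_config, "secret"), var.toSign);

  # The presented signature is urlencoded inside the cookie (it was
  # added with querystring.add), hence the urldecode before comparing.
  # NOTE(review): this is a plain string comparison; whether it is
  # constant-time depends on the platform — confirm if that matters here.
  set var.sigOK = (urldecode(subfield(var.authCookie, "sig", "&")) == var.expectedSig);

  # "expires" is written by the signing side with strftime "%s", i.e. a
  # Unix timestamp in seconds; the cookie is only valid while it lies
  # in the future.
  set var.timeOK = time.is_after(
    std.integer2time(std.atoi(
      subfield(var.authCookie, "expires", "&")
    )),
    now
  );

  if (var.timeOK && var.sigOK) {
    # Strip a leading "?" before reading the remaining fields
    # (presumably so the first field, "id", can be matched — the
    # signing side starts from a querystring; confirm). "sig" and
    # "expires" above are not the first field, so they are read
    # before the strip.
    set var.authCookie = regsub(var.authCookie, "^\?", "");
    set req.http.User-Name = urldecode(subfield(var.authCookie, "name", "&"));
    set req.http.User-Level = urldecode(subfield(var.authCookie, "level", "&"));
    set req.http.User-ID = urldecode(subfield(var.authCookie, "id", "&"));
    set req.http.User-Groups = urldecode(subfield(var.authCookie, "groups", "&"));
    log "Cookie is good. Adding user data to headers";
  } else {
    if (!var.timeOK) {
      log "Cookie expired at " subfield(var.authCookie, "expires", "&") " (current time: " now.sec ")";
    }
    if (!var.sigOK) {
      # Do not log the expected signature: it is the valid HMAC for a
      # client-chosen payload, so the log entry alone would be enough
      # to forge a cookie carrying that payload. The presented (bad)
      # value is harmless to record.
      log "Signature is bad, got " urldecode(subfield(var.authCookie, "sig", "&"));
    }
  }
}

# Remove the cookie header to ensure that the origin server uses
# the decoded auth headers rather than reimplementing.
# Note this drops the whole Cookie header — every cookie, not just "auth".
unset req.http.Cookie;

# If the user is not authenticated and accessing a protected URL,
# raise the synthetic 901 status that the error snippet turns into
# a redirect to the login page
if (!req.http.User-ID && req.url ~ "^/article(/.*)?$") {
  error 901;
}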
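declare local var.authCookie STRING;

# The origin signals a successful login by returning User-* headers.
# Pack them into a signed cookie and strip them from the response so
# the identity data only reaches the browser inside the signed cookie.
if (resp.http.User-ID) {
  set var.authCookie = "";
  set var.authCookie = querystring.add(var.authCookie, "id", resp.http.User-ID);
  # NOTE(review): only User-ID is checked for presence; what
  # querystring.add does with a not-set value if the origin omits one
  # of the other headers should be confirmed.
  set var.authCookie = querystring.add(var.authCookie, "name", resp.http.User-Name);
  set var.authCookie = querystring.add(var.authCookie, "level", resp.http.User-Level);
  set var.authCookie = querystring.add(var.authCookie, "groups", resp.http.User-Groups);

  # Absolute expiry as a Unix timestamp in seconds (now + sessionTTL).
  # It is part of the signed payload, so the client cannot extend it.
  set var.authCookie = querystring.add(var.authCookie, "expires", strftime({"%s"}, time.add(now, std.integer2time(std.atoi(table.lookup(auth_config, "sessionTTL"))))));
  log "Signing this string " var.authCookie;

  # Sign everything added so far; the verifying side recomputes the
  # HMAC over the cookie with "sig" filtered out.
  set var.authCookie = querystring.add(var.authCookie, "sig", digest.hmac_sha256_base64(table.lookup(auth_config, "secret"), var.authCookie));

  unset resp.http.User-ID;
  unset resp.http.User-Name;
  unset resp.http.User-Level;
  unset resp.http.User-Groups;

  # secure + httponly keep the cookie off plain HTTP and out of reach
  # of script. NOTE(review): no SameSite attribute is set; consider
  # adding one if cross-site requests should not carry this cookie.
  set resp.http.Set-Cookie = "auth=" var.authCookie "; path=/; max-age=" table.lookup(auth_config, "sessionTTL") "; secure; httponly;";
  # A response that sets a session cookie must never be served from cache.
  set resp.http.Cache-Control = "no-store, private";

  # The signed cookie is a bearer credential; the payload was already
  # logged above, so do not write the signed value to logs.
  log "Setting the auth cookie";
}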
# 901 is the synthetic status raised for an unauthenticated request to
# a protected URL; turn it into a temporary redirect to the login page.
# The original URL travels as a single urlencoded query value, so the
# login page can send the user back afterwards.
if (obj.status == 901) {
  set obj.http.Location = "/login?redir=" urlencode(req.url);
  set obj.response = "Temporary redirect";
  set obj.status = 307;
  return (deliver);
}