`440f2be`

session: thread session_epoch through middleware + login + password-change

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 6 days ago

SHA: 440f2be3c910ee17dc1bbe2e8f840d2a51bab124
Parents: 42e74ce
Tree: 433598a

8 changed files

Status	File	+	-
M	`internal/auth/session/session.go`	14	8
M	`internal/web/auth_wiring.go`	6	4
M	`internal/web/handlers/auth/auth.go`	5	0
M	`internal/web/handlers/auth/auth_test.go`	12	6
M	`internal/web/handlers/auth/password_change.go`	11	0
M	`internal/web/handlers/auth/tokens_test.go`	7	4
M	`internal/web/handlers/auth/twofactor.go`	8	0
M	`internal/web/middleware/auth.go`	25	7

internal/auth/session/session.gomodified

  	UserID       int64 `json:"uid,omitempty"`
  	Pre2FAUserID int64 `json:"p2,omitempty"` // set after password OK, before TOTP step
  	Recent2FAAt  int64 `json:"r2,omitempty"` // unix-seconds of last successful 2FA challenge
 +	// Epoch is the users.session_epoch value at issue time. The session
 +	// loader compares it against the current DB value on every request;
 +	// "log out everywhere" bumps the column, invalidating every cookie
 +	// that still carries the old epoch. Zero is the unbumped baseline
 +	// and matches the migration's column default.
 +	Epoch     int32             `json:"e,omitempty"`
  	CSRFToken string            `json:"csrf,omitempty"`
  	Theme     string            `json:"theme,omitempty"`
  	Flashes   []string          `json:"flashes,omitempty"`

internal/web/auth_wiring.gomodified


 }
 
 // usernameLookup returns the lookup function consumed by middleware.OptionalUser.
-func usernameLookup(pool *pgxpool.Pool) func(context.Context, int64) (string, error) {
+// It resolves both the username and the user's current session_epoch so the
+// auth middleware can refuse stale cookies (bumped by "log out everywhere").
+func usernameLookup(pool *pgxpool.Pool) func(context.Context, int64) (string, int32, error) {
 	q := usersdb.New()
-	return func(ctx context.Context, id int64) (string, error) {
+	return func(ctx context.Context, id int64) (string, int32, error) {
 		u, err := q.GetUserByID(ctx, pool, id)
 		if err != nil {
-			return "", err
+			return "", 0, err
 		}
-		return u.Username, nil
+		return u.Username, u.SessionEpoch, nil
 	}
 }
 

internal/web/handlers/auth/auth.gomodified

  			r.Post("/settings/emails/{id}/remove", h.settingsEmailsRemove)
  			r.Get("/settings/notifications", h.settingsNotificationsForm)
  			r.Post("/settings/notifications", h.settingsNotificationsSubmit)
 +			r.Get("/settings/sessions", h.settingsSessionsList)
 +			r.Post("/settings/sessions/logout-everywhere", h.settingsSessionsLogoutAll)
  			r.Get("/settings/keys", h.sshKeysList)
  			r.Post("/settings/keys", h.sshKeysAdd)
  			r.Post("/settings/keys/{id}/delete", h.sshKeysDelete)
  	// Session-fixation defense: bind user_id and re-issue cookie. The
  	// AEAD store re-encrypts on every Save, producing a fresh ciphertext.
 +	// Epoch snapshotting is what powers "log out everywhere": this cookie
 +	// is invalidated the moment users.session_epoch advances past it.
  	s := middleware.SessionFromContext(r.Context())
  	s.UserID = user.ID
  	s.Pre2FAUserID = 0
 +	s.Epoch = user.SessionEpoch
  	s.IssuedAt = time.Now().Unix()
  	if err := h.d.SessionStore.Save(w, r, s); err != nil {
  		h.d.Logger.ErrorContext(r.Context(), "login: save session", "error", err)

internal/web/handlers/auth/auth_test.gomodified

  	r.Use(middleware.RequestID)
  	r.Use(middleware.RealIP(middleware.RealIPConfig{}))
  	r.Use(middleware.SessionLoader(store, logger))
 -	r.Use(middleware.OptionalUser(func(ctx context.Context, id int64) (string, error) {
 -		// Cheap username lookup against the test pool — RequireUser only
 -		// checks ID == 0, but settings handlers use the username.
 +	r.Use(middleware.OptionalUser(func(ctx context.Context, id int64) (string, int32, error) {
 +		// Cheap lookup against the test pool — settings handlers use the
 +		// username, and the epoch comparison enforces log-out-everywhere
 +		// across the same suite.
  		u, err := pool.Acquire(ctx)
  		if err != nil {
 -			return "", err
 +			return "", 0, err
+ 		}
  		defer u.Release()
  		var name string
 -		err = u.QueryRow(ctx, "SELECT username FROM users WHERE id = $1", id).Scan(&name)
 -		return name, err
 +		var epoch int32
 +		err = u.QueryRow(ctx,
 +			"SELECT username, session_epoch FROM users WHERE id = $1", id,
 +		).Scan(&name, &epoch)
 +		return name, epoch, err
  	}))
  	csrf := middleware.CSRF(middleware.CSRFConfig{
  		FailureHandler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
  	apprTpl := `{{ define "page" }}<h1>Appearance</h1>{{ with .Error }}<p class=error>{{.}}</p>{{ end }}{{ with .Success }}<p class=notice>{{.}}</p>{{ end }}<form action="/settings/appearance" method=POST><input name=csrf_token value="{{.CSRFToken}}">THEME={{.CurrentTheme}};</form>{{ end }}`
  	emailsTpl := `{{ define "page" }}<h1>Emails</h1>{{ with .Error }}<p class=error>{{.}}</p>{{ end }}{{ with .Success }}<p class=notice>{{.}}</p>{{ end }}<form action="/settings/emails" method=POST><input name=csrf_token value="{{.CSRFToken}}"></form>EMAILS={{ range .Emails }}{{.ID}}:{{.Email}}:p={{.IsPrimary}}:v={{.Verified}};{{ end }}{{ end }}`
  	notifTpl := `{{ define "page" }}<h1>Notifications</h1>{{ with .Success }}<p class=notice>{{.}}</p>{{ end }}<form action="/settings/notifications" method=POST><input name=csrf_token value="{{.CSRFToken}}">CHANNELS={{ range .Channels }}{{.Key}}:e={{.Enabled}}:r={{.Required}};{{ end }}</form>{{ end }}`
 +	sessTpl := `{{ define "page" }}<h1>Sessions</h1>{{ with .Success }}<p class=notice>{{.}}</p>{{ end }}<form action="/settings/sessions/logout-everywhere" method=POST><input name=csrf_token value="{{.CSRFToken}}">UA={{.UserAgent}};</form>{{ end }}`
  	errorPage := `{{ define "page" }}<h1>{{.Status}} {{.StatusText}}</h1><p>{{.Message}}</p>{{ end }}`
  	return fstest.MapFS{
  		"_layout.html":                {Data: []byte(layout)},
  		"settings/appearance.html":    {Data: []byte(apprTpl)},
  		"settings/emails.html":        {Data: []byte(emailsTpl)},
  		"settings/notifications.html": {Data: []byte(notifTpl)},
 +		"settings/sessions.html":      {Data: []byte(sessTpl)},
  		"errors/404.html":             {Data: []byte(errorPage)},
  		"errors/403.html":             {Data: []byte(errorPage)},
  		"errors/429.html":             {Data: []byte(errorPage)},

internal/web/handlers/auth/password_change.gomodified

  		h.d.Logger.WarnContext(r.Context(), "password: audit", "error", err)
+ 	}
 +	// Sync the *current* session's epoch with the post-bump value so the
 +	// user staying on this browser doesn't get signed out by their own
 +	// password change.
 +	if epoch, err := h.q.GetUserSessionEpoch(r.Context(), h.d.Pool, user.ID); err == nil {
 +		s := middleware.SessionFromContext(r.Context())
 +		s.Epoch = epoch
 +		if err := h.d.SessionStore.Save(w, r, s); err != nil {
 +			h.d.Logger.WarnContext(r.Context(), "password: re-issue session", "error", err)
 +		}
 +	}
++
  	h.renderPasswordForm(w, r, "", "Password updated. Other sessions have been signed out.")
+ }

internal/web/handlers/auth/tokens_test.gomodified

  	r.Use(middleware.RequestID)
  	r.Use(middleware.RealIP(middleware.RealIPConfig{}))
  	r.Use(middleware.SessionLoader(store, logger))
 -	r.Use(middleware.OptionalUser(func(ctx context.Context, id int64) (string, error) {
 +	r.Use(middleware.OptionalUser(func(ctx context.Context, id int64) (string, int32, error) {
  		c, err := pool.Acquire(ctx)
  		if err != nil {
 -			return "", err
 +			return "", 0, err
+ 		}
  		defer c.Release()
  		var name string
 -		err = c.QueryRow(ctx, "SELECT username FROM users WHERE id = $1", id).Scan(&name)
 -		return name, err
 +		var epoch int32
 +		err = c.QueryRow(ctx,
 +			"SELECT username, session_epoch FROM users WHERE id = $1", id,
 +		).Scan(&name, &epoch)
 +		return name, epoch, err
  	}))
  	csrf := middleware.CSRF(middleware.CSRFConfig{
  		FailureHandler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

internal/web/handlers/auth/twofactor.gomodified

  	// Upgrade session: drop pre-2FA marker, set UserID, reissue.
  	// Recent2FAAt timestamps the just-completed challenge so the recent-
  	// auth gate (PAT creation, etc.) can verify a fresh second factor.
 +	// Epoch snapshot powers "log out everywhere".
 +	epoch, err := h.q.GetUserSessionEpoch(r.Context(), h.d.Pool, userID)
 +	if err != nil {
 +		h.d.Logger.ErrorContext(r.Context(), "2fa: load epoch", "error", err)
 +		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")
 +		return
 +	}
  	s.Pre2FAUserID = 0
  	s.UserID = userID
 +	s.Epoch = epoch
  	s.Recent2FAAt = time.Now().Unix()
  	s.IssuedAt = time.Now().Unix()
  	if err := h.d.SessionStore.Save(w, r, s); err != nil {

internal/web/middleware/auth.gomodified

  // IsAnonymous reports whether this is an unauthenticated request.
  func (u CurrentUser) IsAnonymous() bool { return u.ID == 0 }
 +// UserLookup resolves a user_id into the data the auth middleware needs.
 +// epoch is the users.session_epoch column; the middleware compares it to
 +// the session's recorded epoch on every request so "log out everywhere"
 +// (which bumps the column) invalidates stale cookies on the next hit.
 +type UserLookup func(ctx context.Context, userID int64) (username string, epoch int32, err error)
++
  // OptionalUser populates CurrentUser into context from the loaded session
  // when present. Does not redirect or reject — pages that don't need a
  // user (homepage, public repo views) just ignore an empty CurrentUser.
  //
 -// Lookup is the function that resolves a user_id to a username. Pass nil
 -// to skip the lookup (CurrentUser.Username will be empty); handlers that
 -// need the username supply Lookup.
 -func OptionalUser(lookup func(ctx context.Context, userID int64) (string, error)) func(http.Handler) http.Handler {
 +// When lookup returns successfully and the user's current session_epoch
 +// does NOT match the session's recorded epoch, the binding is skipped so
 +// the request looks anonymous. The stale cookie itself isn't actively
 +// cleared — RequireUser will redirect the next protected hit to /login,
 +// at which point a fresh session is minted with the current epoch.
 +//
 +// Pass nil to skip the lookup entirely (CurrentUser.Username will be
 +// empty and epoch checks are bypassed).
 +func OptionalUser(lookup UserLookup) func(http.Handler) http.Handler {
  	return func(next http.Handler) http.Handler {
  		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
  			ctx := r.Context()
  			s := SessionFromContext(ctx)
  			if s.UserID != 0 {
  				u := CurrentUser{ID: s.UserID}
 +				bind := true
  				if lookup != nil {
 -					if name, err := lookup(ctx, s.UserID); err == nil {
 +					if name, epoch, err := lookup(ctx, s.UserID); err == nil {
 +						if epoch != s.Epoch {
 +							bind = false
 +						} else {
  							u.Username = name
+ 						}
+ 					}
 +				}
 +				if bind {
  					ctx = context.WithValue(ctx, currentUserKey, u)
+ 				}
 +			}
  			next.ServeHTTP(w, r.WithContext(ctx))
  		})
+ 	}

`@@ -42,14 +42,16 @@` func buildAPIHandlers(pool pgxpool.Pool) (apih.Handlers, error) {
42	42	}
43	43
44	44	// usernameLookup returns the lookup function consumed by middleware.OptionalUser.
45		-func usernameLookup(pool *pgxpool.Pool) func(context.Context, int64) (string, error) {
	45	+// It resolves both the username and the user's current session_epoch so the
	46	+// auth middleware can refuse stale cookies (bumped by "log out everywhere").
	47	+func usernameLookup(pool *pgxpool.Pool) func(context.Context, int64) (string, int32, error) {
46	48	q := usersdb.New()
47		- return func(ctx context.Context, id int64) (string, error) {
	49	+ return func(ctx context.Context, id int64) (string, int32, error) {
48	50	u, err := q.GetUserByID(ctx, pool, id)
49	51	if err != nil {
50		- return "", err
	52	+ return "", 0, err
51	53	}
52		- return u.Username, nil
	54	+ return u.Username, u.SessionEpoch, nil
53	55	}
54	56	}
55	57