Fastly Fiddle workshop snippets (exercise 7): a signed "auth" cookie that is verified in vcl_recv, minted in vcl_deliver and enforced with a synthetic 901 → 307 redirect in vcl_error.
# Configuration for the signed auth cookie.
#   "secret"     - HMAC-SHA256 key used to sign and verify the cookie.
#   "sessionTTL" - cookie lifetime in seconds; used both for the Set-Cookie
#                  max-age and for the signed "expires" field.
# NOTE(review): a signing key committed in VCL is a workshop shortcut. In
# production keep it in a private (write-only) edge dictionary and rotate
# it: anyone who can read this configuration can mint valid cookies.
table auth_config {
"secret": "my-super-secret-string",
"sessionTTL": "3600"
}
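# vcl_recv: validate the signed "auth" cookie and translate it into the
# User-* request headers the origin trusts.
#
# Cookie format (produced by the vcl_deliver snippet): a querystring-shaped
# value "?id=..&name=..&level=..&groups=..&expires=<epoch>&sig=<hmac>" where
# sig = base64(HMAC-SHA256(secret, value-with-sig-removed)).
declare local var.authCookie STRING;
declare local var.toSign STRING;
declare local var.expectedSig STRING;
declare local var.sigOK BOOL;
declare local var.timeOK BOOL;

# The origin trusts these headers, so the client must never be able to
# supply them. Strip them unconditionally; they are only re-set below
# after the signature and expiry have been verified.
unset req.http.User-Name;
unset req.http.User-ID;
unset req.http.User-Level;
unset req.http.User-Groups;

if (req.http.Cookie:auth) {
  set var.authCookie = req.http.Cookie:auth;
  # Do not log the raw cookie value: it is a bearer credential.
  log "Found an auth cookie";

  # Recompute the signature over everything except the "sig" field.
  set var.toSign = querystring.filter(var.authCookie, "sig");
  set var.expectedSig = digest.hmac_sha256_base64(table.lookup(auth_config, "secret"), var.toSign);

  # Constant-time comparison. A plain "==" short-circuits on the first
  # differing byte and leaks how much of a guessed signature is correct.
  set var.sigOK = digest.secure_is_equal(
    urldecode(subfield(var.authCookie, "sig", "&")),
    var.expectedSig
  );

  # "expires" is inside the signed portion, so the client cannot extend it.
  # A missing or non-numeric value should parse as 0 (1970) and fail closed.
  set var.timeOK = time.is_after(
    std.integer2time(std.atoi(subfield(var.authCookie, "expires", "&"))),
    now
  );

  if (var.timeOK && var.sigOK) {
    # Drop the leading "?" so the first field ("id") is reachable by subfield.
    set var.authCookie = regsub(var.authCookie, "^\?", "");
    set req.http.User-Name = urldecode(subfield(var.authCookie, "name", "&"));
    set req.http.User-Level = urldecode(subfield(var.authCookie, "level", "&"));
    set req.http.User-ID = urldecode(subfield(var.authCookie, "id", "&"));
    set req.http.User-Groups = urldecode(subfield(var.authCookie, "groups", "&"));
    log "Cookie is good. Adding user data to headers";
  } else {
    if (!var.timeOK) {
      log "Cookie expired at " subfield(var.authCookie, "expires", "&") " (current time: " now.sec ")";
    }
    if (!var.sigOK) {
      # Never log the expected signature: it is a valid HMAC over
      # attacker-chosen content, so a log reader could mint cookies from it.
      log "Signature is bad";
    }
  }
}

# Strip the cookie so the origin relies on the verified headers rather than
# re-parsing (and possibly mis-verifying) the cookie itself.
unset req.http.Cookie;

# Unauthenticated request for a protected URL: raise a synthetic 901 that
# vcl_error turns into a redirect to the login page.
# Match on the path only: req.url includes the query string, so matching
# "^/article(/.*)?$" against req.url would let "/article?x=1" through.
if (!req.http.User-ID && req.url.path ~ "^/article(/.*)?$") {
  error 901;
}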
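# vcl_deliver: when the origin authenticated the user (signalled via User-*
# response headers), mint a signed "auth" cookie for the client and strip
# those headers before the response leaves the edge.
#
# NOTE(review): vcl_deliver also runs on cache hits. If an origin response
# carrying User-* headers were ever cached, every later client would be
# issued that user's cookie. Ensure login responses are marked uncacheable
# by the origin (or passed in vcl_fetch) — not visible in this snippet.
declare local var.authCookie STRING;

if (resp.http.User-ID) {
  # Build the value as a querystring. Field order matters: vcl_recv verifies
  # the signature over this exact string with only "sig" filtered out.
  set var.authCookie = "";
  set var.authCookie = querystring.add(var.authCookie, "id", resp.http.User-ID);
  set var.authCookie = querystring.add(var.authCookie, "name", resp.http.User-Name);
  set var.authCookie = querystring.add(var.authCookie, "level", resp.http.User-Level);
  set var.authCookie = querystring.add(var.authCookie, "groups", resp.http.User-Groups);
  # Absolute expiry (epoch seconds) goes inside the signed portion so the
  # client cannot extend the session by editing it.
  set var.authCookie = querystring.add(var.authCookie, "expires", strftime({"%s"}, time.add(now, std.integer2time(std.atoi(table.lookup(auth_config, "sessionTTL"))))));
  log "Signing this string " var.authCookie;
  set var.authCookie = querystring.add(var.authCookie, "sig", digest.hmac_sha256_base64(table.lookup(auth_config, "secret"), var.authCookie));

  # These headers are an origin-to-edge channel only; never expose them.
  unset resp.http.User-ID;
  unset resp.http.User-Name;
  unset resp.http.User-Level;
  unset resp.http.User-Groups;

  # secure + httponly keep the token off plaintext HTTP and out of script.
  # SameSite=Lax keeps it off cross-site subrequests (CSRF surface) while
  # still allowing the top-level navigation back from /login.
  set resp.http.Set-Cookie = "auth=" var.authCookie "; path=/; max-age=" table.lookup(auth_config, "sessionTTL") "; secure; httponly; SameSite=Lax";
  # A response that issues a credential must never be stored by any cache.
  set resp.http.Cache-Control = "no-store, private";
  # Do not log the signed cookie: it is the bearer credential itself.
  log "Auth cookie set";
}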
# vcl_error: turn the synthetic 901 raised in vcl_recv into a redirect to
# the login page, carrying the originally requested URL so the user can be
# sent back after signing in.
if (obj.status == 901) {
  # In this exercise 901 is only raised for URLs matching "^/article", so the
  # redir value is always a same-origin path, never a "//host" URL.
  set obj.http.Location = "/login?redir=" urlencode(req.url);
  set obj.status = 307;
  set obj.response = "Temporary redirect";
  return (deliver);
}