triblondon/1. INIT

## 1. INIT
table auth_config {
  "secret": "my-super-secret-string",
  "sessionTTL": "3600"
}

## 2. RECV
# Declare some locally-scoped variables to help us with the
# processing of the authentication cookie
declare local var.authCookie STRING;
declare local var.toSign STRING;
declare local var.expectedSig STRING;
declare local var.sigOK BOOL;
declare local var.timeOK BOOL;

# Prevent these headers being sent from the untrusted client
unset req.http.User-Name;
unset req.http.User-ID;
unset req.http.User-Level;
unset req.http.User-Groups;

# If the user has sent a cookie, try to validate it
if (req.http.Cookie:auth) {
  set var.authCookie = req.http.Cookie:auth;
  log "Found an auth cookie: " var.authCookie;

  set var.toSign = querystring.filter(var.authCookie, "sig");
  set var.expectedSig = digest.hmac_sha256_base64(table.lookup(auth_config, "secret"), var.toSign);
  set var.sigOK = (urldecode(subfield(var.authCookie, "sig", "&")) == var.expectedSig);

  set var.timeOK = time.is_after(
    std.integer2time(std.atoi(
      subfield(var.authCookie, "expires", "&")
    )),
    now
  );

  if (var.timeOK && var.sigOK) {
    set var.authCookie = regsub(var.authCookie, "^\?", "");
    set req.http.User-Name = urldecode(subfield(var.authCookie, "name", "&"));
    set req.http.User-Level = urldecode(subfield(var.authCookie, "level", "&"));
    set req.http.User-ID = urldecode(subfield(var.authCookie, "id", "&"));
    set req.http.User-Groups = urldecode(subfield(var.authCookie, "groups", "&"));
    log "Cookie is good.  Adding user data to headers";
  } else {
    if (!var.timeOK) {
      log "Cookie expired at " subfield(var.authCookie, "expires", "&") " (current time: " now.sec ")";
    }
    if (!var.sigOK) {
      log "Signature is bad, expecting " var.expectedSig ", got " urldecode(subfield(var.authCookie, "sig", "&"));
    }
  }
}


# Remove the cookie header to ensure that the origin server uses
# the decoded auth headers rather than reimplementing
unset req.http.Cookie;

# If the user is not authenticated and accessing a protected URL,
# redirect to the login page
if (!req.http.User-ID && req.url ~ "^/article(/.*)?$") {
  error 901;
}

## 3. DELIVER
declare local var.authCookie STRING;
if (resp.http.User-ID) {
  set var.authCookie = "";
  set var.authCookie = querystring.add(var.authCookie, "id", resp.http.User-ID);
  set var.authCookie = querystring.add(var.authCookie, "name", resp.http.User-Name);
  set var.authCookie = querystring.add(var.authCookie, "level", resp.http.User-Level);
  set var.authCookie = querystring.add(var.authCookie, "groups", resp.http.User-Groups);
  set var.authCookie = querystring.add(var.authCookie, "expires", strftime({"%s"}, time.add(now, std.integer2time(std.atoi(table.lookup(auth_config, "sessionTTL"))))));
  log "Signing this string " var.authCookie;
  set var.authCookie = querystring.add(var.authCookie, "sig", digest.hmac_sha256_base64(table.lookup(auth_config, "secret"), var.authCookie));

  unset resp.http.User-ID;
  unset resp.http.User-Name;
  unset resp.http.User-Level;
  unset resp.http.User-Groups;

  set resp.http.Set-Cookie = "auth=" var.authCookie "; path=/; max-age=" table.lookup(auth_config, "sessionTTL") "; secure; httponly;";
  set resp.http.Cache-Control = "no-store, private";
  log "Setting the auth cookie: " var.authCookie;
}

## 4. ERROR
if (obj.status == 901) {
  set obj.status = 307;
  set obj.response = "Temporary redirect";
  set obj.http.Location = "/login?redir=" urlencode(req.url);
  return (deliver);
}
	table auth_config {
	"secret": "my-super-secret-string",
	"sessionTTL": "3600"
	}
	# Declare some locally-scoped variables to help us with the
	# processing of the authentication cookie
	declare local var.authCookie STRING;
	declare local var.toSign STRING;
	declare local var.expectedSig STRING;
	declare local var.sigOK BOOL;
	declare local var.timeOK BOOL;

	# Prevent these headers being sent from the untrusted client
	unset req.http.User-Name;
	unset req.http.User-ID;
	unset req.http.User-Level;
	unset req.http.User-Groups;

	# If the user has sent a cookie, try to validate it
	if (req.http.Cookie:auth) {
	set var.authCookie = req.http.Cookie:auth;
	log "Found an auth cookie: " var.authCookie;

	set var.toSign = querystring.filter(var.authCookie, "sig");
	set var.expectedSig = digest.hmac_sha256_base64(table.lookup(auth_config, "secret"), var.toSign);
	set var.sigOK = (urldecode(subfield(var.authCookie, "sig", "&")) == var.expectedSig);

	set var.timeOK = time.is_after(
	std.integer2time(std.atoi(
	subfield(var.authCookie, "expires", "&")
	)),
	now
	);

	if (var.timeOK && var.sigOK) {
	set var.authCookie = regsub(var.authCookie, "^\?", "");
	set req.http.User-Name = urldecode(subfield(var.authCookie, "name", "&"));
	set req.http.User-Level = urldecode(subfield(var.authCookie, "level", "&"));
	set req.http.User-ID = urldecode(subfield(var.authCookie, "id", "&"));
	set req.http.User-Groups = urldecode(subfield(var.authCookie, "groups", "&"));
	log "Cookie is good. Adding user data to headers";
	} else {
	if (!var.timeOK) {
	log "Cookie expired at " subfield(var.authCookie, "expires", "&") " (current time: " now.sec ")";
	}
	if (!var.sigOK) {
	log "Signature is bad, expecting " var.expectedSig ", got " urldecode(subfield(var.authCookie, "sig", "&"));
	}
	}
	}


	# Remove the cookie header to ensure that the origin server uses
	# the decoded auth headers rather than reimplementing
	unset req.http.Cookie;

	# If the user is not authenticated and accessing a protected URL,
	# redirect to the login page
	if (!req.http.User-ID && req.url ~ "^/article(/.*)?$") {
	error 901;
	}
	declare local var.authCookie STRING;
	if (resp.http.User-ID) {
	set var.authCookie = "";
	set var.authCookie = querystring.add(var.authCookie, "id", resp.http.User-ID);
	set var.authCookie = querystring.add(var.authCookie, "name", resp.http.User-Name);
	set var.authCookie = querystring.add(var.authCookie, "level", resp.http.User-Level);
	set var.authCookie = querystring.add(var.authCookie, "groups", resp.http.User-Groups);
	set var.authCookie = querystring.add(var.authCookie, "expires", strftime({"%s"}, time.add(now, std.integer2time(std.atoi(table.lookup(auth_config, "sessionTTL"))))));
	log "Signing this string " var.authCookie;
	set var.authCookie = querystring.add(var.authCookie, "sig", digest.hmac_sha256_base64(table.lookup(auth_config, "secret"), var.authCookie));

	unset resp.http.User-ID;
	unset resp.http.User-Name;
	unset resp.http.User-Level;
	unset resp.http.User-Groups;

	set resp.http.Set-Cookie = "auth=" var.authCookie "; path=/; max-age=" table.lookup(auth_config, "sessionTTL") "; secure; httponly;";
	set resp.http.Cache-Control = "no-store, private";
	log "Setting the auth cookie: " var.authCookie;
	}
	if (obj.status == 901) {
	set obj.status = 307;
	set obj.response = "Temporary redirect";
	set obj.http.Location = "/login?redir=" urlencode(req.url);
	return (deliver);
	}