session.go (3319B)
1 // GoToSocial 2 // Copyright (C) GoToSocial Authors admin@gotosocial.org 3 // SPDX-License-Identifier: AGPL-3.0-or-later 4 // 5 // This program is free software: you can redistribute it and/or modify 6 // it under the terms of the GNU Affero General Public License as published by 7 // the Free Software Foundation, either version 3 of the License, or 8 // (at your option) any later version. 9 // 10 // This program is distributed in the hope that it will be useful, 11 // but WITHOUT ANY WARRANTY; without even the implied warranty of 12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 // GNU Affero General Public License for more details. 14 // 15 // You should have received a copy of the GNU Affero General Public License 16 // along with this program. If not, see <http://www.gnu.org/licenses/>. 17 18 package middleware 19 20 import ( 21 "fmt" 22 "net/http" 23 "net/url" 24 "strings" 25 26 "github.com/gin-contrib/sessions" 27 "github.com/gin-contrib/sessions/memstore" 28 "github.com/gin-gonic/gin" 29 "github.com/superseriousbusiness/gotosocial/internal/config" 30 "github.com/superseriousbusiness/gotosocial/internal/log" 31 "golang.org/x/net/idna" 32 ) 33 34 // SessionOptions returns the standard set of options to use for each session. 35 func SessionOptions() sessions.Options { 36 var samesite http.SameSite 37 switch strings.TrimSpace(strings.ToLower(config.GetAdvancedCookiesSamesite())) { 38 case "lax": 39 samesite = http.SameSiteLaxMode 40 case "strict": 41 samesite = http.SameSiteStrictMode 42 default: 43 log.Warnf(nil, "%s set to %s which is not recognized, defaulting to 'lax'", config.AdvancedCookiesSamesiteFlag(), config.GetAdvancedCookiesSamesite()) 44 samesite = http.SameSiteLaxMode 45 } 46 47 return sessions.Options{ 48 Path: "/", 49 Domain: config.GetHost(), 50 // 2 minutes 51 MaxAge: 120, 52 // only set secure over https 53 Secure: config.GetProtocol() == "https", 54 // forbid javascript from inspecting cookie 55 HttpOnly: true, 56 // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1 57 SameSite: samesite, 58 } 59 } 60 61 // SessionName is a utility function that derives an appropriate session name from the hostname. 62 func SessionName() (string, error) { 63 // parse the protocol + host 64 protocol := config.GetProtocol() 65 host := config.GetHost() 66 u, err := url.Parse(fmt.Sprintf("%s://%s", protocol, host)) 67 if err != nil { 68 return "", err 69 } 70 71 // take the hostname without any port attached 72 strippedHostname := u.Hostname() 73 if strippedHostname == "" { 74 return "", fmt.Errorf("could not derive hostname without port from %s://%s", protocol, host) 75 } 76 77 // make sure IDNs are converted to punycode or the cookie library breaks: 78 // see https://en.wikipedia.org/wiki/Punycode 79 punyHostname, err := idna.New().ToASCII(strippedHostname) 80 if err != nil { 81 return "", fmt.Errorf("could not convert %s to punycode: %s", strippedHostname, err) 82 } 83 84 return fmt.Sprintf("gotosocial-%s", punyHostname), nil 85 } 86 87 // Session returns a new gin middleware that implements session cookies using the given 88 // sessionName, authentication key, and encryption key. Session name can be derived from the 89 // SessionName utility function in this package. 90 func Session(sessionName string, auth []byte, crypt []byte) gin.HandlerFunc { 91 store := memstore.NewStore(auth, crypt) 92 store.Options(SessionOptions()) 93 return sessions.Sessions(sessionName, store) 94 }