An atproto PDS written in Go

feat: configurable session cookie key (#58)

* feat: configurable session cookie key

* chore: fmt

authored by shi.gg and committed by

GitHub 0908053f 43b90560

+30 -20
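--- a/.env.example
+++ b/.env.example
@@ -8,3 +8,5 @@
 COCOON_ADMIN_PASSWORD=
 # Generate with `openssl rand -hex 32`
 COCOON_SESSION_SECRET=
+# Optional: Change the session cookie name (default: session)
+# COCOON_SESSION_COOKIE_KEY=cocoon_session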
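--- a/cmd/cocoon/main.go
+++ b/cmd/cocoon/main.go
@@ -147,6 +147,11 @@
 EnvVars: []string{"COCOON_SESSION_SECRET"},
 },
 &cli.StringFlag{
+Name: "session-cookie-key",
+EnvVars: []string{"COCOON_SESSION_COOKIE_KEY"},
+Value: "session",
+},
+&cli.StringFlag{
 Name: "blockstore-variant",
 EnvVars: []string{"COCOON_BLOCKSTORE_VARIANT"},
 Value: "sqlite",
@@ -215,6 +220,7 @@
 CDNUrl: cmd.String("s3-cdn-url"),
 },
 SessionSecret: cmd.String("session-secret"),
+SessionCookieKey: cmd.String("session-cookie-key"),
 BlockstoreVariant: server.MustReturnBlockstoreVariant(cmd.String("blockstore-variant")),
 FallbackProxy: cmd.String("fallback-proxy"),
 })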
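Review bot: The new `session-cookie-key` flag is handed straight through as a cookie name with no validation at new lines 150–152 and 223; if an operator sets it to an empty string or to something that is not an RFC 6265 token (spaces, `;`, `=`), Go's net/http emits no `Set-Cookie` header at all for that cookie (`Cookie.String` returns "" for an invalid name, as far as I recall), so sign-in would appear to succeed but never persist. A cheap startup guard where the flag is read would catch this: `if c := (&http.Cookie{Name: cmd.String("session-cookie-key"), Value: "x"}); c.String() == "" { return fmt.Errorf("invalid session cookie name %q", c.Name) }` (on recent Go, `c.Valid()` gives a descriptive error instead). Since the flag is an obvious place to put a `__Host-` prefix, a `Usage` string such as `"Session cookie name; a __Host- prefix is only enforced by browsers when the session store sets Secure, Path=/ and no Domain"` would save a deployer a surprise, as those options are configured outside this hunk. The enclosing action function starts and ends outside the hunk.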
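--- a/plc/client.go
+++ b/plc/client.go
@@ -61,12 +61,12 @@
 }
 
 op := Operation{
-Type: "plc_operation",
+Type: "plc_operation",
 VerificationMethods: creds.VerificationMethods,
-RotationKeys: creds.RotationKeys,
-AlsoKnownAs: creds.AlsoKnownAs,
-Services: creds.Services,
-Prev: nil,
+RotationKeys: creds.RotationKeys,
+AlsoKnownAs: creds.AlsoKnownAs,
+Services: creds.Services,
+Prev: nil,
 }
 
 if err := c.SignOp(sigkey, &op); err != nil {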
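--- a/plc/types.go
+++ b/plc/types.go
@@ -8,7 +8,6 @@
 cbg "github.com/whyrusleeping/cbor-gen"
 )
 
-
 type DidCredentials struct {
 VerificationMethods map[string]string `json:"verificationMethods"`
 RotationKeys []string `json:"rotationKeys"`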
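--- a/server/handle_account_signin.go
+++ b/server/handle_account_signin.go
@@ -26,7 +26,7 @@
 func (s *Server) getSessionRepoOrErr(e echo.Context) (*models.RepoActor, *sessions.Session, error) {
 ctx := e.Request().Context()
 
-sess, err := session.Get("session", e)
+sess, err := session.Get(s.config.SessionCookieKey, e)
 if err != nil {
 return nil, nil, err
 }
@@ -75,7 +75,7 @@
 return helpers.ServerError(e, nil)
 }
 
-sess, _ := session.Get("session", e)
+sess, _ := session.Get(s.config.SessionCookieKey, e)
 
 req.Username = strings.ToLower(req.Username)
 var idtype string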
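Review bot: At new line 78 the error from `session.Get` is still discarded with `sess, _ :=`, while `getSessionRepoOrErr` at line 29 returns it; if the store behind `session.Get` is gorilla's cookie store (the `sessions.Session` type suggests so), a cookie that fails to decode — tampered, or signed under a rotated `COCOON_SESSION_SECRET` — comes back as a fresh session together with the error, so the discard may well be intentional on sign-in, but it deserves either handling or a comment such as `// an undecodable cookie is replaced by a fresh session on sign-in; the decode error is deliberately ignored`. Reading the name from `s.config.SessionCookieKey` also means any call site that still uses the literal `"session"` (middleware, the save path) would now operate on a different cookie, which is worth a grep before merging. Both enclosing functions continue outside the hunk.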
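--- a/server/handle_account_signout.go
+++ b/server/handle_account_signout.go
@@ -7,7 +7,7 @@
 )
 
 func (s *Server) handleAccountSignout(e echo.Context) error {
-sess, err := session.Get("session", e)
+sess, err := session.Get(s.config.SessionCookieKey, e)
 if err != nil {
 return err
 }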
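--- a/server/server.go
+++ b/server/server.go
@@ -115,7 +115,8 @@
 
 S3Config *S3Config
 
-SessionSecret string
+SessionSecret string
+SessionCookieKey string
 
 BlockstoreVariant BlockstoreVariant
 FallbackProxy string
@@ -132,6 +133,7 @@
 RequireInvite bool
 SmtpEmail string
 SmtpName string
+SessionCookieKey string
 BlockstoreVariant BlockstoreVariant
 FallbackProxy string
 }
@@ -392,6 +394,7 @@
 RequireInvite: args.RequireInvite,
 SmtpName: args.SmtpName,
 SmtpEmail: args.SmtpEmail,
+SessionCookieKey: args.SessionCookieKey,
 BlockstoreVariant: args.BlockstoreVariant,
 FallbackProxy: args.FallbackProxy,
 },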
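Review bot: The two new `SessionCookieKey` fields (new lines 119 and 136) carry no doc comment, and the constructor at new line 397 copies `args.SessionCookieKey` through unchanged, so the `"session"` default lives only in the CLI flag; any other caller of this constructor (tests, embedders) that leaves it empty would end up calling `session.Get("", ...)`, and an empty string is not a valid cookie name, so sessions would silently never be set. Suggest defaulting in the constructor, `if args.SessionCookieKey == "" { args.SessionCookieKey = "session" }`, and documenting the field with `// SessionCookieKey is the name of the cookie that carries the signed session; defaults to "session".` The field name says "key" while the .env.example comment says "name", and since `SessionSecret` sits right next to it a reader could mistake it for secret material, so the doc comment should make clear it is a cookie name and not a secret. Both structs and the constructor start outside the hunk.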
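--- a/server/service_auth.go
+++ b/server/service_auth.go
@@ -44,7 +44,7 @@
 
 parsedToken, err := jwt.ParseWithClaims(token, jwt.MapClaims{}, func(token *jwt.Token) (interface{}, error) {
 did := syntax.DID(token.Claims.(jwt.MapClaims)["iss"].(string))
-didDoc, err := s.passport.FetchDoc(ctx, did.String());
+didDoc, err := s.passport.FetchDoc(ctx, did.String())
 if err != nil {
 return nil, fmt.Errorf("unable to resolve did %s: %s", did, err)
 }
@@ -52,25 +52,25 @@
 verificationMethods := make([]atproto_identity.DocVerificationMethod, len(didDoc.VerificationMethods))
 for i, verificationMethod := range didDoc.VerificationMethods {
 verificationMethods[i] = atproto_identity.DocVerificationMethod{
-ID: verificationMethod.Id,
-Type: verificationMethod.Type,
+ID: verificationMethod.Id,
+Type: verificationMethod.Type,
 PublicKeyMultibase: verificationMethod.PublicKeyMultibase,
-Controller: verificationMethod.Controller,
+Controller: verificationMethod.Controller,
 }
 }
 services := make([]atproto_identity.DocService, len(didDoc.Service))
 for i, service := range didDoc.Service {
 services[i] = atproto_identity.DocService{
-ID: service.Id,
-Type: service.Type,
+ID: service.Id,
+Type: service.Type,
 ServiceEndpoint: service.ServiceEndpoint,
 }
 }
 parsedIdentity := atproto_identity.ParseIdentity(&identity.DIDDocument{
-DID: did,
-AlsoKnownAs: didDoc.AlsoKnownAs,
+DID: did,
+AlsoKnownAs: didDoc.AlsoKnownAs,
 VerificationMethod: verificationMethods,
-Service: services,
+Service: services,
 })
 
 key, err := parsedIdentity.PublicKey()
@@ -88,4 +88,4 @@
 return "", fmt.Errorf("bad jwt lexicon method (\"lxm\"). must match: %s", nsid)
 }
 return claims["iss"].(string), nil
-}
+}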
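Review bot: The DID resolved over the network at new line 47 comes from `iss` at line 46, where `token.Claims.(jwt.MapClaims)["iss"].(string)` is an unchecked assertion that panics when the claim is missing or not a string, and `syntax.DID(...)` is a plain type conversion that (if this is indigo's `syntax` package) performs none of the validation `syntax.ParseDID` does; all of this runs inside the key function, i.e. before the signature has been checked, so an unauthenticated caller can crash the handler unless a recover middleware catches it, or make the PDS resolve arbitrary strings. Validating the claim before resolving it closes both, as sketched below, and keeps `did` typed as `syntax.DID` for the `identity.DIDDocument` literal further down. It would also be worth pinning the accepted signing methods on `ParseWithClaims` (e.g. `jwt.WithValidMethods`, if the jwt library in use offers it) so a token with an unexpected `alg` is rejected before any resolution happens. The enclosing function starts and ends outside the hunk.
```go
	parsedToken, err := jwt.ParseWithClaims(token, jwt.MapClaims{}, func(token *jwt.Token) (interface{}, error) {
		rawIss, ok := token.Claims.(jwt.MapClaims)["iss"].(string)
		if !ok {
			return nil, fmt.Errorf("missing or non-string iss claim")
		}
		did, err := syntax.ParseDID(rawIss)
		if err != nil {
			return nil, fmt.Errorf("invalid iss claim %q: %w", rawIss, err)
		}
		didDoc, err := s.passport.FetchDoc(ctx, did.String())
		// … unchanged: DID document → identity → public key …
```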