cookie: revamp internal handling of revocations

cmd/whawty-nginx-sso/web.go

@@ -166,7 +166,7 @@ func (h *HandlerContext) handleLoginPost(c *gin.Context) {
 func (h *HandlerContext) handleLogout(c *gin.Context) {
 	id, session, err := h.verifyCookie(c)
 	if err == nil {
-		if err = h.cookies.Revoke(session.Username, id); err != nil {
+		if err = h.cookies.Revoke(id, *session); err != nil {
 			// TODO: render error page!
 			c.JSON(http.StatusInternalServerError, WebError{err.Error()})
 			return

cookie/backend_in-memory.go

@@ -55,14 +55,14 @@ func NewInMemoryBackend(conf *InMemoryBackendConfig) (*InMemoryBackend, error) {
 	return m, nil
 }
 
-func (b *InMemoryBackend) Save(username string, id ulid.ULID, session Session) error {
+func (b *InMemoryBackend) Save(id ulid.ULID, session Session) error {
 	b.mutex.Lock()
 	defer b.mutex.Unlock()
 
-	sessions, exists := b.sessions[username]
+	sessions, exists := b.sessions[session.Username]
 	if !exists {
 		sessions = make(InMemorySessionList)
-		b.sessions[username] = sessions
+		b.sessions[session.Username] = sessions
 	}
 	if _, exists = sessions[id]; exists {
 		return fmt.Errorf("session '%v' already exists!", id)
@@ -80,24 +80,17 @@ func (b *InMemoryBackend) ListUser(username string) (list StoredSessionList, err
 		return
 	}
 	for id, session := range sessions {
-		list = append(list, StoredSession{ID: id, Session: session})
+		if _, revoked := b.revoked[id]; !revoked {
+			list = append(list, StoredSession{ID: id, Session: session})
+		}
 	}
 	return
 }
 
-func (b *InMemoryBackend) Revoke(username string, id ulid.ULID) error {
+func (b *InMemoryBackend) Revoke(id ulid.ULID, session Session) error {
 	b.mutex.Lock()
 	defer b.mutex.Unlock()
 
-	sessions, exists := b.sessions[username]
-	if !exists {
-		return fmt.Errorf("session '%v' does not exist", id)
-	}
-	session, exists := sessions[id]
-	if !exists {
-		return fmt.Errorf("session '%v' does not exist", id)
-	}
-	delete(sessions, id)
 	b.revoked[id] = session
 	return nil
 }
@@ -120,6 +113,16 @@ func (b *InMemoryBackend) ListRevoked() (list StoredSessionList, err error) {
 	return
 }
 
+func (b *InMemoryBackend) LoadRevocations(list StoredSessionList) (err error) {
+	b.mutex.Lock()
+	defer b.mutex.Unlock()
+
+	for _, session := range list {
+		b.revoked[session.ID] = session.Session
+	}
+	return
+}
+
 func (b *InMemoryBackend) CollectGarbage() (uint, error) {
 	b.mutex.Lock()
 	defer b.mutex.Unlock()

cookie/store.go

@@ -100,11 +100,12 @@ type SignedRevocationList struct {
 }
 
 type StoreBackend interface {
-	Save(username string, id ulid.ULID, session Session) error
+	Save(id ulid.ULID, session Session) error
 	ListUser(username string) (StoredSessionList, error)
-	Revoke(username string, id ulid.ULID) error
+	Revoke(id ulid.ULID, session Session) error
 	IsRevoked(id ulid.ULID) (bool, error)
 	ListRevoked() (StoredSessionList, error)
+	LoadRevocations(StoredSessionList) error
 	CollectGarbage() (uint, error)
 }
 
@@ -284,7 +285,7 @@ func (st *Store) New(s Session) (value string, opts Options, err error) {
 		return
 	}
 
-	if err = st.backend.Save(s.Username, id, s); err != nil {
+	if err = st.backend.Save(id, s); err != nil {
 		return
 	}
 	st.dbgLog.Printf("successfully generated new session('%v'): %+v", id, s)
@@ -344,12 +345,12 @@ func (st *Store) ListUser(username string) (StoredSessionList, error) {
 	return st.backend.ListUser(username)
 }
 
-func (st *Store) Revoke(username, id string) error {
+func (st *Store) Revoke(id string, session Session) error {
 	toRevoke, err := ulid.ParseStrict(id)
 	if err != nil {
 		return err
 	}
-	if err = st.backend.Revoke(username, toRevoke); err != nil {
+	if err = st.backend.Revoke(toRevoke, session); err != nil {
 		return err
 	}
 	st.dbgLog.Printf("successfully revoked session('%v')", id)