revocations: add auth token for api endpoint

whawty · Nov 19, 2023 · c61240b · c61240b
1 parent 20acf04
commit c61240b
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 5 deletions.
diff --git a/cmd/whawty-nginx-sso/config.go b/cmd/whawty-nginx-sso/config.go
@@ -47,9 +47,12 @@ type LoginConfig struct {
 }
 
 type WebConfig struct {
-	Listen string               `yaml:"listen"`
-	TLS    *tlsconfig.TLSConfig `yaml:"tls"`
-	Login  LoginConfig          `yaml:"login"`
+	Listen      string               `yaml:"listen"`
+	TLS         *tlsconfig.TLSConfig `yaml:"tls"`
+	Login       LoginConfig          `yaml:"login"`
+	Revocations struct {
+		Tokens []string `yaml:"tokens"`
+	} `yaml:"revocations"`
 }
 
 type Config struct {

diff --git a/cmd/whawty-nginx-sso/web.go b/cmd/whawty-nginx-sso/web.go
@@ -196,7 +196,28 @@ func (h *HandlerContext) handleSessions(c *gin.Context) {
 }
 
 func (h *HandlerContext) handleRevocations(c *gin.Context) {
-	// TODO: add authentication based on bearer tokens!
+	auth_header := c.GetHeader("Authorization")
+	if auth_header == "" {
+		c.JSON(http.StatusUnauthorized, WebError{"no authorization header found"})
+		return
+	}
+	auth_parts := strings.SplitN(auth_header, " ", 2)
+	if len(auth_parts) != 2 || auth_parts[0] != "Bearer" {
+		c.JSON(http.StatusUnauthorized, WebError{"authorization header is invalid"})
+		return
+	}
+	authenticated := false
+	for _, token := range h.conf.Revocations.Tokens {
+		if token == auth_parts[1] {
+			authenticated = true
+			break
+		}
+	}
+	if !authenticated {
+		c.JSON(http.StatusUnauthorized, WebError{"unauthorized token"})
+		return
+	}
+
 	revocations, err := h.cookies.ListRevoked()
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, WebError{err.Error()})

diff --git a/contrib/sample-cfg.yml b/contrib/sample-cfg.yml
@@ -89,6 +89,10 @@ web:
     #### the http base path where the UI is hosted, if left empty the web interface will look for the HTTP header
     #### X-BasePath and if this is empty as well '/' will be used.
     # base-path: /sso/
+  revocations:
+    tokens:
+    - this-is-a-very-secret-token
+    - another-very-secret-token
 
   # tls:
   #   certificate: "/path/to/server-crt.pem"

diff --git a/cookie/backend_in-memory.go b/cookie/backend_in-memory.go
@@ -65,7 +65,6 @@ func (b *InMemoryBackend) Save(username string, id ulid.ULID, session Session) e
 		b.sessions[username] = sessions
 	}
 	if _, exists = sessions[id]; exists {
-		// TODO: this probably should be a panic
 		return fmt.Errorf("session '%v' already exists!", id)
 	}
 	sessions[id] = session