Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

handle 401 when checking cookie session #300

Closed
wants to merge 1 commit into from
Closed

handle 401 when checking cookie session #300

wants to merge 1 commit into from

Conversation

paulbdavis
Copy link
Contributor

Related issue

#298

Proposed changes

Handles 401 errors when attempting to check a cookie session rather than masking it as a 403 error

Checklist

  • I have read the contributing guidelines
  • I have read the security policy
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got green light (please contact
    [email protected]) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation within the code base (if appropriate)
  • I have documented my changes in the
    developer guide (if appropriate)

aeneasr
aeneasr reviewed Nov 18, 2019
View reviewed changes
pipeline/authn/authenticator_cookie_session.go
@@ -115,10 +115,12 @@ func forwardRequestToSessionStore(r *http.Request, checkSessionURL string) (json
if res.StatusCode == 200 {
body, err := ioutil.ReadAll(res.Body)
if err != nil {
return json.RawMessage{}, err
return json.RawMessage{}, helper.ErrForbidden.WithReason(err.Error()).WithTrace(err)
Copy link
Member

@aeneasr aeneasr Nov 18, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Why would you consider the inability to read the response body a 403 error? Wouldn't it make more sense to return more error details here? I believe this will be incredibly hard to handle. I understand that this was the case before, but since we're working on this patch we can address it straight away.
  • .WithTrace() adds the stack trace from the upstream error to the error context. stdlib errors do not implement stack trace functionality, therefore WithTrace() on a stdlib doesn't have an effect.
  • Without errors.WithStack() it's not possible to get the error trace. What was your thinking behind omitting that?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added that here because the function that called forwardRequestToSessionStore was previously wrapping all the errors in a 403, so I added this to maintain the existing behavior for all of the other error cases, though I would say this should probably be a 500 error instead

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, so let's return instead:

Suggested change
return json.RawMessage{}, helper.ErrForbidden.WithReason(err.Error()).WithTrace(err)
return json.RawMessage{}, errors.WithStack(helper.ErrForbidden.WithReasonf("Unable to fetch cookie session context from remote: %+v", err))

aeneasr
aeneasr reviewed Nov 18, 2019
View reviewed changes
Copy link
Member

@aeneasr aeneasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! I think this patch can be reduced to one or two line changes, see my comments :)

pipeline/authn/authenticator_cookie_session.go
}

return json.RawMessage{}, errors.WithStack(helper.ErrUnauthorized)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These changes do not do a lot except changing some errors.WithStack() behavior, which should not have any effect.

@aeneasr
Copy link
Member

aeneasr commented Nov 25, 2019

Are you still up for these changes? :)

@paulbdavis
Copy link
Contributor Author

I think the change makes sense in general, but I'm not using the cookie auth anymore since the patch to use cookies for oauth was merged, so it's not a priority for me anymore.

aeneasr added a commit that referenced this pull request Dec 17, 2019
@aeneasr
authn: Improve session endpoint debugability
cb09b9d 
Closes #300
@aeneasr aeneasr mentioned this pull request Dec 17, 2019
Merged
@aeneasr aeneasr closed this in #315 Dec 17, 2019
aeneasr added a commit that referenced this pull request Dec 17, 2019
@aeneasr
authn: Improve session endpoint debugability (#315)
2718639 
Closes #300
pike1212 pushed a commit to pike1212/oathkeeper that referenced this pull request Dec 18, 2019
@aeneasr @pike1212
authn: Improve session endpoint debugability (ory#315)
fa99dfe 
Closes ory#300
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aeneasr aeneasr aeneasr left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@paulbdavis @aeneasr