make repsonses from auth subsystem more consistent

416e584b · Christian Pointner · b973f62f · 416e584b · 416e584b · 416e584b
Commit 416e584b authored 6 years ago by Christian Pointner
--- a/api/v1/utils.go
+++ b/api/v1/utils.go
@@ -110,6 +110,6 @@ func authorizeRequest(w http.ResponseWriter, r *http.Request, showID string) (bo
 			return true, s
 		}
 	}
-	http.Error(w, "you are not allowed to access show: "+showID, http.StatusForbidden)
+	sendWebResponse(w, http.StatusForbidden, ErrorResponse{Error: "you are not allowed to access show: " + showID})
 	return false, s
 }
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -25,6 +25,7 @@
 package auth
 import (
+	"encoding/json"
 	"net/http"
 	"strings"
@@ -45,6 +46,7 @@ func Init(c *Config) (err error) {
 		return
 	}
 	auth.config = c
 	if auth.sessions, err = NewSessionManager(); err != nil {
 		return
 	}
@@ -54,7 +56,6 @@ func Init(c *Config) (err error) {
 			return
 		}
 	}
 	return
 }
@@ -63,14 +64,14 @@ func login(w http.ResponseWriter, r *http.Request) {
 	switch strings.ToLower(method) {
 	case "oidc":
 		if auth.oidc == nil {
-			http.Error(w, "OIDC authentication is not configured", http.StatusBadRequest)
+			sendHTTPResponse(w, http.StatusBadRequest, HTTPResponse{Error: "OIDC authentication is not configured"})
 			return
 		}
 		auth.oidc.HandleLogin(w, r)
 	case "":
-		http.Error(w, "default/fallback authentication method has not been implemented yet!", http.StatusNotImplemented)
+		sendHTTPResponse(w, http.StatusNotImplemented, HTTPResponse{Error: "default/fallback authentication method has not been implemented yet"})
 	default:
-		http.Error(w, "invalid authentication method: "+method, http.StatusBadRequest)
+		sendHTTPResponse(w, http.StatusBadRequest, HTTPResponse{Error: "invalid authentication method: " + method})
 	}
 }
@@ -78,15 +79,27 @@ func logout(w http.ResponseWriter, r *http.Request) {
 	sid, s := getSessionFromCookie(r)
 	invalidateSessionCookie(w)
 	if s == nil {
-		http.Error(w, "Request does not contain a valid session cookie or session is already expired.", http.StatusUnauthorized)
+		sendHTTPResponseInvalidSession(w)
 		return
 	}
 	auth.sessions.remove(sid)
-	http.Error(w, "You are now logged out.", http.StatusOK)
+	sendHTTPResponse(w, http.StatusOK, HTTPResponse{Message: "you are now logged out"})
+}
+func whoami(w http.ResponseWriter, r *http.Request) {
+	_, s := getSessionFromCookie(r)
+	if s == nil {
+		sendHTTPResponseInvalidSession(w)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	json.NewEncoder(w).Encode(s)
 }
 func disabled(w http.ResponseWriter, r *http.Request) {
-	http.Error(w, "authentication is disabled", http.StatusNotAcceptable)
+	sendHTTPResponse(w, http.StatusBadRequest, HTTPResponse{Error: "authentication is disabled"})
 }
 func InstallHTTPHandler(r *mux.Router) {
@@ -97,6 +110,7 @@ func InstallHTTPHandler(r *mux.Router) {
 	r.HandleFunc("/login", login)
 	r.HandleFunc("/logout", logout)
+	r.HandleFunc("/whoami", whoami)
 	if auth.oidc != nil {
 		r.Handle("/oidc/callback", auth.oidc.CallbackHandler())
 	}
@@ -112,7 +126,7 @@ func Middleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		_, s := getSessionFromCookie(r)
 		if s == nil {
-			http.Error(w, "Request does not contain a valid session cookie or session is already expired.", http.StatusUnauthorized)
+			sendHTTPResponseInvalidSession(w)
 			return
 		}
 		next.ServeHTTP(w, attachSessionToRequest(r, s))

--- a/auth/oidc.go
+++ b/auth/oidc.go
@@ -26,7 +26,6 @@ package auth
 import (
 	"context"
-	"encoding/json"
 	"net/http"
 	"time"
@@ -95,24 +94,24 @@ func (b *OIDCBackend) HandleLogin(w http.ResponseWriter, r *http.Request) {
 	if s != nil {
 		msg := ""
 		if s.Username != "" {
-			msg = "You are still logged in, please logout first."
+			msg = "You are still logged in, please logout first"
 		} else if s.oidc == nil {
 			msg = "This is not an OIDC session."
 		} else {
 			msg = "OIDC login already in progress, retry later."
 		}
-		http.Error(w, msg, http.StatusConflict)
+		sendHTTPResponse(w, http.StatusConflict, HTTPResponse{Error: msg})
 		return
 	}
 	os, err := NewOIDCSession()
 	if err != nil {
-		http.Error(w, "Failed to generate new OIDC session: "+err.Error(), http.StatusInternalServerError)
+		sendHTTPResponse(w, http.StatusInternalServerError, HTTPResponse{Error: "Failed to generate new OIDC session: " + err.Error()})
 		return
 	}
 	s = &Session{oidc: os, Expires: time.Now().Add(time.Minute)}
 	if sid, err = auth.sessions.insert(s); err != nil {
-		http.Error(w, "Failed to generate new session: "+err.Error(), http.StatusInternalServerError)
+		sendHTTPResponse(w, http.StatusInternalServerError, HTTPResponse{Error: "Failed to generate new session: " + err.Error()})
 		return
 	}
 	setSessionCookie(w, sid)
@@ -127,20 +126,20 @@ func (h *oidcCallbackHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 	sid, s := getSessionFromCookie(r)
 	if s == nil {
 		invalidateSessionCookie(w)
-		http.Error(w, "Request does not contain a valid session cookie or session is already expired.", http.StatusUnauthorized)
+		sendHTTPResponseInvalidSession(w)
 		return
 	}
 	if s.oidc == nil {
-		http.Error(w, "This is not an OIDC session.", http.StatusConflict)
+		sendHTTPResponse(w, http.StatusConflict, HTTPResponse{Error: "This is not an OIDC session."})
 		return
 	}
 	if s.Username != "" {
-		http.Error(w, "This session is already logged in.", http.StatusConflict)
+		sendHTTPResponse(w, http.StatusConflict, HTTPResponse{Error: "This session is already logged in."})
 		return
 	}
 	if r.URL.Query().Get("state") != s.oidc.State {
-		http.Error(w, "OIDC verification failed: state did not match", http.StatusBadRequest)
+		sendHTTPResponse(w, http.StatusBadRequest, HTTPResponse{Error: "OIDC verification failed: state did not match"})
 		return
 	}
@@ -148,14 +147,14 @@ func (h *oidcCallbackHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 	if err != nil {
 		invalidateSessionCookie(w)
 		auth.sessions.remove(sid)
-		http.Error(w, "OAuth2 token exchange failed: "+err.Error(), http.StatusBadRequest)
+		sendHTTPResponse(w, http.StatusBadRequest, HTTPResponse{Error: "OAuth2 token exchange failed: " + err.Error()})
 		return
 	}
 	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
 	if !ok {
 		invalidateSessionCookie(w)
 		auth.sessions.remove(sid)
-		http.Error(w, "OIDC verification failed: no id_token field in oauth2 token.", http.StatusInternalServerError)
+		sendHTTPResponse(w, http.StatusBadRequest, HTTPResponse{Error: "OIDC verification failed: no id_token field in oauth2 token."})
 		return
 	}
@@ -164,13 +163,13 @@ func (h *oidcCallbackHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 	if err != nil {
 		invalidateSessionCookie(w)
 		auth.sessions.remove(sid)
-		http.Error(w, "OAuth2 ID token verification failed: "+err.Error(), http.StatusInternalServerError)
+		sendHTTPResponse(w, http.StatusInternalServerError, HTTPResponse{Error: "OAuth2 ID token verification failed: " + err.Error()})
 		return
 	}
 	if idToken.Nonce != s.oidc.Nonce {
 		invalidateSessionCookie(w)
 		auth.sessions.remove(sid)
-		http.Error(w, "OAuth2 ID token  verification failed: invalid nonce", http.StatusInternalServerError)
+		sendHTTPResponse(w, http.StatusInternalServerError, HTTPResponse{Error: "OAuth2 ID token verification failed: invalid nonce"})
 		return
 	}
@@ -178,30 +177,29 @@ func (h *oidcCallbackHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 	if err != nil {
 		invalidateSessionCookie(w)
 		auth.sessions.remove(sid)
-		http.Error(w, "Fetching OIDC UserInfo failed: "+err.Error(), http.StatusInternalServerError)
+		sendHTTPResponse(w, http.StatusInternalServerError, HTTPResponse{Error: "Fetching OIDC UserInfo failed: " + err.Error()})
 		return
 	}
 	newS := &Session{}
 	if err := userInfo.Claims(newS); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		sendHTTPResponse(w, http.StatusInternalServerError, HTTPResponse{Error: "Parsing OIDC UserInfo failed: " + err.Error()})
 		return
 	}
 	maxAge := defaultAge
 	if auth.config.Sessions.MaxAge > 0 {
 		maxAge = auth.config.Sessions.MaxAge
 	}
-	newS.Expires = time.Now().Add(maxAge * time.Second)
+	newS.Expires = time.Now().Add(maxAge)
 	newS.oidc = &OIDCSession{State: s.oidc.State, Nonce: s.oidc.Nonce}
 	newS.oidc.token = oauth2Token
 	if err = auth.sessions.update(sid, newS); err != nil {
 		invalidateSessionCookie(w)
 		auth.sessions.remove(sid)
-		http.Error(w, "Updating session failed: "+err.Error(), http.StatusInternalServerError)
+		sendHTTPResponse(w, http.StatusInternalServerError, HTTPResponse{Error: "Updating session failed: " + err.Error()})
 		return
 	}
-	setSessionCookie(w, sid) // reset the cookie to update max-age
+	setSessionCookie(w, sid) // re-set the cookie to update max-age
-	data, _ := json.MarshalIndent(newS, "", "    ")
+	sendHTTPResponse(w, http.StatusOK, HTTPResponse{Message: "You are now logged in as: " + newS.Username})
-	w.Write(data)
 }
--- a/auth/utils.go
+++ b/auth/utils.go
@@ -27,6 +27,8 @@ package auth
 import (
 	"crypto/rand"
 	"encoding/base64"
+	"encoding/json"
+	"net/http"
 )
 type contextKey int
@@ -42,3 +44,19 @@ func generateRandomString(len int) (string, error) {
 	}
 	return base64.RawURLEncoding.EncodeToString(b[:]), nil
 }
+type HTTPResponse struct {
+	Message string `json:"message,omitempty"`
+	Error   string `json:"error,omitempty"`
+}
+func sendHTTPResponse(w http.ResponseWriter, status int, resp HTTPResponse) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(status)
+	json.NewEncoder(w).Encode(resp) // TODO: Error Handling?
+}
+func sendHTTPResponseInvalidSession(w http.ResponseWriter) {
+	resp := HTTPResponse{Error: "Request does not contain a valid session cookie or session is already expired."}
+	sendHTTPResponse(w, http.StatusUnauthorized, resp)
+}