Generate new session ID after login
This commit mitigates the Session Fixation issue by making sure a new session ID is generated each time a user logs in to Harbor Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit is contained in:
parent
c360e71d51
commit
07dd14d3b5
@ -18,6 +18,7 @@ import (
|
|||||||
"encoding/json"
|
"encoding/json"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"github.com/goharbor/harbor/src/common/models"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
|
||||||
"github.com/ghodss/yaml"
|
"github.com/ghodss/yaml"
|
||||||
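Review bot: The new `"github.com/goharbor/harbor/src/common/models"` import is inserted between `"fmt"` and `"net/http"` inside the standard-library group instead of in the third-party group below it (where `"github.com/ghodss/yaml"` lives); gofmt keeps the blank-line grouping as written, so this will not be fixed automatically and should be moved to the second group. The same placement appears in the controllers import hunk, where `"github.com/goharbor/harbor/src/core/api"` is inserted between `"context"` and `"html/template"`.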
@ -37,6 +38,7 @@ import (
|
|||||||
|
|
||||||
const (
|
const (
|
||||||
yamlFileContentType = "application/x-yaml"
|
yamlFileContentType = "application/x-yaml"
|
||||||
|
userSessionKey = "user"
|
||||||
)
|
)
|
||||||
|
|
||||||
// the managers/controllers used globally
|
// the managers/controllers used globally
|
||||||
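Review bot: `userSessionKey` carries the literal `"user"` that the controllers package previously declared as `userKey`, but it is unexported, so any other package that reads the logged-in user back out of the session has to repeat the literal; if such readers exist (not visible from this hunk), exporting the constant or pairing PopulateUserSession with a small accessor keeps the key defined in one place. A short comment would also help readers: `// userSessionKey is the session key under which the logged-in models.User is stored`.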
@ -168,6 +170,12 @@ func (b *BaseController) WriteYamlData(object interface{}) {
|
|||||||
_, _ = w.Write(yData)
|
_, _ = w.Write(yData)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// PopulateUserSession generates a new session ID and fill the user model in parm to the session
|
||||||
|
func (b *BaseController) PopulateUserSession(u models.User) {
|
||||||
|
b.SessionRegenerateID()
|
||||||
|
b.SetSession(userSessionKey, u)
|
||||||
|
}
|
||||||
|
|
||||||
// Init related objects/configurations for the API controllers
|
// Init related objects/configurations for the API controllers
|
||||||
func Init() error {
|
func Init() error {
|
||||||
registerHealthCheckers()
|
registerHealthCheckers()
|
||||||
|
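Review bot: PopulateUserSession regenerates the ID and then stores the user, but whether values written to the pre-login session survive the regeneration depends on the beego session provider, which I cannot see here; if they are carried over to the new ID, any state a caller stored before authentication stays attached (the Onboard hunk deletes `userInfoKey` by hand for that reason), so the expectation should be stated in the doc comment. The existing comment is also ungrammatical ("fill the user model in parm"); suggested replacement: `// PopulateUserSession regenerates the session ID and stores u under userSessionKey in the new session, so a session ID that existed before login is never promoted to an authenticated one. Callers must remove any pre-login state they do not want carried over before calling it.` If models.User carries credential-related fields, storing the whole struct in the session backend is also worth a second look, though that predates this change.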
@ -17,6 +17,7 @@ package controllers
|
|||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"context"
|
"context"
|
||||||
|
"github.com/goharbor/harbor/src/core/api"
|
||||||
"html/template"
|
"html/template"
|
||||||
"net"
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
@ -38,11 +39,9 @@ import (
|
|||||||
"github.com/goharbor/harbor/src/core/filter"
|
"github.com/goharbor/harbor/src/core/filter"
|
||||||
)
|
)
|
||||||
|
|
||||||
const userKey = "user"
|
|
||||||
|
|
||||||
// CommonController handles request from UI that doesn't expect a page, such as /SwitchLanguage /logout ...
|
// CommonController handles request from UI that doesn't expect a page, such as /SwitchLanguage /logout ...
|
||||||
type CommonController struct {
|
type CommonController struct {
|
||||||
beego.Controller
|
api.BaseController
|
||||||
i18n.Locale
|
i18n.Locale
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -51,6 +50,9 @@ func (cc *CommonController) Render() error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Prepare overwrites the Prepare func in api.BaseController to ignore unnecessary steps
|
||||||
|
func (cc *CommonController) Prepare() {}
|
||||||
|
|
||||||
type messageDetail struct {
|
type messageDetail struct {
|
||||||
Hint string
|
Hint string
|
||||||
URL string
|
URL string
|
||||||
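Review bot: The empty `Prepare` silently bypasses everything api.BaseController.Prepare does for every CommonController endpoint (login, logout and the others it serves), and the comment only says the steps are "unnecessary" without saying which; since this is the method that now decides what request setup these handlers skip, name it. Suggested wording, hedged until confirmed against BaseController.Prepare: `// Prepare overrides api.BaseController.Prepare with a no-op: the endpoints served by CommonController run before or outside an authenticated session, so the base controller's per-request setup is intentionally skipped — confirm nothing in BaseController.Prepare is required here.`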
@ -111,7 +113,7 @@ func (cc *CommonController) Login() {
|
|||||||
if user == nil {
|
if user == nil {
|
||||||
cc.CustomAbort(http.StatusUnauthorized, "")
|
cc.CustomAbort(http.StatusUnauthorized, "")
|
||||||
}
|
}
|
||||||
cc.SetSession(userKey, *user)
|
cc.PopulateUserSession(*user)
|
||||||
}
|
}
|
||||||
|
|
||||||
// LogOut Habor UI
|
// LogOut Habor UI
|
||||||
|
@ -148,7 +148,7 @@ func (oc *OIDCController) Callback() {
|
|||||||
oc.SendInternalServerError(err)
|
oc.SendInternalServerError(err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
oc.SetSession(userKey, *u)
|
oc.PopulateUserSession(*u)
|
||||||
oc.Controller.Redirect("/", http.StatusFound)
|
oc.Controller.Redirect("/", http.StatusFound)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -219,8 +219,8 @@ func (oc *OIDCController) Onboard() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
user.OIDCUserMeta = nil
|
user.OIDCUserMeta = nil
|
||||||
oc.SetSession(userKey, user)
|
|
||||||
oc.DelSession(userInfoKey)
|
oc.DelSession(userInfoKey)
|
||||||
|
oc.PopulateUserSession(user)
|
||||||
}
|
}
|
||||||
|
|
||||||
func secretAndToken(tokenBytes []byte) (string, string, error) {
|
func secretAndToken(tokenBytes []byte) (string, string, error) {
|
||||||
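Review bot: The reorder in Onboard now deletes `userInfoKey` before `PopulateUserSession` regenerates the session ID, so the pre-login OIDC state is removed from the old session rather than potentially carried into the new one (assuming the provider copies values across regeneration, which I cannot confirm from this hunk). That ordering is deliberate but easy to undo in a later refactor, so a one-line comment protects it: `// drop the pre-login OIDC state before the session ID is regenerated`.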
|