Abstract out the code that creates the application name so it can be …

…used in multiple places. Do a similar check in the javascript to get the cookie name.
transcom · Feb 1, 2019 · 8f863db · 8f863db
1 parent 15a33a8
commit 8f863db
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 25 deletions.
diff --git a/cmd/webserver/main.go b/cmd/webserver/main.go
@@ -751,7 +751,7 @@ func main() {
 
 	// Session management and authentication middleware
 	noSessionTimeout := v.GetBool("no-session-timeout")
-	sessionCookieMiddleware := auth.SessionCookieMiddleware(zapLogger, clientAuthSecretKey, noSessionTimeout)
+	sessionCookieMiddleware := auth.SessionCookieMiddleware(zapLogger, clientAuthSecretKey, noSessionTimeout, myHostname, officeHostname, tspHostname)
 	maskedCSRFMiddleware := auth.MaskedCSRFMiddleware(zapLogger, noSessionTimeout)
 	appDetectionMiddleware := auth.DetectorMiddleware(zapLogger, myHostname, officeHostname, tspHostname)
 	userAuthMiddleware := authentication.UserAuthMiddleware(zapLogger)

diff --git a/pkg/auth/app_detector.go b/pkg/auth/app_detector.go
@@ -5,18 +5,20 @@ import (
 	"strings"
 
 	"github.com/honeycombio/beeline-go"
+	"github.com/pkg/errors"
 	"go.uber.org/zap"
 )
 
-type application string
+// Application describes the application name
+type Application string
 
 const (
 	// TspApp indicates tsp.move.mil
-	TspApp application = "TSP"
+	TspApp Application = "TSP"
 	// OfficeApp indicates office.move.mil
-	OfficeApp application = "OFFICE"
+	OfficeApp Application = "OFFICE"
 	// MyApp indicates my.move.mil
-	MyApp application = "MY"
+	MyApp Application = "MY"
 )
 
 // IsTspApp returns true iff the request is for the office.move.mil host
@@ -34,6 +36,19 @@ func (s *Session) IsMyApp() bool {
 	return s.ApplicationName == MyApp
 }
 
+// ApplicationName returns the application name given the hostname
+func ApplicationName(hostname, myHostname, officeHostname, tspHostname string) (Application, error) {
+	var appName Application
+	if strings.EqualFold(hostname, myHostname) {
+		return MyApp, nil
+	} else if strings.EqualFold(hostname, officeHostname) {
+		return OfficeApp, nil
+	} else if strings.EqualFold(hostname, tspHostname) {
+		return TspApp, nil
+	}
+	return appName, errors.New("Bad hostname")
+}
+
 // DetectorMiddleware detects which application we are serving based on the hostname
 func DetectorMiddleware(logger *zap.Logger, myHostname string, officeHostname string, tspHostname string) func(next http.Handler) http.Handler {
 	logger.Info("Creating host detector", zap.String("myHost", myHostname), zap.String("officeHost", officeHostname), zap.String("tspHost", tspHostname))
@@ -44,21 +59,15 @@ func DetectorMiddleware(logger *zap.Logger, myHostname string, officeHostname st
 
 			session := SessionFromRequestContext(r)
 
-			parts := strings.Split(r.Host, ":")
-			var appName application
-			if strings.EqualFold(parts[0], myHostname) {
-				appName = MyApp
-			} else if strings.EqualFold(parts[0], officeHostname) {
-				appName = OfficeApp
-			} else if strings.EqualFold(parts[0], tspHostname) {
-				appName = TspApp
-			} else {
+			// Split the hostname from the port
+			hostname := strings.Split(r.Host, ":")[0]
+			appName, err := ApplicationName(hostname, myHostname, officeHostname, tspHostname)
+			if err != nil {
 				logger.Error("Bad hostname", zap.String("hostname", r.Host))
 				http.Error(w, http.StatusText(400), http.StatusBadRequest)
-				return
 			}
 			session.ApplicationName = appName
-			session.Hostname = strings.ToLower(parts[0])
+			session.Hostname = strings.ToLower(hostname)
 
 			span.AddTraceField("auth.application_name", session.ApplicationName)
 			span.AddTraceField("auth.hostname", session.Hostname)

diff --git a/pkg/auth/cookie.go b/pkg/auth/cookie.go
@@ -60,10 +60,9 @@ func signTokenStringWithUserInfo(expiry time.Time, session *Session, secret stri
 	return ss, err
 }
 
-func sessionClaimsFromRequest(logger *zap.Logger, secret string, r *http.Request) (claims *SessionClaims, ok bool) {
+func sessionClaimsFromRequest(logger *zap.Logger, secret string, appName Application, r *http.Request) (claims *SessionClaims, ok bool) {
 	// Name the cookie with the host name, use the same method as in the DetectorMiddleware
-	appName := strings.Split(strings.Split(r.Host, ":")[0], ".")[0]
-	cookieName := fmt.Sprintf("%s_%s", strings.ToLower(appName), UserSessionCookieName)
+	cookieName := fmt.Sprintf("%s_%s", strings.ToLower(string(appName)), UserSessionCookieName)
 	cookie, err := r.Cookie(cookieName)
 	if err != nil {
 		// No cookie set on client
@@ -127,7 +126,7 @@ func MaskedCSRFMiddleware(logger *zap.Logger, noSessionTimeout bool) func(next h
 func WriteSessionCookie(w http.ResponseWriter, session *Session, secret string, noSessionTimeout bool, logger *zap.Logger) {
 
 	// Delete the cookie
-	cookieName := fmt.Sprintf("%s_%s", strings.Split(string(session.Hostname), "."), UserSessionCookieName)
+	cookieName := fmt.Sprintf("%s_%s", strings.ToLower(string(session.ApplicationName)), UserSessionCookieName)
 	cookie := http.Cookie{
 		Name:    cookieName,
 		Value:   "blank",
@@ -164,11 +163,18 @@ func WriteSessionCookie(w http.ResponseWriter, session *Session, secret string,
 }
 
 // SessionCookieMiddleware handle serializing and de-serializing the session between the user_session cookie and the request context
-func SessionCookieMiddleware(logger *zap.Logger, secret string, noSessionTimeout bool) func(next http.Handler) http.Handler {
+func SessionCookieMiddleware(logger *zap.Logger, secret string, noSessionTimeout bool, myHostname, officeHostname, tspHostname string) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		mw := func(w http.ResponseWriter, r *http.Request) {
 			session := Session{}
-			claims, ok := sessionClaimsFromRequest(logger, secret, r)
+
+			hostname := strings.Split(r.Host, ":")[0]
+			appName, err := ApplicationName(hostname, myHostname, officeHostname, tspHostname)
+			if err != nil {
+				logger.Error("Bad hostname", zap.String("hostname", r.Host))
+				http.Error(w, http.StatusText(400), http.StatusBadRequest)
+			}
+			claims, ok := sessionClaimsFromRequest(logger, secret, appName, r)
 			if ok {
 				session = claims.SessionValue
 			}

diff --git a/pkg/auth/session.go b/pkg/auth/session.go
@@ -13,7 +13,7 @@ const sessionContextKey authSessionKey = "session"
 
 // Session stores information about the currently logged in session
 type Session struct {
-	ApplicationName application
+	ApplicationName Application
 	Hostname        string
 	IDToken         string
 	UserID          uuid.UUID

diff --git a/src/shared/User/ducks.js b/src/shared/User/ducks.js
@@ -1,7 +1,7 @@
 import * as Cookies from 'js-cookie';
 import * as decode from 'jwt-decode';
 import * as helpers from 'shared/ReduxHelpers';
-import { hostname } from 'shared/constants';
+import { isMilmoveSite, isOfficeSite, isTspSite } from 'shared/constants';
 import { GetLoggedInUser } from './api.js';
 import { normalize } from 'normalizr';
 import { pick } from 'lodash';
@@ -72,7 +72,8 @@ const loggedOutUser = {
 };
 
 function getUserInfo() {
-  const cookieName = hostname + '_session_token';
+  let cookiePrefix = (isMilmoveSite && 'my') || (isOfficeSite && 'office') || (isTspSite && 'tsp') || '';
+  const cookieName = cookiePrefix + '_session_token';
   const cookie = Cookies.get(cookieName);
   if (!cookie) return loggedOutUser;
   const jwt = decode(cookie);

diff --git a/src/shared/constants.js b/src/shared/constants.js
@@ -11,6 +11,7 @@ export const ppmInfoPacket = '/downloads/ppm_info_sheet.pdf';
 export const hhgInfoPacket = '/downloads/hhg_info_sheet.pdf';
 
 export const hostname = window && window.location && window.location.hostname;
+export const isMilmoveSite = hostname.startsWith('my') || hostname.startsWith('mil') || '';
 export const isOfficeSite = hostname.startsWith('office') || '';
 export const isTspSite = hostname.startsWith('tsp') || '';