diff --git a/frontend/src/router/index.js b/frontend/src/router/index.js index c21d8c7..1bbc722 100644 --- a/frontend/src/router/index.js +++ b/frontend/src/router/index.js @@ -125,7 +125,7 @@ router.beforeEach(async (to) => { router.afterEach(async (to, from) => { const sec = securityStore() - const csrfPages = ['/login'] + const csrfPages = ['/', '/login'] if (csrfPages.includes(to.path)) { await sec.LoadSecurityProperties() // make sure we have a valid csrf token diff --git a/internal/app/api/core/assets/doc/v0_swagger.json b/internal/app/api/core/assets/doc/v0_swagger.json index 0df928f..7095a02 100644 --- a/internal/app/api/core/assets/doc/v0_swagger.json +++ b/internal/app/api/core/assets/doc/v0_swagger.json @@ -58,7 +58,7 @@ } }, "/auth/logout": { - "get": { + "post": { "produces": [ "application/json" ], @@ -66,15 +66,12 @@ "Authentication" ], "summary": "Get all available external login providers.", - "operationId": "auth_handleLogoutGet", + "operationId": "auth_handleLogoutPost", "responses": { "200": { "description": "OK", "schema": { - "type": "array", - "items": { - "$ref": "#/definitions/model.LoginProviderInfo" - } + "$ref": "#/definitions/model.Error" } } } @@ -1523,23 +1520,23 @@ "model.AuditEntry": { "type": "object", "properties": { + "ContextUser": { + "type": "string" + }, + "Id": { + "type": "integer" + }, "Message": { "type": "string" }, - "ctx_user": { - "type": "string" - }, - "id": { - "type": "integer" - }, - "origin": { + "Origin": { "description": "origin: for example user auth, stats, ...", "type": "string" }, - "severity": { + "Severity": { "type": "string" }, - "timestamp": { + "Timestamp": { "type": "string" } } diff --git a/internal/app/api/core/assets/doc/v0_swagger.yaml b/internal/app/api/core/assets/doc/v0_swagger.yaml index 47943c8..374fd82 100644 --- a/internal/app/api/core/assets/doc/v0_swagger.yaml +++ b/internal/app/api/core/assets/doc/v0_swagger.yaml 
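Review bot: The CSRF bootstrap now runs only on an exact match of `to.path` against `['/', '/login']`, so a navigation that lands directly on any other route (a reload of a deep link, for example) never reaches `await sec.LoadSecurityProperties()` and the store keeps whatever token it had before, possibly none. If a token is required before the first state-changing request from any page, a check on the store's own state (does it already hold a token?) is more robust than a hard-coded path whitelist that has to be kept in sync with the route table. The `router.afterEach` callback continues past the hunk.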
@@ -2,18 +2,18 @@ basePath: /api/v0 definitions: model.AuditEntry: properties: + ContextUser: + type: string + Id: + type: integer Message: type: string - ctx_user: - type: string - id: - type: integer - origin: + Origin: description: 'origin: for example user auth, stats, ...' type: string - severity: + Severity: type: string - timestamp: + Timestamp: type: string type: object model.ConfigOption-array_string: @@ -496,17 +496,15 @@ paths: tags: - Authentication /auth/logout: - get: - operationId: auth_handleLogoutGet + post: + operationId: auth_handleLogoutPost produces: - application/json responses: "200": description: OK schema: - items: - $ref: '#/definitions/model.LoginProviderInfo' - type: array + $ref: '#/definitions/model.Error' summary: Get all available external login providers. tags: - Authentication diff --git a/internal/app/api/v0/handlers/base.go b/internal/app/api/v0/handlers/base.go index 82c8dfe..38ac024 100644 --- a/internal/app/api/v0/handlers/base.go +++ b/internal/app/api/v0/handlers/base.go @@ -57,9 +57,11 @@ func NewRestApi( return func() (core.ApiVersion, core.GroupSetupFn) { return "v0", func(group *routegroup.Bundle) { csrfMiddleware := csrf.New(func(r *http.Request) string { - return session.GetString(r.Context(), "csrf_token") + return session.GetData(r.Context()).CsrfToken }, func(r *http.Request, token string) { - session.Put(r.Context(), "csrf_token", token) + currentSession := session.GetData(r.Context()) + currentSession.CsrfToken = token + session.SetData(r.Context(), currentSession) }) group.Use(session.LoadAndSave) diff --git a/internal/app/api/v0/handlers/endpoint_authentication.go b/internal/app/api/v0/handlers/endpoint_authentication.go index 16cef2e..56a889b 100644 --- a/internal/app/api/v0/handlers/endpoint_authentication.go +++ b/internal/app/api/v0/handlers/endpoint_authentication.go 
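Review bot: The two closures move the CSRF token from a string-keyed session value into the typed session data, but nothing says why, and the setter's read-modify-write of the whole struct through `GetData`/`SetData` is easy to misread as redundant; a comment such as `// the csrf token is kept in the typed session data so it shares the session's lifetime and is discarded together with it` would capture the intent. The hunk only constructs `csrfMiddleware`; where it is applied is outside the hunk, and it presumably has to run inside `session.LoadAndSave` on the same group for `GetData` to see the loaded session. The enclosing setup closure continues past the hunk.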
@@ -295,6 +295,9 @@ func (e AuthEndpoint) handleOauthCallbackGet() http.HandlerFunc { } func (e AuthEndpoint) setAuthenticatedUser(r *http.Request, user *domain.User) { + // start a fresh session + e.session.DestroyData(r.Context()) + currentSession := e.session.GetData(r.Context()) currentSession.LoggedIn = true @@ -358,12 +361,12 @@ func (e AuthEndpoint) handleLoginPost() http.HandlerFunc { // handleLogoutPost returns a gorm Handler function. // -// @ID auth_handleLogoutGet +// @ID auth_handleLogoutPost // @Tags Authentication // @Summary Get all available external login providers. // @Produce json -// @Success 200 {object} []model.LoginProviderInfo -// @Router /auth/logout [get] +// @Success 200 {object} model.Error +// @Router /auth/logout [post] func (e AuthEndpoint) handleLogoutPost() http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { currentSession := e.session.GetData(r.Context()) diff --git a/internal/app/api/v0/handlers/web_session.go b/internal/app/api/v0/handlers/web_session.go index 7a1d793..dd4ca6c 100644 --- a/internal/app/api/v0/handlers/web_session.go +++ b/internal/app/api/v0/handlers/web_session.go @@ -43,7 +43,6 @@ type SessionWrapper struct { func NewSessionWrapper(cfg *config.Config) *SessionWrapper { sessionManager := scs.New() sessionManager.Lifetime = 24 * time.Hour - sessionManager.IdleTimeout = 1 * time.Hour sessionManager.Cookie.Name = cfg.Web.SessionIdentifier sessionManager.Cookie.Secure = strings.HasPrefix(cfg.Web.ExternalUrl, "https") sessionManager.Cookie.HttpOnly = true
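Review bot: The new `e.session.DestroyData(r.Context())` call carries only `// start a fresh session`, which hides the two things a maintainer needs to know: it is what keeps pre-login session state from surviving authentication, and, since the CSRF getter in base.go reads the token from the same session data, it presumably discards the CSRF token as well, so the client has to fetch a new one after login. I would extend the comment, e.g. `// start a fresh session: discard all pre-login state (including the csrf token, which the client reloads) so nothing established before authentication carries over`. Whether DestroyData also rotates the session id is not visible here; if it does not, that still needs doing for fixation protection. setAuthenticatedUser continues past the hunk.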
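Review bot: The updated doc block still reads `// @Summary Get all available external login providers.` and `// handleLogoutPost returns a gorm Handler function.`, both evidently copied from another handler; only @ID, @Success and @Router were corrected. Replace them with `// handleLogoutPost returns a http.HandlerFunc.` and `// @Summary Log out the current user.`, then regenerate the swagger json/yaml, which currently carry the same wrong summary for POST /auth/logout. The handler body continues past the hunk.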
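Review bot: Removing `sessionManager.IdleTimeout = 1 * time.Hour` leaves only the 24 h absolute `Lifetime`, so a session the user walks away from stays valid until that limit instead of expiring after an hour of inactivity. If the idle timeout was dropped because it expired sessions mid-use, a longer idle window is a safer middle ground than none, e.g. `sessionManager.IdleTimeout = 4 * time.Hour`; if it was dropped on purpose, a one-line comment saying so would keep the next reader from re-adding it. NewSessionWrapper continues past the hunk.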