Merge pull request #38 from croessner/features

Refactor code for secrets and session management
croessner · Jun 13, 2024 · a472133 · a472133
2 parents 158f4c9 + 9b76fac
commit a472133
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 20 deletions.
diff --git a/server/config/file.go b/server/config/file.go
@@ -42,10 +42,6 @@ type File struct {
 	RelayDomains            *RelayDomainsSection     `mapstructure:"relay_domains"`
 	BackendServerMonitoring *BackendServerMonitoring `mapstructure:"backend_server_monitoring"`
 	BruteForce              *BruteForceSection       `mapstructure:"brute_force"`
-	CSRFSecret              string                   `mapstructure:"csrf_secret"`
-	CookieStoreAuthKey      string                   `mapstructure:"cookie_store_auth_key"`
-	CookieStoreEncKey       string                   `mapstructure:"cookie_store_encryption_key"`
-	PasswordNonce           string                   `mapstructure:"password_nonce"`
 	Lua                     *LuaSection
 	Oauth2                  *Oauth2Section
 	LDAP                    *LDAPSection
@@ -891,19 +887,21 @@ func (f *File) validateBruteForce() error {
 // - ErrNoPasswordNonce: returned if the PasswordNonce is empty.
 // It returns nil if all secrets are valid.
 func (f *File) validateSecrets() error {
-	if len(f.CSRFSecret) != 32 {
-		return errors.ErrCSRFSecretWrongSize
-	}
+	if f.Server.Frontend.Enabled {
+		if len(f.Server.Frontend.CSRFSecret) != 32 {
+			return errors.ErrCSRFSecretWrongSize
+		}
 
-	if len(f.CookieStoreAuthKey) != 32 {
-		return errors.ErrCookieStoreAuthSize
-	}
+		if len(f.Server.Frontend.CookieStoreAuthKey) != 32 {
+			return errors.ErrCookieStoreAuthSize
+		}
 
-	if !(len(f.CookieStoreEncKey) == 16 || len(f.CookieStoreEncKey) == 24 || len(f.CookieStoreEncKey) == 32) {
-		return errors.ErrCookieStoreEncSize
+		if !(len(f.Server.Frontend.CookieStoreEncKey) == 16 || len(f.Server.Frontend.CookieStoreEncKey) == 24 || len(f.Server.Frontend.CookieStoreEncKey) == 32) {
+			return errors.ErrCookieStoreEncSize
+		}
 	}
 
-	if f.PasswordNonce == "" {
+	if f.Server.Redis.PasswordNonce == "" {
 		return errors.ErrNoPasswordNonce
 	}
 

diff --git a/server/config/server.go b/server/config/server.go
@@ -19,6 +19,7 @@ type ServerSection struct {
 	Insights            Insights    `mapstructure:"insights"`
 	Redis               Redis       `mapstructure:"redis"`
 	MasterUser          MasterUser  `mapstructure:"master_user"`
+	Frontend            Frontend    `mapstructure:"frontend"`
 }
 
 type TLS struct {
@@ -54,6 +55,7 @@ type DNS struct {
 type Redis struct {
 	DatabaseNmuber int       `mapstructure:"database_number"`
 	Prefix         string    `mapstructure:"prefix"`
+	PasswordNonce  string    `mapstructure:"password_nonce"`
 	PoolSize       int       `mapstructure:"pool_size"`
 	IdlePoolSize   int       `mapstructure:"idle_pool_size"`
 	TLS            TLS       `mapstructure:"tls"`
@@ -92,3 +94,10 @@ type MasterUser struct {
 	Enabled   bool   `mapstructure:"enabled"`
 	Delimiter string `mapstructure:"delimiter"`
 }
+
+type Frontend struct {
+	Enabled            bool   `mapstructure:"enabled"`
+	CSRFSecret         string `mapstructure:"csrf_secret"`
+	CookieStoreAuthKey string `mapstructure:"cookie_store_auth_key"`
+	CookieStoreEncKey  string `mapstructure:"cookie_store_encryption_key"`
+}
diff --git a/server/core/http.go b/server/core/http.go
@@ -429,7 +429,7 @@ func setupWebAuthn() (*webauthn.WebAuthn, error) {
 // The function also sets the session options including the path, secure flag, and SameSite mode.
 // The configured session store is then returned.
 func setupSessionStore() sessions.Store {
-	sessionStore := cookie.NewStore([]byte(config.LoadableConfig.CookieStoreAuthKey), []byte(config.LoadableConfig.CookieStoreEncKey))
+	sessionStore := cookie.NewStore([]byte(config.LoadableConfig.Server.Frontend.CookieStoreAuthKey), []byte(config.LoadableConfig.Server.Frontend.CookieStoreEncKey))
 	sessionStore.Options(sessions.Options{
 		Path:     "/",
 		Secure:   true,
@@ -744,13 +744,16 @@ func HTTPApp(ctx context.Context) {
 	// Parse static folder for template files
 	router.LoadHTMLGlob(viper.GetString("html_static_content_path") + "/*.html")
 
-	store := setupSessionStore()
+	if config.LoadableConfig.Server.Frontend.Enabled {
+		store := setupSessionStore()
+
+		setupHydraEndpoints(router, store)
+		setup2FAEndpoints(router, store)
+		setupWebAuthnEndpoints(router, store)
+		setupNotifyEndpoint(router, store)
+	}
 
-	setupHydraEndpoints(router, store)
-	setup2FAEndpoints(router, store)
-	setupWebAuthnEndpoints(router, store)
 	setupStaticContent(router)
-	setupNotifyEndpoint(router, store)
 	setupBackChannelEndpoints(router)
 
 	// www.SetKeepAlivesEnabled(false)

diff --git a/server/util/util.go b/server/util/util.go
@@ -153,7 +153,7 @@ func (c *CryptPassword) GetParameters(cryptedPassword string) (
 }
 
 func PreparePassword(password string) string {
-	return fmt.Sprintf("%s\x00%s", config.LoadableConfig.PasswordNonce, password)
+	return fmt.Sprintf("%s\x00%s", config.LoadableConfig.Server.Redis.PasswordNonce, password)
 }
 
 // GetHash creates an SHA-256 hash of a plain text password and returns the first 128 bits.