Fix: Fix in-memory cache

Refactor various functions to use the PassDBResult instead of AuthState. This simplifies the core logic and eliminates restoring state information. Signed-off-by: Christian Roessner <c@roessner.co>
croessner · Nov 27, 2024 · ee215c3 · ee215c3
1 parent 111e558
commit ee215c3
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 35 deletions.
diff --git a/server/core/auth.go b/server/core/auth.go
@@ -1758,7 +1758,7 @@ func (a *AuthState) authenticateUser(ctx *gin.Context, useCache bool, backendPos
 
 	if passDBResult.Authenticated {
 		if !(a.haveMonitoringFlag(definitions.MonInMemory) || a.isMasterUser()) {
-			localcache.LocalCache.Set(a.generateLocalChacheKey(), a, config.EnvConfig.LocalCacheAuthTTL)
+			localcache.LocalCache.Set(a.generateLocalChacheKey(), passDBResult, config.EnvConfig.LocalCacheAuthTTL)
 		}
 
 		authResult = definitions.AuthResultOK
@@ -2832,7 +2832,7 @@ func (a *AuthState) getOauth2SubjectAndClaims(oauth2Client openapi.OAuth2Client)
 // The key is constructed by concatenating the Username, Password and  Service values using a null character ('\0')
 // as a separator.
 func (a *AuthState) generateLocalChacheKey() string {
-	return fmt.Sprintf("%s\000%s\000%s\000%s\000%s\000%s",
+	return fmt.Sprintf("%s\000%s\000%s\000%s\000%s",
 		a.Username,
 		a.Password,
 		a.Service,
@@ -2844,13 +2844,6 @@ func (a *AuthState) generateLocalChacheKey() string {
 
 			return a.ClientIP
 		}(),
-		func() string {
-			if a.XClientPort == "" {
-				return "0"
-			}
-
-			return a.XClientPort
-		}(),
 	)
 }
 
@@ -2866,22 +2859,12 @@ func (a *AuthState) getFromLocalCache(ctx *gin.Context) bool {
 	}
 
 	if value, found := localcache.LocalCache.Get(a.generateLocalChacheKey()); found {
-		guid := *a.GUID
-		restoreCtx := false
-
-		if a.HTTPClientContext != nil {
-			a.HTTPClientContext = nil
-			restoreCtx = true
-		}
+		passDBResult := value.(*PassDBResult)
 
-		*a = *value.(*AuthState)
-
-		a.GUID = &guid
-		a.UsedPassDBBackend = definitions.BackendLocalCache
-
-		if restoreCtx {
-			a.HTTPClientContext = ctx.Copy()
-		}
+		updateAuthentication(a, passDBResult, &PassDBMap{
+			backend: definitions.BackendLocalCache,
+			fn:      nil,
+		})
 
 		ctx.Set(definitions.CtxLocalCacheAuthKey, true)
 
@@ -2895,20 +2878,20 @@ func (a *AuthState) getFromLocalCache(ctx *gin.Context) bool {
 // If not found in the cache, it checks if the request is a brute force attack and updates the brute force counter.
 // It then performs a post Lua action and triggers a failed authentication response.
 // If a brute force attack is detected, it returns true, otherwise false.
-func (a *AuthState) preproccessAuthRequest(ctx *gin.Context) (found bool, reject bool) {
-	if found = a.getFromLocalCache(ctx); !found {
+func (a *AuthState) preproccessAuthRequest(ctx *gin.Context) (reject bool) {
+	if found := a.getFromLocalCache(ctx); !found {
 		stats.CacheMisses.Inc()
 
 		if a.checkBruteForce() {
 			a.updateBruteForceBucketsCounter()
 			a.postLuaAction(&PassDBResult{})
 			a.authFail(ctx)
 
-			return false, true
+			return true
 		}
 	} else {
 		stats.CacheHits.Inc()
 	}
 
-	return found, false
+	return false
 }
diff --git a/server/core/http.go b/server/core/http.go
@@ -179,10 +179,8 @@ func requestHandler(ctx *gin.Context) {
 				return
 			}
 
-			if found, reject := auth.preproccessAuthRequest(ctx); reject {
+			if reject := auth.preproccessAuthRequest(ctx); reject {
 				return
-			} else if found {
-				auth.withLocalInfo(ctx).withUserAgent(ctx).withXSSL(ctx)
 			}
 
 			switch ctx.Param("service") {

diff --git a/server/core/hydra.go b/server/core/hydra.go
@@ -1170,7 +1170,7 @@ func initializeAuthLogin(ctx *gin.Context) (*AuthState, error) {
 
 	auth.withDefaults(ctx).withClientInfo(ctx).withLocalInfo(ctx).withUserAgent(ctx).withXSSL(ctx).initMethodAndUserAgent()
 
-	if _, reject := auth.preproccessAuthRequest(ctx); reject {
+	if reject := auth.preproccessAuthRequest(ctx); reject {
 		return nil, errors.ErrBruteForceAttack
 	}
 

diff --git a/server/core/register.go b/server/core/register.go
@@ -290,12 +290,10 @@ func loginPOST2FAHandler(ctx *gin.Context) {
 
 	auth.withDefaults(ctx).withClientInfo(ctx).withLocalInfo(ctx).withUserAgent(ctx).withXSSL(ctx)
 
-	if found, reject := auth.preproccessAuthRequest(ctx); reject {
+	if reject := auth.preproccessAuthRequest(ctx); reject {
 		handleErr(ctx, errors.ErrBruteForceAttack)
 
 		return
-	} else if found {
-		auth.withClientInfo(ctx).withLocalInfo(ctx).withUserAgent(ctx).withXSSL(ctx)
 	}
 
 	if authResult == definitions.AuthResultUnset {