github.com/oauth2-proxy/oauth2-proxy

Method getAuthenticatedSession

oauthproxy.go:1142–1176

getAuthenticatedSession checks whether a user is authenticated and, if so, returns the session object and a nil error.

Returns:
- `nil, ErrNeedsLogin` if the user needs to log in.
- `nil, ErrAccessDenied` if the authenticated user is not authorized.

Set-Cookie headers may be set on the response as a side-effect of calling this method (the session cookie is cleared when access is denied).

Signature: func (p *OAuthProxy) getAuthenticatedSession(rw http.ResponseWriter, req *http.Request) (*sessionsapi.SessionState, error)

Source

// - `nil, ErrAccessDenied` if the authenticated user is not authorized
// Set-Cookie headers may be set on the response as a side-effect of calling this method.
func (p *OAuthProxy) getAuthenticatedSession(rw http.ResponseWriter, req *http.Request) (*sessionsapi.SessionState, error) {
	session := middlewareapi.GetRequestScope(req).Session

	// Check this after loading the session so that if a valid session exists, we can add headers from it
	if p.IsAllowedRequest(req) {
		return session, nil
	}

	if session == nil {
		return nil, ErrNeedsLogin
	}

	invalidEmail := session.Email != "" && !p.Validator(session.Email)
	authorized, err := p.provider.Authorize(req.Context(), session)
	if err != nil {
		logger.Errorf("Error with authorization: %v", err)
	}

	if invalidEmail || !authorized {
		cause := "unauthorized"
		if invalidEmail {
			cause = "invalid email"
		}

		logger.PrintAuthf(session.Email, req, logger.AuthFailure, "Invalid authorization via session (%s): removing session %s", cause, session)
		// Invalid session, clear it
		err := p.ClearSessionCookie(rw, req)
		if err != nil {
			logger.Errorf("Error clearing session cookie: %v", err)
		}
		return nil, ErrAccessDenied
	}

	return session, nil
}

// authOnlyAuthorize handles special authorization logic that is only done
// on the AuthOnly endpoint for use with Nginx subrequest architectures.
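As an added example, not code from the oauth2-proxy project: a self-contained Go model of the same branch order, using hypothetical Session and Proxy stand-ins in place of sessionsapi.SessionState and OAuthProxy, so the four outcomes (allowed request, no session, invalid email or unauthorized, valid session) can be exercised in isolation. It makes two points explicit that matter to callers: an allowed request returns whatever session exists, even one that would fail the validator or the provider, and with no session it returns nil, nil rather than ErrNeedsLogin.

```go
package main

import (
	"errors"
	"net/http"
)

// Sentinel errors mirroring the ones getAuthenticatedSession returns.
var (
	ErrNeedsLogin   = errors.New("needs login")
	ErrAccessDenied = errors.New("access denied")
)

// Session is a reduced stand-in for sessionsapi.SessionState (assumption).
type Session struct{ Email string }

// Proxy holds only the inputs the decision depends on; the real OAuthProxy
// derives them from its configuration, the provider and the request.
type Proxy struct {
	AllowedRequest func(req *http.Request) bool   // skip-auth routes, trusted IPs
	Validator      func(email string) bool        // e.g. email-domain allow list
	Authorize      func(s *Session) (bool, error) // provider.Authorize
	CookieCleared  bool                           // records the ClearSessionCookie side effect
}

// authenticatedSession reproduces the branch order of the original method.
func (p *Proxy) authenticatedSession(req *http.Request, session *Session) (*Session, error) {
	// 1. Allowed requests short-circuit: whatever session exists is returned
	//    untouched, even one that would fail the validator or the provider.
	if p.AllowedRequest(req) {
		return session, nil
	}
	// 2. No session at all: the caller should start the login flow.
	if session == nil {
		return nil, ErrNeedsLogin
	}
	// 3. A failing validator or provider check denies and clears the cookie.
	//    The original only logs an Authorize error and uses the returned bool;
	//    this model treats an error as "not authorized" (assumption).
	invalidEmail := session.Email != "" && !p.Validator(session.Email)
	authorized, err := p.Authorize(session)
	if err != nil {
		authorized = false
	}
	if invalidEmail || !authorized {
		p.CookieCleared = true
		return nil, ErrAccessDenied
	}
	return session, nil
}
```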

Callers (5)

UserInfo · method · 0.95
SignOut · method · 0.95
backendLogout · method · 0.95
AuthOnly · method · 0.95
Proxy · method · 0.95

Calls (5)

IsAllowedRequest · method · 0.95
ClearSessionCookie · method · 0.95
Errorf · function · 0.92
PrintAuthf · function · 0.92
Authorize · method · 0.65

Tested by

no test coverage detected