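// - `nil, ErrAccessDenied` if the authenticated user is not authorized
// Set-Cookie headers may be set on the response as a side-effect of calling this method.
//
// Requests accepted by p.IsAllowedRequest are returned with whatever session was
// loaded into the request scope (possibly nil) before the email and provider
// authorization checks below run; callers that add headers from the session on
// that path should keep that in mind.
//
// An error from the provider's Authorize call is logged and treated as "not
// authorized" (fail closed) instead of relying on the boolean result being
// meaningful alongside a non-nil error.
func (p *OAuthProxy) getAuthenticatedSession(rw http.ResponseWriter, req *http.Request) (*sessionsapi.SessionState, error) {
	session := middlewareapi.GetRequestScope(req).Session

	// Check this after loading the session so that if a valid session exists, we can add headers from it
	if p.IsAllowedRequest(req) {
		return session, nil
	}

	if session == nil {
		return nil, ErrNeedsLogin
	}

	// An email that no longer passes the configured validator invalidates the
	// session; an empty email is not run through the validator here.
	invalidEmail := session.Email != "" && !p.Validator(session.Email)

	authorized, err := p.provider.Authorize(req.Context(), session)
	if err != nil {
		logger.Errorf("Error with authorization: %v", err)
		// Fail closed: the boolean carries no meaning when Authorize returned an error.
		authorized = false
	}

	if !invalidEmail && authorized {
		return session, nil
	}

	cause := "unauthorized"
	if invalidEmail {
		cause = "invalid email"
	}

	logger.PrintAuthf(session.Email, req, logger.AuthFailure, "Invalid authorization via session (%s): removing session %s", cause, session)
	// Invalid session, clear it. A distinct variable keeps the authorization
	// error above from being shadowed.
	if clearErr := p.ClearSessionCookie(rw, req); clearErr != nil {
		logger.Errorf("Error clearing session cookie: %v", clearErr)
	}
	return nil, ErrAccessDenied
}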
| 1177 | |
| 1178 | // authOnlyAuthorize handles special authorization logic that is only done |
| 1179 | // on the AuthOnly endpoint for use with Nginx subrequest architectures. |