01d957677f
* initial stuff for oauth2 login, fails on: * login button on the signIn page to start the OAuth2 flow and a callback for each provider Only GitHub is implemented for now * show login button only when the OAuth2 consumer is configured (and activated) * create macaron group for oauth2 urls * prevent net/http in modules (other then oauth2) * use a new data sessions oauth2 folder for storing the oauth2 session data * add missing 2FA when this is enabled on the user * add password option for OAuth2 user , for use with git over http and login to the GUI * add tip for registering a GitHub OAuth application * at startup of Gitea register all configured providers and also on adding/deleting of new providers * custom handling of errors in oauth2 request init + show better tip * add ExternalLoginUser model and migration script to add it to database * link a external account to an existing account (still need to handle wrong login and signup) and remove if user is removed * remove the linked external account from the user his settings * if user is unknown we allow him to register a new account or link it to some existing account * sign up with button on signin page (als change OAuth2Provider structure so we can store basic stuff about providers) * from gorilla/sessions docs: "Important Note: If you aren't using gorilla/mux, you need to wrap your handlers with context.ClearHandler as or else you will leak memory!" (we're using gorilla/sessions for storing oauth2 sessions) * use updated goth lib that now supports getting the OAuth2 user if the AccessToken is still valid instead of re-authenticating (prevent flooding the OAuth2 provider)
61 lines
2.1 KiB
Go
61 lines
2.1 KiB
Go
// Copyright 2012 The Gorilla Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
/*
|
|
Package securecookie encodes and decodes authenticated and optionally
|
|
encrypted cookie values.
|
|
|
|
Secure cookies can't be forged, because their values are validated using HMAC.
|
|
When encrypted, the content is also inaccessible to malicious eyes.
|
|
|
|
To use it, first create a new SecureCookie instance:
|
|
|
|
var hashKey = []byte("very-secret")
|
|
var blockKey = []byte("a-lot-secret")
|
|
var s = securecookie.New(hashKey, blockKey)
|
|
|
|
The hashKey is required, used to authenticate the cookie value using HMAC.
|
|
It is recommended to use a key with 32 or 64 bytes.
|
|
|
|
The blockKey is optional, used to encrypt the cookie value -- set it to nil
|
|
to not use encryption. If set, the length must correspond to the block size
|
|
of the encryption algorithm. For AES, used by default, valid lengths are
|
|
16, 24, or 32 bytes to select AES-128, AES-192, or AES-256.
|
|
|
|
Strong keys can be created using the convenience function GenerateRandomKey().
|
|
|
|
Once a SecureCookie instance is set, use it to encode a cookie value:
|
|
|
|
func SetCookieHandler(w http.ResponseWriter, r *http.Request) {
|
|
value := map[string]string{
|
|
"foo": "bar",
|
|
}
|
|
if encoded, err := s.Encode("cookie-name", value); err == nil {
|
|
cookie := &http.Cookie{
|
|
Name: "cookie-name",
|
|
Value: encoded,
|
|
Path: "/",
|
|
}
|
|
http.SetCookie(w, cookie)
|
|
}
|
|
}
|
|
|
|
Later, use the same SecureCookie instance to decode and validate a cookie
|
|
value:
|
|
|
|
func ReadCookieHandler(w http.ResponseWriter, r *http.Request) {
|
|
if cookie, err := r.Cookie("cookie-name"); err == nil {
|
|
value := make(map[string]string)
|
|
if err = s2.Decode("cookie-name", cookie.Value, &value); err == nil {
|
|
fmt.Fprintf(w, "The value of foo is %q", value["foo"])
|
|
}
|
|
}
|
|
}
|
|
|
|
We stored a map[string]string, but secure cookies can hold any value that
|
|
can be encoded using encoding/gob. To store custom types, they must be
|
|
registered first using gob.Register(). For basic types this is not needed;
|
|
it works out of the box.
|
|
*/
|
|
package securecookie
|