Merge pull request #120 from costelmoraru/session_state_email

Encrypting user/email from cookie

CHANGELOG.md

@@ -8,6 +8,7 @@
   - Use JSON to encode session state to be stored in browser cookies
   - Implement legacy decode function to support existing cookies generated by older versions
   - Add detailed table driven tests in session_state_test.go
+- [#120](https://github.com/pusher/oauth2_proxy/pull/120) Encrypting user/email from cookie (@costelmoraru)
 - [#55](https://github.com/pusher/oauth2_proxy/pull/55) Added login.gov provider (@timothy-spencer)
 - [#55](https://github.com/pusher/oauth2_proxy/pull/55) Added environment variables for all config options (@timothy-spencer)
 - [#70](https://github.com/pusher/oauth2_proxy/pull/70) Fix handling of splitted cookies (@einfachchr)

providers/session_state.go

@@ -62,6 +62,18 @@ func (s *SessionState) EncodeSessionState(c *cookie.Cipher) (string, error) {
 	} else {
 		ss = *s
 		var err error
+		if ss.Email != "" {
+			ss.Email, err = c.Encrypt(ss.Email)
+			if err != nil {
+				return "", err
+			}
+		}
+		if ss.User != "" {
+			ss.User, err = c.Encrypt(ss.User)
+			if err != nil {
+				return "", err
+			}
+		}
 		if ss.AccessToken != "" {
 			ss.AccessToken, err = c.Encrypt(ss.AccessToken)
 			if err != nil {
@@ -172,6 +184,20 @@ func DecodeSessionState(v string, c *cookie.Cipher) (*SessionState, error) {
 			User:  ss.User,
 		}
 	} else {
+		// Backward compatibility with using unecrypted Email
+		if ss.Email != "" {
+			decryptedEmail, errEmail := c.Decrypt(ss.Email)
+			if errEmail == nil {
+				ss.Email = decryptedEmail
+			}
+		}
+		// Backward compatibility with using unecrypted User
+		if ss.User != "" {
+			decryptedUser, errUser := c.Decrypt(ss.User)
+			if errUser == nil {
+				ss.User = decryptedUser
+			}
+		}
 		if ss.AccessToken != "" {
 			ss.AccessToken, err = c.Decrypt(ss.AccessToken)
 			if err != nil {

providers/session_state_test.go

@@ -41,8 +41,8 @@ func TestSessionStateSerialization(t *testing.T) {
 	ss, err = DecodeSessionState(encoded, c2)
 	t.Logf("%#v", ss)
 	assert.Equal(t, nil, err)
-	assert.Equal(t, "user", ss.User)
+	assert.NotEqual(t, "user", ss.User)
-	assert.Equal(t, s.Email, ss.Email)
+	assert.NotEqual(t, s.Email, ss.Email)
 	assert.Equal(t, s.ExpiresOn.Unix(), ss.ExpiresOn.Unix())
 	assert.NotEqual(t, s.AccessToken, ss.AccessToken)
 	assert.NotEqual(t, s.IDToken, ss.IDToken)
@@ -77,8 +77,8 @@ func TestSessionStateSerializationWithUser(t *testing.T) {
 	ss, err = DecodeSessionState(encoded, c2)
 	t.Logf("%#v", ss)
 	assert.Equal(t, nil, err)
-	assert.Equal(t, s.User, ss.User)
+	assert.NotEqual(t, s.User, ss.User)
-	assert.Equal(t, s.Email, ss.Email)
+	assert.NotEqual(t, s.Email, ss.Email)
 	assert.Equal(t, s.ExpiresOn.Unix(), ss.ExpiresOn.Unix())
 	assert.NotEqual(t, s.AccessToken, ss.AccessToken)
 	assert.NotEqual(t, s.RefreshToken, ss.RefreshToken)
@@ -229,7 +229,7 @@ func TestDecodeSessionState(t *testing.T) {
 				ExpiresOn:    e,
 				RefreshToken: "refresh4321",
 			},
-			Encoded: fmt.Sprintf(`{"Email":"user@domain.com","User":"just-user","AccessToken":"I6s+ml+/MldBMgHIiC35BTKTh57skGX24w==","IDToken":"xojNdyyjB1HgYWh6XMtXY/Ph5eCVxa1cNsklJw==","RefreshToken":"qEX0x6RmASxo4dhlBG6YuRs9Syn/e9sHu/+K","ExpiresOn":%s}`, eString),
+			Encoded: fmt.Sprintf(`{"Email":"FsKKYrTWZWrxSOAqA/fTNAUZS5QWCqOBjuAbBlbVOw==","User":"rT6JP3dxQhxUhkWrrd7yt6c1mDVyQCVVxw==","AccessToken":"I6s+ml+/MldBMgHIiC35BTKTh57skGX24w==","IDToken":"xojNdyyjB1HgYWh6XMtXY/Ph5eCVxa1cNsklJw==","RefreshToken":"qEX0x6RmASxo4dhlBG6YuRs9Syn/e9sHu/+K","ExpiresOn":%s}`, eString),
 			Cipher:  c,
 		},
 		{
@@ -237,7 +237,7 @@ func TestDecodeSessionState(t *testing.T) {
 				Email: "user@domain.com",
 				User:  "just-user",
 			},
-			Encoded: `{"Email":"user@domain.com","User":"just-user"}`,
+			Encoded: `{"Email":"EGTllJcOFC16b7LBYzLekaHAC5SMMSPdyUrg8hd25g==","User":"rT6JP3dxQhxUhkWrrd7yt6c1mDVyQCVVxw=="}`,
 			Cipher:  c,
 		},
 		{