sessions

package
v0.16.3
Warning

This package is not in the latest version of its module.

Published: Feb 11, 2022 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Overview

Package sessions handles the storage, management, and validation of pomerium user sessions.

Constants

This section is empty.

Variables

var (
	// ErrNoSessionFound is the error for when no session is found.
	ErrNoSessionFound = errors.New("internal/sessions: session is not found")

	// ErrMalformed is the error for when a session is found but is malformed.
	ErrMalformed = errors.New("internal/sessions: session is malformed")

	// ErrNotValidYet indicates that token is used before time indicated in nbf claim.
	ErrNotValidYet = errors.New("internal/sessions: validation failed, token not valid yet (nbf)")

	// ErrExpired indicates that token is used after expiry time indicated in exp claim.
	ErrExpired = errors.New("internal/sessions: validation failed, token is expired (exp)")

	// ErrExpiryRequired indicates that the token does not contain a valid expiry (exp) claim.
	ErrExpiryRequired = errors.New("internal/sessions: validation failed, token expiry (exp) is required")

	// ErrIssuedInTheFuture indicates that the iat field is in the future.
	ErrIssuedInTheFuture = errors.New("internal/sessions: validation field, token issued in the future (iat)")

	// ErrInvalidAudience indicates an invalid aud claim.
	ErrInvalidAudience = errors.New("internal/sessions: validation failed, invalid audience claim (aud)")
)

var (
	SessionCtxKey = &contextKey{"Session"}
	ErrorCtxKey   = &contextKey{"Error"}
)

Context keys

var ErrMissingID = errors.New("invalid session: missing id")

ErrMissingID is the error for a session state that has no ID set.

Functions

func FromContext added in v0.4.0

func FromContext(ctx context.Context) (string, error)

FromContext retrieves context values for the user session state and error.

func NewContext added in v0.4.0

func NewContext(ctx context.Context, jwt string, err error) context.Context

NewContext sets context values for the user session state and error.

func RetrieveSession added in v0.4.0

func RetrieveSession(s ...SessionLoader) func(http.Handler) http.Handler

RetrieveSession takes a slice of session loaders and tries to find a valid session in the order they were supplied; the session is then added to the request's context.

Types

type SessionLoader added in v0.4.0

type SessionLoader interface {
	LoadSession(*http.Request) (string, error)
}

SessionLoader defines an interface for loading a session.
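The loader chain that RetrieveSession and SessionLoader describe, as an added example that is not Pomerium's own code: local stand-ins mirror the documented signatures, and the `loader` adapter, the `resolve` helper, the `X-Session-Jwt` header and the `session_jwt` query parameter are hypothetical. It assumes a loader's error means "try the next one" and that the last error is stored in the context when no loader succeeds.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Local stand-ins mirroring the documented signatures; not Pomerium's source.
var ErrNoSessionFound = errors.New("session is not found")
type SessionLoader interface{ LoadSession(*http.Request) (string, error) }
type ctxKey struct{ name string }
var sessionKey, errorKey = &ctxKey{"Session"}, &ctxKey{"Error"}
// loader is a hypothetical adapter: an empty extracted value means "no session".
type loader func(*http.Request) string
func (f loader) LoadSession(r *http.Request) (string, error) {
	if v := f(r); v != "" {
		return v, nil
	}
	return "", ErrNoSessionFound
}

// retrieveSession tries loaders in order; the first success wins (assumed: any error falls through).
func retrieveSession(loaders ...SessionLoader) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			jwt, err := "", ErrNoSessionFound
			for i := 0; i < len(loaders) && err != nil; i++ {
				jwt, err = loaders[i].LoadSession(r)
			}
			// Both values are stored, so a handler that ignores err fails open.
			ctx := context.WithValue(r.Context(), sessionKey, jwt)
			next.ServeHTTP(w, r.WithContext(context.WithValue(ctx, errorKey, err)))
		})
	}
}
// resolve runs a constructed request through a header-then-query chain and returns the context values.
func resolve(header, query string) (jwt string, err error) {
	r := httptest.NewRequest("GET", "/?session_jwt="+query, nil)
	r.Header.Set("X-Session-Jwt", header)
	fromHeader := loader(func(r *http.Request) string { return r.Header.Get("X-Session-Jwt") })
	fromQuery := loader(func(r *http.Request) string { return r.URL.Query().Get("session_jwt") })
	retrieveSession(fromHeader, fromQuery)(http.HandlerFunc(
		func(_ http.ResponseWriter, r *http.Request) {
			jwt, _ = r.Context().Value(sessionKey).(string)
			err, _ = r.Context().Value(errorKey).(error)
		})).ServeHTTP(httptest.NewRecorder(), r)
	return jwt, err
}
func main() { fmt.Println(resolve("", "q.jwt")) }
```

Loader order is a precedence decision: when two loaders both find a token, only the earlier one's value reaches the handler.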

type SessionStore

type SessionStore interface {
	SessionLoader
	ClearSession(http.ResponseWriter, *http.Request)
	SaveSession(http.ResponseWriter, *http.Request, interface{}) error
}

SessionStore defines an interface for loading, saving, and clearing a session.

type State added in v0.4.0

type State struct {
	// Public claim values (as specified in RFC 7519).
	Issuer    string           `json:"iss,omitempty"`
	Subject   string           `json:"sub,omitempty"`
	Audience  jwt.Audience     `json:"aud,omitempty"`
	Expiry    *jwt.NumericDate `json:"exp,omitempty"`
	NotBefore *jwt.NumericDate `json:"nbf,omitempty"`
	IssuedAt  *jwt.NumericDate `json:"iat,omitempty"`
	ID        string           `json:"jti,omitempty"`

	// "ver" field is not standard, but is supported by most providers.
	Version Version `json:"ver,omitempty"`

	// Azure returns OID which should be used instead of subject.
	OID string `json:"oid,omitempty"`

	// Programmatic indicates whether this state is used for machine-to-machine
	// programmatic access.
	Programmatic bool `json:"programmatic"`

	// DatabrokerServerVersion tracks the last referenced databroker server version
	// for the saved session.
	DatabrokerServerVersion uint64 `json:"databroker_server_version,omitempty"`
	// DatabrokerRecordVersion tracks the last referenced databroker record version
	// for the saved session.
	DatabrokerRecordVersion uint64 `json:"databroker_record_version,omitempty"`
}

State is our object that keeps track of a user's session state.

func NewSession added in v0.9.0

func NewSession(s *State, issuer string, audience []string) State

NewSession updates issuer, audience, and issuance timestamps but keeps parent expiry.

func (*State) IsExpired added in v0.8.0

func (s *State) IsExpired() bool

IsExpired returns true if the user's session is expired.

func (*State) UnmarshalJSON added in v0.6.3

func (s *State) UnmarshalJSON(data []byte) error

UnmarshalJSON returns a State struct from JSON. Additionally, it munges a user's session by setting the `user` claim to `sub` if empty.

func (*State) UserID added in v0.10.0

func (s *State) UserID(provider string) string

UserID returns the corresponding user ID for a session.

type Version added in v0.10.0

type Version string

Version represents "ver" field in JWT public claims.

The field is not specified by RFC 7519, so providers can return either a string or a number (like Okta).

func (*Version) String added in v0.10.0

func (v *Version) String() string

String implements fmt.Stringer interface.

func (*Version) UnmarshalJSON added in v0.10.0

func (v *Version) UnmarshalJSON(b []byte) error

UnmarshalJSON implements json.Unmarshaler interface.

Directories

Path	Synopsis
cookie	Package cookie provides a cookie based implementation of session store and loader.
header	Package header provides a request header based implementation of a session loader.
mock	Package mock provides a mock implementation of session store and loader.
queryparam	Package queryparam provides a query param based implementation of both a session store and loader.
