The problem is, cannot get value from session.Value in another file in the same package
In the controllers.go file
func (c *AuthenticationControllers) AdminLogin() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
//AUTHENTICATION
if answer {
w.Write([]byte("Successful Authenticated!"))
//1* Create Session
session, _ := store.Get(r, "session") //SESSION START
///Here I've setted true
session.Values["authenticated"] = true//Successful Authenticated
sessionToken, _ := uuid.NewV4() //Generate session token
session.Values["userid"] = sessionToken.String()
session.Save(r, w)
//Redirect
http.Redirect(w, r, "/admin/application", 302)
} else {
//http.Redirect(w, r, "/login", 302)
http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
}
}
}
IN middleware.go file in the same package
func (m *AuthenticationMiddleWares) RequiresLogin(handler http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
session, _ := store.Get(r, "session") //!!!
if auth, ok := session.Values["authenticated"].(bool); !ok || !auth {
http.Error(w, "Forbidden", http.StatusForbidden)
return
}
handler(w, r)
}
}
session.Values["authenticated"] //has nil value, but has to be true after authentification in order to get you access to the route
router.HandleFunc("/admin/applications", authMiddle.RequiresLogin(authContrl.Application()))
What I have done wrong? Why session.Values["authenticated"] returns "nil"
session, _ := store.Get(r, "session") //SESSION START, your session depends on the request r, which is a pointer that is created by the package that calls your controller. If you are calling session from another file, you need to ensure, that it is the same request that is passed into store.Get(). That could be the reason.
Related
I have a middleware written with httpHandler but now I am trying to use gin-gornic and needed to provide an alternative. I have tried rewriting but still not working as I want it to work.
func AuthMiddlewarex(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
auth := r.Header.Get("Authorization")
if auth == "" {
h.ServeHTTP(w, r)
return
}
bearer := "Bearer "
auth = auth[len(bearer):]
validate, err := utils.JwtValidate(context.Background(), auth)
if err != nil || !validate.Valid {
http.Error(w, "Invalid token", http.StatusForbidden)
return
}
customClaim, _ := validate.Claims.(*utils.JwtCustomClaim)
ctx := context.WithValue(r.Context(), authString("auth"), customClaim)
r = r.WithContext(ctx)
h.ServeHTTP(w, r)
})
}
After rewriting it, I am left with this.
func AuthMiddlewareq() gin.HandlerFunc {
return func(c *gin.Context) {
auth := c.Request.Header.Get("Authorization")
if auth == "" {
c.Next()
// next.ServeHTTP(w, r)
return
}
bearer := "Bearer "
auth = auth[len(bearer):]
validate, err := utils.JwtValidate(context.Background(), auth)
if err != nil || !validate.Valid {
http.Error(c.Writer, "Invalid token", http.StatusForbidden)
// http.Error(w, "Invalid token", http.StatusForbidden)
return
}
customClaim, _ := validate.Claims.(*utils.JwtCustomClaim)
ctx := context.WithValue(c.Request.Context(), authString("auth"), customClaim)
c.Request = c.Request.WithContext(ctx)
c.Next()
// next.ServeHTTP(w, r)
}
}
This code has two parts. One is to set and clear the session and the second part is login and logout.
What it does?
In the second part, If an email and password are found in the database and the match is true then it set the session and move to the about() function which has an about file. If the logout is called then it clears the session and redirects to the home page.
What it should do?
The problem is that even if I am logged out and the session is cleared, I can still visit an about page. I don't want to be allowed to visit an about page if I am not logged in.
First part
var cookieHandler = securecookie.New(
securecookie.GenerateRandomKey(64),
securecookie.GenerateRandomKey(32),
)
func setSession(email, password string, res http.ResponseWriter) {
value := map[string]string{ "email": email, "password": password}
encoded, err := cookieHandler.Encode("session", value)
if err == nil {
cookie := &http.Cookie{ Name: "session", Value: encoded, Path: "/"}
http.SetCookie(res, cookie)
}
}
func clearSession(res http.ResponseWriter) {
cookie := &http.Cookie{ Name: "session", Value: "", Path: "/", MaxAge: -1}
http.SetCookie(res, cookie)
}
Second part
func about(res http.ResponseWriter, req *http.Request) {
if err := tmpl.ExecuteTemplate(res, "about.html", nil); err != nil {
log.Fatal("template didn't execute", nil)
}
}
func loginAuth(res http.ResponseWriter, req *http.Request) {
email := req.FormValue("email")
password := req.FormValue("password")
match := database.Findaccount(email, password)
if match == true {
setSession(email, password, res)
about(res, req)
fmt.Println("You're logged in")
} else {
tmpl.ExecuteTemplate(res, "login.html", nil)
fmt.Println("Enter the correct email or password")
}
}
func logout(res http.ResponseWriter, req *http.Request) {
clearSession(res)
http.Redirect(res, req, "/", 302)
}
Few things you don't want to do, in general:
Don't use cookie encoder directly. Use a cookie session store.
Don't call an handler within an handler, prefer a redirect. This should prevent writing twice the headers/body on the response.
Don't pass the user/password in the cookie, even encoded, in 2021 we may even prevent sending that through the form at all (you might consider sending only a hash and re hash the hash on the server side to figure out if things are good to go).
Few things you always want to do:
Write tests.
Make use of middlewares.
Always provide small reproducible examples.
That being said, I have written a lookalike code with some stubs (mostly for db), I removed template support (i was not in the mood to write HTML) and more importantly I wrote tests !!
To the question How to clear the session :
Delete the values from the store, write the store
To the question and only visit an about page after login?:
Wrap that handler with a middleware that verifies login data attached to the user cookie store
-- main.go --
package main
import (
"crypto/sha256"
"encoding/gob"
"fmt"
"log"
"net/http"
"github.com/gorilla/mux"
"github.com/gorilla/securecookie"
"github.com/gorilla/sessions"
)
// Note: Don't store your key in your source code. Pass it via an
// environmental variable, or flag (or both), and don't accidentally commit it
// alongside your code. Ensure your key is sufficiently random - i.e. use Go's
// crypto/rand or securecookie.GenerateRandomKey(32) and persist the result.
var store = sessions.NewCookieStore(
securecookie.GenerateRandomKey(32),
)
//emulate db package
func dbLookupUser(user, pwd string) bool {
return user == "user" && pwd == "pwd"
}
func dbLookupHash(h string) bool {
return h == hash("user", "pwd")
}
func hash(s ...interface{}) string {
hr := sha256.New()
fmt.Fprint(hr, s...)
return fmt.Sprintf("%x", hr.Sum(nil))
}
// hashKey is a typed key for the session map store to prevent unintented overwrites.
type hashKey string
func init() {
gob.Register(hashKey(""))
}
func loginAuth(res http.ResponseWriter, req *http.Request) {
email := req.FormValue("email")
password := req.FormValue("password")
match := dbLookupUser(email, password)
if match == true {
session, _ := store.Get(req, "session-name")
session.Values["hash"] = hash(email, password)
// Save it before we write to the response/return from the handler.
err := session.Save(req, res)
if err == nil {
// about(res, req) // don't!
// the about handler might want to setup its own http response headers
// That would conflict with what we did here.
// prefer a redirect
http.Redirect(res, req, "/about", http.StatusFound)
return
}
} else {
fmt.Fprintf(res, "try again") // use a templatee instead!
// tmpl.ExecuteTemplate(res, "login.html", nil)
}
}
func logout(res http.ResponseWriter, req *http.Request) {
session, _ := store.Get(req, "session-name")
delete(session.Values, hashKey("hash"))
_ = session.Save(req, res)
http.Redirect(res, req, "/", 302)
}
func about(res http.ResponseWriter, req *http.Request) {
fmt.Fprintf(res, "welcome to about page")
}
func requireLogin(next http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
session, _ := store.Get(r, "session-name")
var h string
if x, ok := session.Values[hashKey("hash")]; ok {
h = x.(string)
}
var match bool
if h != "" {
match = dbLookupHash(h)
}
if !match {
// Write an error and stop the handler chain
http.Error(w, "Forbidden", http.StatusForbidden)
return
}
next(w, r)
}
}
func main() {
r := mux.NewRouter()
r.HandleFunc("/", loginAuth)
r.HandleFunc("/logout", logout)
r.HandleFunc("/about", requireLogin(about))
log.Fatal(http.ListenAndServe("localhost:8080", r))
}
-- main_test.go --
package main
import (
"net/http"
"net/http/httptest"
"net/url"
"testing"
)
func TestLogin(t *testing.T) {
req := httptest.NewRequest("POST", "http://example.com/foo", nil)
form := url.Values{}
form.Set("email", "user")
form.Set("password", "pwd")
req.Form = form
w := httptest.NewRecorder()
loginAuth(w, req)
resp := w.Result()
// body, _ := io.ReadAll(resp.Body)
if wanted := http.StatusFound; resp.StatusCode != wanted {
t.Fatalf("invalid response code, got=%v wanted=%v", resp.StatusCode, wanted)
}
// implement more check
}
func TestLoginFailure(t *testing.T) {
req := httptest.NewRequest("POST", "http://example.com/foo", nil)
form := url.Values{}
form.Set("email", "!user")
form.Set("password", "!pwd")
req.Form = form
w := httptest.NewRecorder()
loginAuth(w, req)
resp := w.Result()
// body, _ := io.ReadAll(resp.Body)
if wanted := http.StatusOK; resp.StatusCode != wanted {
t.Fatalf("invalid response code, got=%v wanted=%v", resp.StatusCode, wanted)
}
// implement more check
}
func TestAboutNotLogged(t *testing.T) {
req := httptest.NewRequest("POST", "http://example.com/foo", nil)
w := httptest.NewRecorder()
requireLogin(about)(w, req)
resp := w.Result()
// body, _ := io.ReadAll(resp.Body)
if wanted := http.StatusForbidden; resp.StatusCode != wanted {
t.Fatalf("invalid response code, got=%v wanted=%v", resp.StatusCode, wanted)
}
// implement more check
}
func TestAboutLogged(t *testing.T) {
req := httptest.NewRequest("POST", "http://example.com/foo", nil)
w := httptest.NewRecorder()
session, _ := store.Get(req, "session-name")
session.Values[hashKey("hash")] = hash("user", "pwd")
err := session.Save(req, w)
if err != nil {
t.Fatal(err)
}
hdr := w.Header()
req.Header.Add("Cookie", hdr["Set-Cookie"][0])
w = httptest.NewRecorder()
requireLogin(about)(w, req)
resp := w.Result()
// body, _ := io.ReadAll(resp.Body)
if wanted := http.StatusOK; resp.StatusCode != wanted {
t.Fatalf("invalid response code, got=%v wanted=%v", resp.StatusCode, wanted)
}
// implement more check
}
I'm new one for Golang programming. In Golang how to display the username error.
This is my code:
func LoginHandler(w http.ResponseWriter, req *http.Request){
if req.Method == http.MethodPost{
un := req.FormValue("username")
p := req.FormValue("password")
u, ok := dbUsers[un]
if !ok{
var body, _ = helpers.LoadFile("sss/login.html")
fmt.Fprintf(response, body)
//fmt.Fprintln(w, "incorrect user name")
//return
}
if u.Password != p{
fmt.Fprintln(w, "incorrect password")
return
}
http.Redirect(w, req, "/index.html", http.StatusSeeOther)
return
}
}
In go You have different ways for error handling
func SomeHandler(w http.ResponseWriter, r *http.Request) (int, error) {
if req.Method == http.MethodPost{
un := req.FormValue("username")
p := req.FormValue("password")
u, ok := dbUsers[un]
if !ok{
var body, _ = helpers.LoadFile("sss/login.html")
return 400, errors.New("can't load sss/login")
}
if u.Password != p{
return 400, errors.New("wrong password")
}
http.Redirect(w, req, "/index.html", http.StatusSeeOther)
return 302, nil
}
or
func SomeHandler(w http.ResponseWriter, r *http.Request) {
un := req.FormValue("username")
p := req.FormValue("password")
u, ok := dbUsers[un]
if !ok{
var body, _ = helpers.LoadFile("sss/login.html")
http.Error(w, "can't load sss/login", 400)
return
}
if u.Password != p{
http.Error(w, "wrong password", 400)
return
}
http.Redirect(w, req, "/index.html", http.StatusSeeOther)
return
}
For more information You can read here very helpful blogpost about middlewares:
https://www.nicolasmerouze.com/middlewares-golang-best-practices-examples/
Post with simple example:
https://blog.questionable.services/article/http-handler-error-handling-revisited/
Http package docs: https://golang.org/pkg/net/http/
You could do something a little bit more elegant.
Pass a context object to the template and render the error there.
func index(w http.ResponseWriter, r *http.Request) {
context := make(map[string]string]
context["Error"] = "Username error"
t := template.Must(template.ParseFiles("./templates/index.html"))
t.Execute(w, context)
}
Then, on the template render it like this
{{.Error}}}
If no error occurred, the field will be empty.
Cheers.
func indexHandler(w http.ResponseWriter, req *http.Request) {
session, err := store.Get(req, sessionName)
if err != nil {
log.WithError(err).Error("bad session")
http.SetCookie(w, &http.Cookie{Name: sessionName, MaxAge: -1, Path: "/"})
}
err = views.ExecuteTemplate(w, "index.html", session.Values)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
}
All my handlers use Gorilla sessions. How can I avoid store.Getting the session in each of my handlers, i.e. code repeating?
Another issue, is there a better way to give the template the session values, other that an explicit way like:
err = views.ExecuteTemplate(w, "index.html",
struct {
Session map[interface{}]interface{},
...other handler specific data for the template
}{
session.Values,
...
})
Code samples originate from https://github.com/kaihendry/internal-google-login
For the middleware you can define a function that takes a handler as an argument and returns another handler as its result.
func sessionMiddleware(h http.HandlerFunc) http.HandlerFunc {
// ...
}
The returned handler can store.Get the session, if it's not present return the error, if it is present store the session into the request's context and then call the actual handler.
func sessionMiddleware(h http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
session, err := store.Get(r, sessionName)
if err != nil {
log.WithError(err).Error("bad session")
http.SetCookie(w, &http.Cookie{Name: sessionName, MaxAge: -1, Path: "/"})
return
}
r = r.WithContext(context.WithValue(r.Context(), "session", session))
h(w, r)
}
}
Now your handlers will still need to "get" the session value from the context however any handler that is wrapped by sessionMiddleware can assume, when it's executed, that a session is present in the context and therefore it can skip the error checking.
func indexHandler(w http.ResponseWriter, req *http.Request) {
session := req.Context().Value("session").(*sessions.Session)
err := views.ExecuteTemplate(w, "index.html", session.Values)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
}
And to register the handler you would do:
app.HandleFunc("/", sessionMiddleware(indexHandler))
If this is still too much code repetition for your taste you can pass the session directly to your handlers however you'll have to change their signature.
type SessionHandler func(w http.ResponseWriter, r *http.Request, s *session.Session)
Then update your handlers.
func indexHandler(w http.ResponseWriter, req *http.Request, s *session.Session) {
err := views.ExecuteTemplate(w, "index.html", s.Values)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
}
And you can define the middleware part on the SessionHandler type as a method.
func (h SessionHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
session, err := store.Get(r, sessionName)
if err != nil {
log.WithError(err).Error("bad session")
http.SetCookie(w, &http.Cookie{Name: sessionName, MaxAge: -1, Path: "/"})
return
}
h(w, r, session)
}
And then to register the handler you would do:
app.Handle("/", SessionHandler(indexHandler))
I am using the gorilla/sessions package to implement sessions. the relevant code (or at least what I think is the only relevant part) is as follows:
// Function handler for executing HTML code
func lobbyHandler(w http.ResponseWriter, req *http.Request) {
if isLoggedIn := validateSession(w, req); isLoggedIn {
lobbyTempl.Execute(w, req.Host)
} else {
homeTempl.Execute(w, map[string]string{
"loginErrors": "Must log in first",
})
}
}
// Serves the files as needed, whenever they are requested
// used for all images, js, css, and other static files
func sourceHandler(w http.ResponseWriter, r *http.Request) {
http.ServeFile(w, r, r.URL.Path[1:])
}
func loginHandler(w http.ResponseWriter, r *http.Request) {
un, pw := r.FormValue("lUn"), r.FormValue("lPw")
if usr := findUser(un, pw); usr != nil {
if createSession(w, r) {
http.Redirect(w, req, "/lobby.html", http.StatusFound)
}
} else {
homeTempl.Execute(w, map[string]string{
"loginErrors": "User not found",
})
}
}
func createSession(w http.ResponseWriter, r *http.Request) bool {
session, _ := store.Get(r, sessionName)
session.Values["isAuthorized"] = true
if err := session.Save(r, w); err != nil {
fmt.Println("saving error: ", err.Error())
return false
}
return true
}
func validateSession(w http.ResponseWriter, r *http.Request) bool {
if session, err := store.Get(r, sessionName); err == nil {
if v, ok := session.Values["isAuthorized"]; ok && v == true {
fmt.Println("Authorized user identified!")
return true
} else {
fmt.Println("Unauthorized user detected!")
return false
}
}
return false
}
func main() {
//...
// serving files for the game
http.HandleFunc("/", homeHandler)
http.Handle("/ws", websocket.Handler(wsLobbyHandler))
http.HandleFunc("/lobby.html", lobbyHandler)
http.HandleFunc("/formlogin", loginHandler)
//...
//http.HandleFunc("/*.html", SourceHandler)
if err := http.ListenAndServeTLS(*addr, "cert.pem", "key.pem", nil); err != nil {
log.Fatal("ListenAndServe:", err)
}
}`
in my html i have:
<form id="login_form" action="/formlogin" method="post">
When logging in, the request is handled within loginHandler
The user is identified correctly from the database and a session is created (via createSession()) and placed into the cookie store.
But after the redirect to lobby.html, back in loginHandler
http.Redirect(w, req, "/lobby.html", http.StatusFound)
the validation within lobbyHandler does not work. Does this have to do with the store.Save(...) altering the headers?
I'm very new to go, as well as web apps in general, so I would really appreciate feedback.
Thanks to the comments, i was able to stumble across a similar search that works for me.
session.Options = &sessions.Options{
Path: "/lobby.html",
}
I needed to make sure the cookies know where they are going to be redirected properly.