fix: clear the anonymous session

beclab · Aug 9, 2024 · 1ffc390 · 1ffc390
1 parent 0ed5401
commit 1ffc390
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 9 deletions.
diff --git a/internal/session/lister.go b/internal/session/lister.go
@@ -136,19 +136,14 @@ func (l *Lister) List() (map[string][]byte, error) {
 	list := make(map[string][]byte)
 
 	for _, k := range reply {
-		sessionId := l.getSessionIDFromKey(k)
-
-		if k == "" {
-			continue
-		}
 
 		item, err := l.db.Get(context.Background(), k).Bytes()
 
 		if err != nil && err != redisv8.Nil {
 			return nil, err
 		}
 
-		list[sessionId] = item
+		list[k] = item
 	}
 
 	return list, nil
@@ -167,7 +162,7 @@ func (l *Lister) getRedisSessionKey(sessionID []byte) string {
 	return keyStr
 }
 
-func (l *Lister) getSessionIDFromKey(key string) string {
+func (l *Lister) GetSessionIDFromKey(key string) string {
 	prefixLen := len(l.keyPrefix) + 1 // prefix + ":".
 
 	if len(key) > prefixLen {
@@ -176,3 +171,8 @@ func (l *Lister) getSessionIDFromKey(key string) string {
 
 	return ""
 }
+
+func (l *Lister) Destroy(ctx context.Context, key string) error {
+	_, err := l.db.Del(ctx, key).Result()
+	return err
+}
diff --git a/internal/session/provider.go b/internal/session/provider.go
@@ -302,7 +302,7 @@ func (p *Provider) reloadTokenToCache() {
 		klog.Error("connect to kubesphere token cache error, ", err)
 	}
 
-	for sid, data := range dataList {
+	for key, data := range dataList {
 		var sess session.Dict
 		err := serializer.Decode(&sess, data)
 
@@ -328,10 +328,15 @@ func (p *Provider) reloadTokenToCache() {
 
 			return false
 		}(); !ok {
-			klog.Info("ignore unknown user, ", us.Username)
+			klog.Info("clear unknown user, ", us.Username)
+			err := p.reloadLister.Destroy(context.Background(), key)
+			if err != nil {
+				klog.Error("destroy session error, ", err)
+			}
 			continue
 		}
 
+		sid := p.reloadLister.GetSessionIDFromKey(key)
 		token := us.AccessToken
 		domain := us.CookieDomain
 

diff --git a/internal/session/session.go b/internal/session/session.go
@@ -78,6 +78,10 @@ func (p *Session) SaveSession(ctx *fasthttp.RequestCtx, userSession UserSession)
 	}
 
 	store.Set(userSessionStorerKey, userSessionJSON)
+	// anonymous session default expiration 5 minutes
+	if userSession.Username == "" {
+		store.SetExpiration(5 * time.Minute)
+	}
 
 	if err = p.sessionHolder.Save(ctx, store); err != nil {
 		return err

diff --git a/internal/utils/aes_test.go b/internal/utils/aes_test.go
@@ -2,6 +2,11 @@ package utils
 
 import (
 	"crypto/sha256"
+	"encoding/base32"
+	"encoding/base64"
+	"encoding/hex"
+	"fmt"
+	"log"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -45,3 +50,49 @@ func TestShouldFailDecryptOnInvalidCypherText(t *testing.T) {
 
 	assert.Error(t, err, "message authentication failed")
 }
+
+func TestTOTPSecret(t *testing.T) {
+	b32Secret := "KREVIQKNI5CUETKIGNDUUN2LKFFEKQSWKJHVISSNJZIUMNRSJFHUOVSEGNHE2QRVGZGVIVCBG43FCU2JINAQ"
+	s, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(b32Secret)
+	if err != nil {
+		t.Log(err)
+	}
+
+	t.Log(hex.EncodeToString(s))
+
+	key := sha256.Sum256([]byte("dJPM367jfe5R0sx8TzLnu5Ln1vyp0lmA"))
+	as, err := Encrypt(s, &key)
+	if err != nil {
+		t.Log(err)
+		t.Fail()
+		return
+	}
+
+	t.Log(hex.EncodeToString(as))
+	d := base64.StdEncoding.WithPadding(base64.StdPadding).EncodeToString(as)
+
+	fmt.Printf("secret: %s", string(d))
+}
+
+func TestTOTPdecSecret(t *testing.T) {
+	b64secret := "0NjKONtul2VTvzfDpDdYaxOLNxtCcBkwgfDwK7S71XPF3crHuaU2kmeR/jLb2VDgz+nN4pCC08ACrF7w2igYaQZgPeKmCIrHAd1kt5TlMfY="
+
+	as, err := base64.StdEncoding.WithPadding(base64.StdPadding).DecodeString(b64secret)
+	if err != nil {
+		t.Log(err)
+		return
+	}
+
+	log.Print(hex.Dump(as))
+
+	key := sha256.Sum256([]byte("dJPM367jfe5R0sx8TzLnu5Ln1vyp0lmA"))
+
+	s, err := Decrypt(as, &key)
+	if err != nil {
+		t.Log(err)
+		return
+	}
+
+	log.Print(hex.Dump(s))
+	t.Log(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(s))
+}