Merge pull request #78 from fossyy/staging
Add Suspicious state for detecting unusual session activity
This commit is contained in:
GitHub
@ -2,6 +2,7 @@ package logoutHandler
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"github.com/fossyy/filekeeper/app"
|
||||
"github.com/fossyy/filekeeper/types"
|
||||
"net/http"
|
||||
|
||||
@ -26,12 +27,12 @@ func GET(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
err = storeSession.Delete()
|
||||
if err != nil {
|
||||
panic(err)
|
||||
app.Server.Logger.Error(err)
|
||||
return
|
||||
}
|
||||
err = session.RemoveSessionInfo(userSession.Email, cookie.Value)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
app.Server.Logger.Error(err)
|
||||
return
|
||||
}
|
||||
|
||||
|
||||
@ -37,6 +37,7 @@ func init() {
|
||||
"account_selection_required": "Please select an account to proceed with the request.",
|
||||
"consent_required": "Consent is required to proceed. Please provide consent to continue.",
|
||||
"csrf_token_error": "The CSRF token is missing or invalid. Please refresh the page and try again.",
|
||||
"suspicious_session": "We've detected unusual activity on your account. Please log in again to confirm it's you.",
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -81,7 +81,7 @@ func Handler(next http.Handler) http.Handler {
|
||||
}
|
||||
|
||||
func Auth(next http.HandlerFunc, w http.ResponseWriter, r *http.Request) {
|
||||
status, user, _ := session.GetSession(r)
|
||||
status, user, sessionID := session.GetSession(r)
|
||||
|
||||
switch status {
|
||||
case session.Authorized:
|
||||
@ -109,6 +109,25 @@ func Auth(next http.HandlerFunc, w http.ResponseWriter, r *http.Request) {
|
||||
})
|
||||
http.Redirect(w, r, "/signin", http.StatusSeeOther)
|
||||
return
|
||||
case session.Suspicious:
|
||||
userSession := session.Get(sessionID)
|
||||
err := userSession.Delete()
|
||||
if err != nil {
|
||||
app.Server.Logger.Error(err)
|
||||
}
|
||||
err = session.RemoveSessionInfo(user.Email, sessionID)
|
||||
if err != nil {
|
||||
app.Server.Logger.Error(err)
|
||||
return
|
||||
}
|
||||
http.SetCookie(w, &http.Cookie{
|
||||
Name: "Session",
|
||||
Value: "",
|
||||
Path: "/",
|
||||
MaxAge: -1,
|
||||
})
|
||||
http.Redirect(w, r, "/signin?error=suspicious_session", http.StatusSeeOther)
|
||||
return
|
||||
default:
|
||||
http.Redirect(w, r, "/", http.StatusSeeOther)
|
||||
return
|
||||
|
||||
@ -37,6 +37,7 @@ const (
|
||||
Authorized UserStatus = "authorized"
|
||||
Unauthorized UserStatus = "unauthorized"
|
||||
InvalidSession UserStatus = "invalid_session"
|
||||
Suspicious UserStatus = "suspicious"
|
||||
)
|
||||
|
||||
func (e *SessionNotFoundError) Error() string {
|
||||
@ -196,6 +197,16 @@ func GetSession(r *http.Request) (UserStatus, types.User, string) {
|
||||
if !storeSession.Authenticated {
|
||||
return Unauthorized, types.User{}, ""
|
||||
}
|
||||
|
||||
sessionInfo, err := GetSessionInfo(storeSession.Email, cookie.Value)
|
||||
if err != nil {
|
||||
return Unauthorized, types.User{}, ""
|
||||
}
|
||||
|
||||
if sessionInfo.IP != utils.ClientIP(r) {
|
||||
return Suspicious, storeSession, cookie.Value
|
||||
}
|
||||
|
||||
return Authorized, storeSession, cookie.Value
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user