From 557e7313b2635dda78ccae49fe4ecd033be89867 Mon Sep 17 00:00:00 2001
From: bagas
Date: Fri, 20 Sep 2024 22:44:11 +0700
Subject: [PATCH] Add Suspicious state for detecting unusual session activity

---
 handler/logout/logout.go | 5 +++--
 handler/signin/signin.go | 1 +
 middleware/middleware.go | 21 ++++++++++++++++++++-
 session/session.go | 11 +++++++++++
 4 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/handler/logout/logout.go b/handler/logout/logout.go
index dfdcb0b..19d6dc8 100644
--- a/handler/logout/logout.go
+++ b/handler/logout/logout.go
@@ -2,6 +2,7 @@ package logoutHandler
 import (
 	"errors"
+	"github.com/fossyy/filekeeper/app"
 	"github.com/fossyy/filekeeper/types"
 	"net/http"
@@ -26,12 +27,12 @@ func GET(w http.ResponseWriter, r *http.Request) {
 	err = storeSession.Delete()
 	if err != nil {
-		panic(err)
+		app.Server.Logger.Error(err)
 		return
 	}
 	err = session.RemoveSessionInfo(userSession.Email, cookie.Value)
 	if err != nil {
-		panic(err)
+		app.Server.Logger.Error(err)
 		return
 	}
diff --git a/handler/signin/signin.go b/handler/signin/signin.go
index 8c01347..fba76c1 100644
--- a/handler/signin/signin.go
+++ b/handler/signin/signin.go
@@ -37,6 +37,7 @@ func init() {
 		"account_selection_required": "Please select an account to proceed with the request.",
 		"consent_required": "Consent is required to proceed. Please provide consent to continue.",
 		"csrf_token_error": "The CSRF token is missing or invalid. Please refresh the page and try again.",
+		"suspicious_session": "We've detected unusual activity on your account. Please log in again to confirm it's you.",
 	}
 }
diff --git a/middleware/middleware.go b/middleware/middleware.go
index f6132b6..f6369b3 100644
--- a/middleware/middleware.go
+++ b/middleware/middleware.go
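Review bot: Replacing `panic(err)` with `app.Server.Logger.Error(err)` followed by a bare `return` leaves the response unwritten in both error branches of `GET`, so the client receives an implicit 200 with its Session cookie still in the browser and no indication that the logout did not complete; the panic at least aborted the connection. The handler should answer explicitly, e.g. `http.Error(w, "logout failed", http.StatusInternalServerError)` before each `return`, or better, still fall through to clear the cookie and redirect so a store failure never leaves the browser holding a session the server still considers valid. `GET` continues past the end of the hunk, so the cookie-clearing code that presumably follows is not visible here. The same log-and-return pattern appears in the new `session.Suspicious` case of `middleware.Auth` in this patch.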
@@ -81,7 +81,7 @@ func Handler(next http.Handler) http.Handler {
 }

 func Auth(next http.HandlerFunc, w http.ResponseWriter, r *http.Request) {
-	status, user, _ := session.GetSession(r)
+	status, user, sessionID := session.GetSession(r)

 	switch status {
 	case session.Authorized:
@@ -109,6 +109,25 @@ func Auth(next http.HandlerFunc, w http.ResponseWriter, r *http.Request) {
 		})
 		http.Redirect(w, r, "/signin", http.StatusSeeOther)
 		return
+	case session.Suspicious:
+		userSession := session.Get(sessionID)
+		err := userSession.Delete()
+		if err != nil {
+			app.Server.Logger.Error(err)
+		}
+		err = session.RemoveSessionInfo(user.Email, sessionID)
+		if err != nil {
+			app.Server.Logger.Error(err)
+			return
+		}
+		http.SetCookie(w, &http.Cookie{
+			Name: "Session",
+			Value: "",
+			Path: "/",
+			MaxAge: -1,
+		})
+		http.Redirect(w, r, "/signin?error=suspicious_session", http.StatusSeeOther)
+		return
 	default:
 		http.Redirect(w, r, "/", http.StatusSeeOther)
 		return
diff --git a/session/session.go b/session/session.go
index 6e8c57b..45d385f 100644
--- a/session/session.go
+++ b/session/session.go
@@ -37,6 +37,7 @@ const (
 	Authorized UserStatus = "authorized"
 	Unauthorized UserStatus = "unauthorized"
 	InvalidSession UserStatus = "invalid_session"
+	Suspicious UserStatus = "suspicious"
 )

 func (e *SessionNotFoundError) Error() string {
@@ -196,6 +197,16 @@ func GetSession(r *http.Request) (UserStatus, types.User, string) {
 	if !storeSession.Authenticated {
 		return Unauthorized, types.User{}, ""
 	}
+
+	sessionInfo, err := GetSessionInfo(storeSession.Email, cookie.Value)
+	if err != nil {
+		return Unauthorized, types.User{}, ""
+	}
+
+	if sessionInfo.IP != utils.ClientIP(r) {
+		return Suspicious, storeSession, cookie.Value
+	}
+
 	return Authorized, storeSession, cookie.Value
 }
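Review bot: In the new `case session.Suspicious:` the `return` after the `session.RemoveSessionInfo` error skips both `http.SetCookie` and the redirect, so on a store failure the browser keeps the very cookie that was just flagged and the request ends with an unwritten (implicit 200) response, whereas the `userSession.Delete()` error just above falls through; the two branches should agree. Drop that `return` so the cookie is cleared and the user is sent to `/signin?error=suspicious_session` regardless, i.e. `if err != nil { app.Server.Logger.Error(err) }` for both calls. `session.Get(sessionID)` is not visible here; if it can return nil for an unknown ID, `userSession.Delete()` would panic, so confirm its contract or guard the call. `Auth` starts before the hunk.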
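Review bot: The new check `sessionInfo.IP != utils.ClientIP(r)` in `GetSession` is a raw string comparison that treats any address change — mobile handoffs, NAT pools, a client switching between IPv4 and IPv6 — as suspicious and leads the caller to destroy the session, so expect forced re-logins for legitimate users; that trade-off belongs in `GetSession`'s doc comment together with what `Suspicious` means for the returned user and session ID (usable for cleanup only, not as an authenticated identity). How `utils.ClientIP` derives the address is not visible; if it reads a forwarded header, the comparison is only as reliable as the proxy that sets that header, which is worth a comment at the call site. String equality also fails on non-canonical forms (a stored value that includes a port, or differently formatted IPv6), so parsing both sides with `net/netip` before comparing would be more robust unless the stored format is already canonical. `GetSession` begins outside the hunk.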