Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Stopped outdated error from being returned #251

Closed
wants to merge 4 commits into from
Closed

Stopped outdated error from being returned #251

wants to merge 4 commits into from

Conversation

fednelpat
Copy link

Fixes #249

Summary of Changes

  1. Internal change to make it so that if there is an error while creating a session the session won't be saved to the registry.
  2. Fixed an issue which would cause a nil pointer dereference
  3. Note: This does not change anything for the users utilizing the library apart from the fact that certain kinds of errors won't happen anymore

This didn't need any test changes.

@fednelpat
Copy link
Author

@elithrar There we go, I committed the pr.
Sadly I had to make a last commit in which I gofmt'ed everything (including the files I didn't need to modify) since since the latest commit a new go version was released which asked for changes to the //go:build and // +build lines.

elithrar
elithrar reviewed Dec 16, 2021
View reviewed changes
sessions.go Show resolved Hide resolved
aeneasr
aeneasr suggested changes Jan 8, 2022
View reviewed changes
Copy link

@aeneasr aeneasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest not to merge this. It prevents new sessions (which have been created because e.g. keys had been rotated) from being able to be saved using .Save() because they'll never make it to the session store, thus never will be called in for name, info := range s.sessions {.

IMO a test should be added to ensure this type regression can't happen:

  1. Client sends cookie with incorrect signature (e.g. wrong secret, malformed string)
  2. Server wants to save cookie
  3. Client receives updated cookie, which now has the correct value

@fednelpat
Copy link
Author

fednelpat commented Jan 8, 2022
edited

@aeneasr
The changes I made don't prevent new sessions from being able to be saved. They prevent sessions which returned errors during creation from being saved in the session cache. Errors returned should be handled by the developer when the function returns a value. Furthermore the issue with Save() is that it doesn't check for session errors anywhere which means that it will save invalid sessions, but once the session is retrieved using Store.Get it will be kept as valid because the error won't have been saved in the store. Also since the error is kept in the registry this means that when Registry.Get is called it will keep returning the same invalid session and the same error. After looking at the code more, it seems to me that there is no way to exit out of that loop (it will never stop sending the invalid session + error), but I may have missed something.

@aeneasr
Copy link

aeneasr commented Jan 8, 2022

In the context of this library, an error will be returned when the signature of an existing cookie is invalid. In that case, the error should be ignored, and the cookie should still be set, and then saved, with a signature that is valid.

This means that we gracefully handle non-existent cookies, or cookies which have an incorrect signature.

Removing this code would mean that those cookies would NEVER be saved because they can NEVER be retrieved in the first place, as they will always return an error.

The underlying problem this PR attempts to resolve is #249 . However, #249 is an issue because the storage implementation of the mongo adapter does not respect the interface (i.e. it returns a nil session when an error is given which clearly violates the contract witch expects a session always). Therefore, this is a pretty serious breaking change that would cause cookies with invalid signatures to no longer be saved, unless the developers make some big hoops to catch this particular case (in most cases they will not).

@fednelpat
Copy link
Author

I tested my code and couldn't find any issues in case we only saved one session. You are right though, if multiple sessions are being saved using Registry.Save the session won't be saved. What do you think about, instead of returning the error without saving the session, saving the session even though there was an error? Not saving the error is a good change because first of all the error being saved is only used in Registry.Get and nowhere else so it doesn't have any impact if it's saved or not. Furthermore if we did instead save the error the issue would be that here
image
it would still return an error even though the session was valid, which means that if someone were to actually handle the Registry.Get error (instead of ignoring it like it's done in most cases) they might get an outdated error which would no longer be valid.

@fednelpat
Copy link
Author

The updated Registry.Get code looks like this.
image
Now as to the nil pointer dereference issue that is an issue with the storage implementation and is out of the scope of this project, so I am going to rename this pr

@fednelpat fednelpat changed the title Fixed nil pointer dereference Stopped outdated error from being returned Jan 8, 2022
@aeneasr
Copy link

aeneasr commented Jan 8, 2022

Nice, thank you for reproducing the issue on your end!

Not saving the error is a good change because first of all the error being saved is only used in Registry.Get and nowhere else so it doesn't have any impact if it's saved or not.

There's a particular use case where the error is needed. Currently

cookie, err := session.Get(...)
cookie, err = session.Get(...)

return the same result. This is useful if you want to figure out whether the cookie was invalid and recreated, or whether it existed in the first place. You can do this with:

cookie, err := session.Get(...)
if err == nil && cookie.IsNew {
  / It's a new cookie, not a cookie recovered from an error
}

with your suggested change, this would not work any more once you call session.Get twice. However, this change is important because we might want to delete a cookie if it is invalid, but we do not want to delete a cookie if no cookie existed in the first place.

@fednelpat
Copy link
Author

fednelpat commented Jan 8, 2022 via email

@stale
Copy link

stale bot commented Apr 17, 2022

This issue has been automatically marked as stale because it hasn't seen a recent update. It'll be automatically closed in a few days.

@stale stale bot added the stale label Apr 17, 2022
@stale stale bot closed this Apr 27, 2022
@github-actions github-actions bot mentioned this pull request Apr 28, 2022
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@elithrar elithrar elithrar left review comments

@aeneasr aeneasr aeneasr requested changes

Assignees
No one assigned
Labels
stale
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Changed auth/encryption key prevents the signed in user from accessing the webpage again
3 participants
@fednelpat @aeneasr @elithrar