Store the user's key in the session store so that login/unlock is automatic if cookie is still there

2020-02-28 17:20:32 +01:00 · 2020-02-28 17:20:32 +01:00 · 3bb8a78d07
parent 669c2c1c28
commit 3bb8a78d07
2 changed files with 21 additions and 12 deletions
--- a/main.go
+++ b/main.go
@ -23,6 +23,7 @@ type ConfigFile struct {
 	DbType       string `json:"db_type"`
 	DbPath       string `json:"db_path"`
 	MatrixDomain string `json:"matrix_domain"`
+	SessionKey   string `json:"web_session_key"`
 }

 var configFlag = flag.String("config", "./config.json", "Configuration file path")
@ -31,6 +32,9 @@ var config *ConfigFile
 var registration *mxlib.Registration

 func readConfig() ConfigFile {
+	defaultKey := make([]byte, 32)
+	rand.Read(defaultKey)
+
 	config_file := ConfigFile{
 		LogLevel:     "info",
 		ASBindAddr:   "0.0.0.0:8321",
@ -39,6 +43,7 @@ func readConfig() ConfigFile {
 		Server:       "http://localhost:8008",
 		DbType:       "sqlite3",
 		DbPath:       "easybridge.db",
+		SessionKey:   hex.EncodeToString(defaultKey),
 	}

 	_, err := os.Stat(*configFlag)
--- a/web.go
+++ b/web.go
@ -1,7 +1,6 @@
 package main

 import (
-	"crypto/rand"
 	"html/template"
 	"net/http"
 	"strconv"
@ -11,6 +10,7 @@ import (
 	"github.com/gorilla/sessions"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/crypto/argon2"
+	"golang.org/x/crypto/blake2b"

 	"git.deuxfleurs.fr/Deuxfleurs/easybridge/connector"
 	"git.deuxfleurs.fr/Deuxfleurs/easybridge/mxlib"
@ -22,12 +22,8 @@ var sessionsStore sessions.Store = nil
 var userKeys = map[string]*[32]byte{}

 func StartWeb() {
-	session_key := make([]byte, 32)
-	n, err := rand.Read(session_key)
-	if err != nil || n != 32 {
-		log.Fatal(err)
-	}
-	sessionsStore = sessions.NewCookieStore(session_key)
+	session_key := blake2b.Sum256([]byte(config.SessionKey))
+	sessionsStore = sessions.NewCookieStore(session_key[:])

 	r := mux.NewRouter()
 	r.HandleFunc("/", handleHome)
@ -41,7 +37,7 @@ func StartWeb() {

 	log.Printf("Starting web UI HTTP server on %s", config.WebBindAddr)
 	go func() {
-		err = http.ListenAndServe(config.WebBindAddr, logRequest(r))
+		err := http.ListenAndServe(config.WebBindAddr, logRequest(r))
 		if err != nil {
 			log.Fatal("Cannot start http server: ", err)
 		}
@ -66,10 +62,17 @@ func checkLogin(w http.ResponseWriter, r *http.Request) *LoginInfo {

 	session, err := sessionsStore.Get(r, SESSION_NAME)
 	if err == nil {
-		mxid, ok := session.Values["login_mxid"]
-		if ok {
+		mxid, ok := session.Values["login_mxid"].(string)
+		user_key, ok2 := session.Values["login_user_key"].([]byte)
+		if ok && ok2 {
+			if _, had_key := userKeys[mxid]; !had_key && len(user_key) == 32 {
+				key := new([32]byte)
+				copy(key[:], user_key)
+				userKeys[mxid] = key
+				LoadDbAccounts(mxid, key)
+			}
 			login_info = &LoginInfo{
-				MxId: mxid.(string),
+				MxId: mxid,
 			}
 		}
 	}
@ -154,7 +157,7 @@ func handleLogin(w http.ResponseWriter, r *http.Request) *LoginInfo {

 		key := new([32]byte)
 		key_slice := argon2.IDKey([]byte(password), []byte("EZBRIDGE account store"), 3, 64*1024, 4, 32)
-		copy(key[:], key_slice[:])
+		copy(key[:], key_slice)
 		userKeys[mxid] = key

 		SaveDbAccounts(mxid, key)
@ -167,6 +170,7 @@ func handleLogin(w http.ResponseWriter, r *http.Request) *LoginInfo {
 		}

 		session.Values["login_mxid"] = mxid
+		session.Values["login_user_key"] = key_slice

 		err = session.Save(r, w)
 		if err != nil {