authorGravatar Frédéric Guillot <fred@miniflux.net>2017-12-16 18:07:53 -0800
committerGravatar Frédéric Guillot <fred@miniflux.net>2017-12-16 18:07:53 -0800
commit00257988ef1707a028cd7dd0b1f8f68e6e8fac53 (patch)
treef54ccd93abb5054336baea1f0a4a99f8700fc81a /server/ui/controller
parent58acd1d5e3a997d27f60549b51bdf41df900c6c6 (diff)
Session management refactoring
Diffstat (limited to 'server/ui/controller')
-rw-r--r--server/ui/controller/controller.go9
-rw-r--r--server/ui/controller/login.go33
-rw-r--r--server/ui/controller/oauth2.go22
-rw-r--r--server/ui/controller/session.go7
-rw-r--r--server/ui/controller/settings.go1
-rw-r--r--server/ui/controller/unread.go2
6 files changed, 23 insertions, 51 deletions
diff --git a/server/ui/controller/controller.go b/server/ui/controller/controller.go
index cfecf42..8f1f415 100644
--- a/server/ui/controller/controller.go
+++ b/server/ui/controller/controller.go
@@ -44,10 +44,11 @@ func (c *Controller) getCommonTemplateArgs(ctx *core.Context) (tplParams, error)
}
params := tplParams{
- "menu": "",
- "user": user,
- "countUnread": countUnread,
- "csrf": ctx.CsrfToken(),
+ "menu": "",
+ "user": user,
+ "countUnread": countUnread,
+ "csrf": ctx.CSRF(),
+ "flashMessage": ctx.FlashMessage(),
}
return params, nil
}
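Review bot: The new `"flashMessage": ctx.FlashMessage()` entry puts session-stored text into the arguments of every page, so it should stay on the auto-escaping template path and never be emitted as raw HTML; unlike the other values here it is not a constant but whatever was last written by `SetFlashMessage`. I cannot tell from this hunk whether `ctx.FlashMessage()` clears the message after one read; if it does not, the banner would repeat on every following page until the session is replaced, which is worth confirming in the core package. getCommonTemplateArgs starts before this hunk.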
diff --git a/server/ui/controller/login.go b/server/ui/controller/login.go
index d130f4c..87b8a4e 100644
--- a/server/ui/controller/login.go
+++ b/server/ui/controller/login.go
@@ -5,10 +5,8 @@
package controller
import (
- "net/http"
- "time"
-
"github.com/miniflux/miniflux/logger"
+ "github.com/miniflux/miniflux/server/cookie"
"github.com/miniflux/miniflux/server/core"
"github.com/miniflux/miniflux/server/ui/form"
@@ -23,7 +21,7 @@ func (c *Controller) ShowLoginPage(ctx *core.Context, request *core.Request, res
}
response.HTML().Render("login", tplParams{
- "csrf": ctx.CsrfToken(),
+ "csrf": ctx.CSRF(),
})
}
@@ -32,7 +30,7 @@ func (c *Controller) CheckLogin(ctx *core.Context, request *core.Request, respon
authForm := form.NewAuthForm(request.Request())
tplParams := tplParams{
"errorMessage": "Invalid username or password.",
- "csrf": ctx.CsrfToken(),
+ "csrf": ctx.CSRF(),
}
if err := authForm.Validate(); err != nil {
@@ -60,15 +58,7 @@ func (c *Controller) CheckLogin(ctx *core.Context, request *core.Request, respon
logger.Info("[Controller:CheckLogin] username=%s just logged in", authForm.Username)
- cookie := &http.Cookie{
- Name: "sessionID",
- Value: sessionToken,
- Path: "/",
- Secure: request.IsHTTPS(),
- HttpOnly: true,
- }
-
- response.SetCookie(cookie)
+ response.SetCookie(cookie.New(cookie.CookieUserSessionID, sessionToken, request.IsHTTPS()))
response.Redirect(ctx.Route("unread"))
}
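Review bot: The replacement `response.SetCookie(cookie.New(cookie.CookieUserSessionID, sessionToken, request.IsHTTPS()))` drops the explicit `Path: "/"` and `HttpOnly: true` that the removed literal carried, and nothing in this hunk shows that the helper restores them; confirm in the cookie package that the session cookie is still HttpOnly and scoped to `/`, and that `cookie.Expired` (used in the Logout hunk below) still sets `MaxAge: -1` together with a past `Expires` as the removed code did. The same `cookie.New` call replaces the same literal in OAuth2Callback in oauth2.go, so one fix in the helper covers both. CheckLogin starts before this hunk.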
@@ -76,21 +66,10 @@ func (c *Controller) CheckLogin(ctx *core.Context, request *core.Request, respon
func (c *Controller) Logout(ctx *core.Context, request *core.Request, response *core.Response) {
user := ctx.LoggedUser()
- sessionCookie := request.Cookie("sessionID")
- if err := c.store.RemoveUserSessionByToken(user.ID, sessionCookie); err != nil {
+ if err := c.store.RemoveUserSessionByToken(user.ID, ctx.UserSessionToken()); err != nil {
logger.Error("[Controller:Logout] %v", err)
}
- cookie := &http.Cookie{
- Name: "sessionID",
- Value: "",
- Path: "/",
- Secure: request.IsHTTPS(),
- HttpOnly: true,
- MaxAge: -1,
- Expires: time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC),
- }
-
- response.SetCookie(cookie)
+ response.SetCookie(cookie.Expired(cookie.CookieUserSessionID, request.IsHTTPS()))
response.Redirect(ctx.Route("login"))
}
diff --git a/server/ui/controller/oauth2.go b/server/ui/controller/oauth2.go
index 56ed53c..5011b1a 100644
--- a/server/ui/controller/oauth2.go
+++ b/server/ui/controller/oauth2.go
@@ -5,11 +5,10 @@
package controller
import (
- "net/http"
-
"github.com/miniflux/miniflux/config"
"github.com/miniflux/miniflux/logger"
"github.com/miniflux/miniflux/model"
+ "github.com/miniflux/miniflux/server/cookie"
"github.com/miniflux/miniflux/server/core"
"github.com/miniflux/miniflux/server/oauth2"
"github.com/tomasen/realip"
@@ -19,7 +18,7 @@ import (
func (c *Controller) OAuth2Redirect(ctx *core.Context, request *core.Request, response *core.Response) {
provider := request.StringParam("provider", "")
if provider == "" {
- logger.Error("[OAuth2] Invalid or missing provider")
+ logger.Error("[OAuth2] Invalid or missing provider: %s", provider)
response.Redirect(ctx.Route("login"))
return
}
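Review bot: The `%s` argument added to the logger call is always the empty string, because this branch is only entered when `provider == ""`, so the message renders as `provider: ` and carries no more information than the previous text while looking as if a value was logged. Keep the plain message, `logger.Error("[OAuth2] Invalid or missing provider")`, unless a value that actually varies is available to log. OAuth2Redirect continues outside the hunk.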
@@ -31,7 +30,7 @@ func (c *Controller) OAuth2Redirect(ctx *core.Context, request *core.Request, re
return
}
- response.Redirect(authProvider.GetRedirectURL(ctx.CsrfToken()))
+ response.Redirect(authProvider.GetRedirectURL(ctx.GenerateOAuth2State()))
}
// OAuth2Callback receives the authorization code and create a new session.
@@ -51,8 +50,8 @@ func (c *Controller) OAuth2Callback(ctx *core.Context, request *core.Request, re
}
state := request.QueryStringParam("state", "")
- if state != ctx.CsrfToken() {
- logger.Error("[OAuth2] Invalid state value")
+ if state == "" || state != ctx.OAuth2State() {
+ logger.Error(`[OAuth2] Invalid state value: got "%s" instead of "%s"`, state, ctx.OAuth2State())
response.Redirect(ctx.Route("login"))
return
}
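Review bot: The added error log writes the server-side expected value `ctx.OAuth2State()` next to the attacker-controlled `state`, so the log now records the nonce the check exists to protect, and the `%s` verbs inside hand-written quotes let a `state` parameter containing newlines or control characters forge extra log lines. Logging only the received value with `%q` is enough to diagnose a mismatch: `logger.Error("[OAuth2] Invalid state value: got %q", state)`. The new empty-state guard is a good addition; whether the state is consumed after one successful check is decided in the core package, outside this hunk. OAuth2Callback begins before this hunk and continues after it.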
@@ -78,6 +77,7 @@ func (c *Controller) OAuth2Callback(ctx *core.Context, request *core.Request, re
return
}
+ ctx.SetFlashMessage(ctx.Translate("Your external account is now linked !"))
response.Redirect(ctx.Route("settings"))
return
}
@@ -118,15 +118,7 @@ func (c *Controller) OAuth2Callback(ctx *core.Context, request *core.Request, re
logger.Info("[Controller:OAuth2Callback] username=%s just logged in", user.Username)
- cookie := &http.Cookie{
- Name: "sessionID",
- Value: sessionToken,
- Path: "/",
- Secure: request.IsHTTPS(),
- HttpOnly: true,
- }
-
- response.SetCookie(cookie)
+ response.SetCookie(cookie.New(cookie.CookieUserSessionID, sessionToken, request.IsHTTPS()))
response.Redirect(ctx.Route("unread"))
}
diff --git a/server/ui/controller/session.go b/server/ui/controller/session.go
index a020b16..05cb29e 100644
--- a/server/ui/controller/session.go
+++ b/server/ui/controller/session.go
@@ -9,7 +9,7 @@ import (
"github.com/miniflux/miniflux/server/core"
)
-// ShowSessions shows the list of active sessions.
+// ShowSessions shows the list of active user sessions.
func (c *Controller) ShowSessions(ctx *core.Context, request *core.Request, response *core.Response) {
user := ctx.LoggedUser()
args, err := c.getCommonTemplateArgs(ctx)
@@ -24,15 +24,14 @@ func (c *Controller) ShowSessions(ctx *core.Context, request *core.Request, resp
return
}
- sessionCookie := request.Cookie("sessionID")
response.HTML().Render("sessions", args.Merge(tplParams{
"sessions": sessions,
- "currentSessionToken": sessionCookie,
+ "currentSessionToken": ctx.UserSessionToken(),
"menu": "settings",
}))
}
-// RemoveSession remove a session.
+// RemoveSession remove a user session.
func (c *Controller) RemoveSession(ctx *core.Context, request *core.Request, response *core.Response) {
user := ctx.LoggedUser()
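Review bot: The reworded doc comment `// RemoveSession remove a user session.` is still not a full sentence; Go doc comments start with the name followed by a verb in the third person, so it should read `// RemoveSession removes a user session.`. The ShowSessions comment changed in the earlier hunk of this file already follows that form. RemoveSession's body continues outside the hunk.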
diff --git a/server/ui/controller/settings.go b/server/ui/controller/settings.go
index af7558a..feba893 100644
--- a/server/ui/controller/settings.go
+++ b/server/ui/controller/settings.go
@@ -62,6 +62,7 @@ func (c *Controller) UpdateSettings(ctx *core.Context, request *core.Request, re
return
}
+ ctx.SetFlashMessage(ctx.Translate("Preferences saved!"))
response.Redirect(ctx.Route("settings"))
}
diff --git a/server/ui/controller/unread.go b/server/ui/controller/unread.go
index 87faafc..8cf8a38 100644
--- a/server/ui/controller/unread.go
+++ b/server/ui/controller/unread.go
@@ -44,6 +44,6 @@ func (c *Controller) ShowUnreadPage(ctx *core.Context, request *core.Request, re
"entries": entries,
"pagination": c.getPagination(ctx.Route("unread"), countUnread, offset),
"menu": "unread",
- "csrf": ctx.CsrfToken(),
+ "csrf": ctx.CSRF(),
})
}