
     1  package session
     2  
     3  import (
     4  	"net/http"
     5  	"strconv"
     6  
     7  	"github.com/fragmenta/auth"
     8  	"github.com/fragmenta/mux"
     9  	"github.com/fragmenta/server/log"
    10  
    11  	"github.com/bitcubate/cryptojournal/src/users"
    12  )
    13  
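// CurrentUser returns the user recorded in the current session cookie,
// or an empty anonymous user (role 0, id 0) when there is no usable
// session, no recorded user id, or the recorded user cannot be loaded.
// The returned pointer is never nil, so callers may dereference it
// without checking.
func CurrentUser(w http.ResponseWriter, r *http.Request) *users.User {
	// The anonymous user is the fallback for every failure path below.
	anon := &users.User{}

	// Build the session from the secure cookie, or create a new one.
	session, err := auth.Session(w, r)
	if err != nil {
		return anon
	}

	// No recorded user id in the session means no login.
	val := session.Get(auth.SessionUserKey)
	if len(val) == 0 {
		return anon
	}

	// The value only reaches us through the session cookie, but it is still
	// parsed defensively: anything that is not a positive integer is treated
	// as "not logged in" rather than passed on to the user lookup.
	id, err := strconv.ParseInt(val, 10, 64)
	if err != nil {
		log.Info(log.V{"msg": "session error decoding", "val": val, "error": err, "status": http.StatusInternalServerError})
		return anon
	}
	if id <= 0 {
		return anon
	}

	// Load the user record. On failure return the anonymous user instead of
	// whatever users.Find handed back, so a lookup error can never surface
	// as a nil user to the caller.
	user, err := users.Find(id)
	if err != nil {
		log.Info(log.V{"msg": "session error user not found", "user_id": id, "error": err, "status": http.StatusNotFound})
		return anon
	}

	return user
}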
    56  
// clearSession removes the session cookie for the request entirely.
// It is used when the request params or authenticity token cannot be
// validated, so that a suspect session does not persist. The error from
// looking up the session, if any, is returned unchanged.
func clearSession(w http.ResponseWriter, r *http.Request) error {
	sess, err := auth.SessionGet(r)
	if err == nil {
		sess.Clear(w)
	}
	return err
}
    68  
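// CheckAuthenticity compares the authenticity token sent in the request
// params against the token stored in the session cookie. The masked token
// is inserted into forms and POSTs by JavaScript; the cookie token is set
// by the session middleware (not defined in this file). It is a shortcut
// for handlers that do not otherwise need the parsed params.
//
// GET requests are exempt and always return nil, so handlers must not
// perform state changes on GET. On any failure the session cookie is
// cleared and the underlying error is returned; callers must treat a
// non-nil error as a rejected request.
func CheckAuthenticity(w http.ResponseWriter, r *http.Request) error {
	// Safe reads are exempt; every other method must carry a token.
	if r.Method == http.MethodGet {
		return nil
	}

	params, err := mux.Params(r)
	if err != nil {
		clearSessionOnFailure(w, r, err)
		return err
	}

	// The token is read from params rather than a header so that one token
	// in the head of every page can be reused by all forms and requests.
	token := params.Get(auth.SessionTokenKey)

	if err := auth.CheckAuthenticityToken(token, r); err != nil {
		clearSessionOnFailure(w, r, err)
		return err
	}

	return nil
}

// clearSessionOnFailure clears the session cookie after an authenticity
// failure. A failure to clear is logged together with the original cause,
// rather than dropped, so a cookie that could not be cleared is visible.
func clearSessionOnFailure(w http.ResponseWriter, r *http.Request, cause error) {
	if err := clearSession(w, r); err != nil {
		log.Info(log.V{"msg": "session error clearing", "cause": cause, "error": err, "status": http.StatusInternalServerError})
	}
}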