forked from External/ergo
implement draft/resume-0.4
This commit is contained in:
Shivaram Lingamneni
parent
eaf0328608
commit
3d445573cf
15 changed files with 442 additions and 343 deletions
|
|
@ -9,7 +9,7 @@ import (
|
|||
"github.com/oragono/oragono/irc/utils"
|
||||
)
|
||||
|
||||
// implements draft/resume-0.3, in particular the issuing, management, and verification
|
||||
// implements draft/resume, in particular the issuing, management, and verification
|
||||
// of resume tokens with two components: a unique ID and a secret key
|
||||
|
||||
type resumeTokenPair struct {
|
||||
|
|
@ -31,8 +31,8 @@ func (rm *ResumeManager) Initialize(server *Server) {
|
|||
|
||||
// GenerateToken generates a resume token for a client. If the client has
|
||||
// already been assigned one, it returns "".
|
||||
func (rm *ResumeManager) GenerateToken(client *Client) (token string) {
|
||||
id := utils.GenerateSecretToken()
|
||||
func (rm *ResumeManager) GenerateToken(client *Client) (token string, id string) {
|
||||
id = utils.GenerateSecretToken()
|
||||
secret := utils.GenerateSecretToken()
|
||||
|
||||
rm.Lock()
|
||||
|
|
@ -48,13 +48,13 @@ func (rm *ResumeManager) GenerateToken(client *Client) (token string) {
|
|||
secret: secret,
|
||||
}
|
||||
|
||||
return id + secret
|
||||
return id + secret, id
|
||||
}
|
||||
|
||||
// VerifyToken looks up the client corresponding to a resume token, returning
|
||||
// nil if there is no such client or the token is invalid. If successful,
|
||||
// the token is consumed and cannot be used to resume again.
|
||||
func (rm *ResumeManager) VerifyToken(token string) (client *Client) {
|
||||
func (rm *ResumeManager) VerifyToken(newClient *Client, token string) (oldClient *Client, id string) {
|
||||
if len(token) != 2*utils.SecretTokenLength {
|
||||
return
|
||||
}
|
||||
|
|
@ -62,18 +62,32 @@ func (rm *ResumeManager) VerifyToken(token string) (client *Client) {
|
|||
rm.Lock()
|
||||
defer rm.Unlock()
|
||||
|
||||
id := token[:utils.SecretTokenLength]
|
||||
id = token[:utils.SecretTokenLength]
|
||||
pair, ok := rm.resumeIDtoCreds[id]
|
||||
if ok {
|
||||
if utils.SecretTokensMatch(pair.secret, token[utils.SecretTokenLength:]) {
|
||||
// disallow resume of an unregistered client; this prevents the use of
|
||||
// resume as an auth bypass
|
||||
if pair.client.Registered() {
|
||||
// consume the token, ensuring that at most one resume can succeed
|
||||
delete(rm.resumeIDtoCreds, id)
|
||||
return pair.client
|
||||
if !ok {
|
||||
return
|
||||
}
|
||||
// disallow resume of an unregistered client; this prevents the use of
|
||||
// resume as an auth bypass
|
||||
if !pair.client.Registered() {
|
||||
return
|
||||
}
|
||||
|
||||
if utils.SecretTokensMatch(pair.secret, token[utils.SecretTokenLength:]) {
|
||||
oldClient = pair.client // success!
|
||||
// consume the token, ensuring that at most one resume can succeed
|
||||
delete(rm.resumeIDtoCreds, id)
|
||||
// old client is henceforth resumeable under new client's creds (possibly empty)
|
||||
newResumeID := newClient.ResumeID()
|
||||
oldClient.SetResumeID(newResumeID)
|
||||
if newResumeID != "" {
|
||||
if newResumeCreds, ok := rm.resumeIDtoCreds[newResumeID]; ok {
|
||||
newResumeCreds.client = oldClient
|
||||
rm.resumeIDtoCreds[newResumeID] = newResumeCreds
|
||||
}
|
||||
}
|
||||
// new client no longer "owns" newResumeID, remove the association
|
||||
newClient.SetResumeID("")
|
||||
}
|
||||
return
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue