blob: 15ff9cad38a5a0d79e2fc1a0318a5d24d5e9e87f [file] [log] [blame]
#pragma once
#include <nlohmann/json.hpp>
#include <pam_authenticate.hpp>
#include <webassets.hpp>
#include <random>
#include <crow/app.h>
#include <crow/http_request.h>
#include <crow/http_response.h>
#include <boost/container/flat_map.hpp>
#include <boost/uuid/uuid.hpp>
#include <boost/uuid/uuid_generators.hpp>
#include <boost/uuid/uuid_io.hpp>
namespace crow {
namespace PersistentData {
enum class PersistenceType {
TIMEOUT, // User session times out after a predetermined amount of time
SINGLE_REQUEST // User times out once this request is completed.
};
struct UserSession {
std::string unique_id;
std::string session_token;
std::string username;
std::string csrf_token;
std::chrono::time_point<std::chrono::steady_clock> last_updated;
PersistenceType persistence;
/**
* @brief Fills object with data from UserSession's JSON representation
*
* This replaces nlohmann's from_json to ensure no-throw approach
*
* @param[in] j JSON object from which data should be loaded
*
* @return true if data has been loaded properly, false otherwise
*/
bool fromJson(const nlohmann::json& j) {
auto jUid = j.find("unique_id");
auto jToken = j.find("session_token");
auto jUsername = j.find("username");
auto jCsrf = j.find("csrf_token");
// Verify existence
if (jUid == j.end() || jToken == j.end() || jUsername == j.end() ||
jCsrf == j.end()) {
return false;
}
// Verify types
if (!jUid->is_string() || !jToken->is_string() || !jUsername->is_string() ||
!jCsrf->is_string()) {
return false;
}
unique_id = jUid->get<std::string>();
session_token = jToken->get<std::string>();
username = jUsername->get<std::string>();
csrf_token = jCsrf->get<std::string>();
// For now, sessions that were persisted through a reboot get their timer
// reset. This could probably be overcome with a better understanding of
// wall clock time and steady timer time, possibly persisting values with
// wall clock time instead of steady timer, but the tradeoffs of all the
// corner cases involved are non-trivial, so this is done temporarily
last_updated = std::chrono::steady_clock::now();
persistence = PersistenceType::TIMEOUT;
return true;
}
};
void to_json(nlohmann::json& j, const UserSession& p) {
if (p.persistence != PersistenceType::SINGLE_REQUEST) {
j = nlohmann::json{{"unique_id", p.unique_id},
{"session_token", p.session_token},
{"username", p.username},
{"csrf_token", p.csrf_token}};
}
}
class Middleware;
class SessionStore {
public:
SessionStore() : timeout_in_minutes(60) {}
const UserSession& generate_user_session(
const std::string& username,
PersistenceType persistence = PersistenceType::TIMEOUT) {
// TODO(ed) find a secure way to not generate session identifiers if
// persistence is set to SINGLE_REQUEST
static constexpr std::array<char, 62> alphanum = {
'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C',
'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P',
'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c',
'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p',
'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'};
// entropy: 30 characters, 62 possibilities. log2(62^30) = 178 bits of
// entropy. OWASP recommends at least 60
// https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Entropy
std::string session_token;
session_token.resize(20, '0');
std::uniform_int_distribution<int> dist(0, alphanum.size() - 1);
for (int i = 0; i < session_token.size(); ++i) {
session_token[i] = alphanum[dist(rd)];
}
// Only need csrf tokens for cookie based auth, token doesn't matter
std::string csrf_token;
csrf_token.resize(20, '0');
for (int i = 0; i < csrf_token.size(); ++i) {
csrf_token[i] = alphanum[dist(rd)];
}
std::string unique_id;
unique_id.resize(10, '0');
for (int i = 0; i < unique_id.size(); ++i) {
unique_id[i] = alphanum[dist(rd)];
}
const auto session_it = auth_tokens.emplace(
session_token,
std::move(UserSession{unique_id, session_token, username, csrf_token,
std::chrono::steady_clock::now(), persistence}));
const UserSession& user = (session_it).first->second;
// Only need to write to disk if session isn't about to be destroyed.
need_write_ = persistence == PersistenceType::TIMEOUT;
return user;
}
const UserSession* login_session_by_token(const std::string& token) {
apply_session_timeouts();
auto session_it = auth_tokens.find(token);
if (session_it == auth_tokens.end()) {
return nullptr;
}
UserSession& foo = session_it->second;
foo.last_updated = std::chrono::steady_clock::now();
return &foo;
}
const UserSession* get_session_by_uid(const std::string& uid) {
apply_session_timeouts();
// TODO(Ed) this is inefficient
auto session_it = auth_tokens.begin();
while (session_it != auth_tokens.end()) {
if (session_it->second.unique_id == uid) {
return &session_it->second;
}
session_it++;
}
return nullptr;
}
void remove_session(const UserSession* session) {
auth_tokens.erase(session->session_token);
need_write_ = true;
}
std::vector<const std::string*> get_unique_ids(
bool getAll = true,
const PersistenceType& type = PersistenceType::SINGLE_REQUEST) {
apply_session_timeouts();
std::vector<const std::string*> ret;
ret.reserve(auth_tokens.size());
for (auto& session : auth_tokens) {
if (getAll || type == session.second.persistence) {
ret.push_back(&session.second.unique_id);
}
}
return ret;
}
bool needs_write() { return need_write_; }
int get_timeout_in_seconds() const {
return std::chrono::seconds(timeout_in_minutes).count();
};
// Persistent data middleware needs to be able to serialize our auth_tokens
// structure, which is private
friend Middleware;
private:
void apply_session_timeouts() {
auto time_now = std::chrono::steady_clock::now();
if (time_now - last_timeout_update > std::chrono::minutes(1)) {
last_timeout_update = time_now;
auto auth_tokens_it = auth_tokens.begin();
while (auth_tokens_it != auth_tokens.end()) {
if (time_now - auth_tokens_it->second.last_updated >=
timeout_in_minutes) {
auth_tokens_it = auth_tokens.erase(auth_tokens_it);
need_write_ = true;
} else {
auth_tokens_it++;
}
}
}
}
std::chrono::time_point<std::chrono::steady_clock> last_timeout_update;
boost::container::flat_map<std::string, UserSession> auth_tokens;
std::random_device rd;
bool need_write_{false};
std::chrono::minutes timeout_in_minutes;
};
} // namespaec PersistentData
} // namespace crow