Swap to redis based store to prevent session race conditions

Author: srbry

appengine_templates/app.yaml.tpl

@@ -9,6 +9,7 @@ env_variables:
   JWT_SECRET: _JWT_SECRET
   SESSION_SECRET: _SESSION_SECRET
   ENCRYPTION_SECRET: _ENCRYPTION_SECRET
+  REDIS_SESSION_DB: _REDIS_SESSION_DB
   GIN_MODE: release
 
 vpc_access_connector:

authenticate/authenticate.go

@@ -149,14 +149,15 @@ func (auth *Auth) Login(context *gin.Context, session sessions.Session) {
 }
 
 func (auth *Auth) Logout(context *gin.Context, session sessions.Session) {
+	session.Set(JWT_TOKEN_KEY, "")
 	session.Clear()
+	// session.Options(SessionOptions(true))
 	err := session.Save()
 	if err != nil {
 		auth.notAuth(context)
 		return
 	}
 	context.HTML(http.StatusOK, "logout.tmpl", gin.H{})
-	context.Abort()
 }
 
 func (auth *Auth) notAuth(context *gin.Context) {
@@ -176,6 +177,29 @@ func (auth *Auth) NotAuthWithError(context *gin.Context, errorMessage string) {
 	context.Abort()
 }
 
+func (auth *Auth) RefreshToken(context *gin.Context, session sessions.Session, claim *UACClaims) {
+	signedToken, err := auth.JWTCrypto.EncryptJWT(claim.UAC, &claim.UacInfo, claim.AuthTimeout)
+	if err != nil {
+		auth.Logger.Error("Failed to Encrypt JWT", zap.Error(err))
+		return
+	}
+
+	if session.Get(JWT_TOKEN_KEY) == nil || session.Get(JWT_TOKEN_KEY).(string) == "" {
+		auth.Logger.Info("Not refreshing JWT as it looks like the user has logged out",
+			append(utils.GetRequestSource(context),
+				zap.String("InstrumentName", claim.UacInfo.InstrumentName),
+				zap.String("CaseID", claim.UacInfo.InstrumentName),
+			)...)
+		return
+	}
+	session.Set(JWT_TOKEN_KEY, signedToken)
+	if err := session.Save(); err != nil {
+		auth.Logger.Error("Failed to save JWT to session", zap.Error(err))
+		return
+	}
+	return
+}
+
 func (auth *Auth) isUac16() bool {
 	return auth.UacKind == "uac16"
 }
@@ -191,18 +215,3 @@ func Forbidden(context *gin.Context) {
 	context.HTML(http.StatusForbidden, "access_denied.tmpl", gin.H{})
 	context.Abort()
 }
-
-func (auth *Auth) RefreshToken(context *gin.Context, session sessions.Session, claim *UACClaims) {
-	signedToken, err := auth.JWTCrypto.EncryptJWT(claim.UAC, &claim.UacInfo, claim.AuthTimeout)
-	if err != nil {
-		auth.Logger.Error("Failed to Encrypt JWT", zap.Error(err))
-		return
-	}
-
-	session.Set(JWT_TOKEN_KEY, signedToken)
-	if err := session.Save(); err != nil {
-		auth.Logger.Error("Failed to save JWT to session", zap.Error(err))
-		return
-	}
-	return
-}

go.sum

@@ -57,6 +57,7 @@ github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kB
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
 github.com/blendle/zapdriver v1.3.1 h1:C3dydBOWYRiOk+B8X9IVZ5IOe+7cl+tGOexN4QqHfpE=
 github.com/blendle/zapdriver v1.3.1/go.mod h1:mdXfREi6u5MArG4j9fewC+FGnXaBR+T4Ox4J2u4eHCc=
+github.com/boj/redistore v0.0.0-20180917114910-cd5dcc76aeff h1:RmdPFa+slIr4SCBg4st/l/vZWVe9QJKMXGO60Bxbe04=
 github.com/boj/redistore v0.0.0-20180917114910-cd5dcc76aeff/go.mod h1:+RTT1BOk5P97fT2CiHkbFQwkK3mjsFAP6zCYV2aXtjw=
 github.com/bradfitz/gomemcache v0.0.0-20180710155616-bc664df96737/go.mod h1:PmM6Mmwb0LSuEubjR8N7PtNe1KxZLtOUHtbeikc5h60=
 github.com/bradfitz/gomemcache v0.0.0-20190329173943-551aad21a668/go.mod h1:H0wQNHz2YrLsuXOZozoeDmnHXkNCRmMW0gwFWDfEZDA=
@@ -166,6 +167,7 @@ github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx
 github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/gomodule/redigo v2.0.0+incompatible h1:K/R+8tc58AaqLkqG2Ol3Qk+DR/TlNuhuh457pBFPtt0=
 github.com/gomodule/redigo v2.0.0+incompatible/go.mod h1:B4C85qUVwatsJoIUNIfCRsp7qO0iAmpGFZ4EELWSbC4=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=

webserver/webserver.go

@@ -12,7 +12,7 @@ import (
 	"github.com/blendle/zapdriver"
 	"github.com/gin-contrib/secure"
 	"github.com/gin-contrib/sessions"
-	"github.com/gin-contrib/sessions/cookie"
+	"github.com/gin-contrib/sessions/redis"
 	"github.com/gin-gonic/gin"
 	"github.com/kelseyhightower/envconfig"
 	"go.uber.org/zap"
@@ -31,6 +31,7 @@ var (
 )
 
 type Config struct {
+	RedisSessionDB   string `default:"localhost:3389" split_words:"true"`
 	SessionSecret    string `required:"true" split_words:"true"`
 	EncryptionSecret string `required:"true" split_words:"true"`
 	CatiUrl          string `required:"true" split_words:"true"`
@@ -100,7 +101,10 @@ func (server *Server) SetupRouter() *gin.Engine {
 
 	httpRouter.Use(secure.New(securityConfig))
 
-	store := cookie.NewStore([]byte(server.Config.SessionSecret), []byte(server.Config.EncryptionSecret))
+	store, err := redis.NewStore(10, "tcp", server.Config.RedisSessionDB, "", []byte(server.Config.SessionSecret), []byte(server.Config.EncryptionSecret))
+	if err != nil {
+		log.Fatalf("Could not connect to session database: %s", err)
+	}
 	store.Options(sessions.Options{
 		Path:     "/",
 		MaxAge:   60 * 60 * 24 * 30, // 30 days