philomena/lib/philomena_web/plugs/pow_invalidated_session_plug.ex

defmodule PhilomenaWeb.PowInvalidatedSessionPlug do
  @moduledoc """
  This plug ensures that invalidated sessions can still be used for a short
  amount of time.

  This MAY introduce a slight timing attack vector, but in practice would be
  unlikely as all tokens expires after 60 seconds.

  ## Example

      plug MyAppWeb.PowInvalidatedSessionPlug, :pow_session
      plug MyAppWeb.PowInvalidatedSessionPlug, :pow_persistent_session
      plug Pow.Plug.Session, otp_app: :my_app
      plug PowPersistentSession.Plug.Cookie
      plug MyAppWeb.PowInvalidatedSessionPlug, :load

  """
  alias Plug.Conn
  alias Pow.{Config, Plug, Store.Backend.EtsCache}

  @store_ttl :timer.minutes(1)
  @otp_app :philomena
  @session_key "#{@otp_app}_auth"
  @session_signing_salt Atom.to_string(Pow.Plug.Session)
  @persistent_cookie_key "#{@otp_app}_persistent_session"
  @persistent_cookie_signing_salt Atom.to_string(PowPersistentSession.Plug.Cookie)

  def init(:load), do: :load
  def init(:pow_session) do
    [
      fetch_token: &__MODULE__.client_store_fetch_session/1,
      namespace: :session
    ]
  end
  def init(:pow_persistent_session) do
    [
      fetch_token: &__MODULE__.client_store_fetch_persistent_cookie/1,
      namespace: :persistent_session
    ]
  end
  def init({type, opts}) do
    type
    |> init()
    |> Keyword.merge(opts)
  end

  def call(conn, type) do
    conn
    |> Plug.put_config(otp_app: @otp_app)
    |> do_call(type)
  end

  defp do_call(conn, :load) do
    Enum.reduce(conn.private[:invalidated_session_opts], conn, fn opts, conn ->
      maybe_load_from_cache(conn, Plug.current_user(conn), opts)
    end)
  end
  defp do_call(conn, opts) do
    fetch_fn = Keyword.fetch!(opts, :fetch_token)
    token    = fetch_fn.(conn)

    conn
    |> put_opts_in_private(opts)
    |> Conn.register_before_send(fn conn ->
      maybe_put_cache(conn, Plug.current_user(conn), token, opts)
    end)
  end

  defp maybe_load_from_cache(conn, nil, opts) do
    fetch_fn = Keyword.fetch!(opts, :fetch_token)

    case fetch_fn.(conn) do
      nil   -> conn
      token -> load_from_cache(conn, token, opts)
    end
  end
  defp maybe_load_from_cache(conn, _any, _opts), do: conn

  defp put_opts_in_private(conn, opts) do
    plug_opts = (conn.private[:invalidated_session_opts] || []) ++ [opts]

    Conn.put_private(conn, :invalidated_session_opts, plug_opts)
  end

  defp maybe_put_cache(conn, nil, _old_token, _opts), do: conn
  defp maybe_put_cache(conn, _user, nil, _opts), do: conn
  defp maybe_put_cache(conn, user, old_token, opts) do
    fetch_fn = Keyword.fetch!(opts, :fetch_token)

    case fetch_fn.(conn) do
      ^old_token -> conn
      _token     -> put_cache(conn, user, old_token, opts)
    end
  end

  defp put_cache(conn, user, token, opts) do
    {store, store_config} = invalidated_cache(conn, opts)

    store.put(store_config, token, user)

    conn
  end

  defp load_from_cache(conn, token, opts) do
    config                = Plug.fetch_config(conn)
    {store, store_config} = invalidated_cache(conn, opts)

    case store.get(store_config, token) do
      :not_found -> conn
      user       -> Plug.assign_current_user(conn, user, config)
    end
  end

  @doc false
  def client_store_fetch_session(conn) do
    conn = Conn.fetch_session(conn)

    with session_id when is_binary(session_id) <- Conn.get_session(conn, @session_key),
         {:ok, session_id}                     <- Plug.verify_token(conn, @session_signing_salt, session_id) do
      session_id
    else
      _any -> nil
    end
  end

  @doc false
  def client_store_fetch_persistent_cookie(conn) do
    conn = Conn.fetch_cookies(conn)

    with token when is_binary(token) <- conn.cookies[@persistent_cookie_key],
         {:ok, token}                <- Plug.verify_token(conn, @persistent_cookie_signing_salt, token) do
      token
    else
      _any -> nil
    end

  end

  defp invalidated_cache(conn, opts) do
    store_config = store_config(opts)
    config       = Plug.fetch_config(conn)
    store        = Config.get(config, :cache_store_backend, EtsCache)

    {store, store_config}
  end

  defp store_config(opts) do
    namespace = Keyword.fetch!(opts, :namespace)
    ttl       = Keyword.get(opts, :ttl, @store_ttl)

    [
      ttl: ttl,
      namespace: "invalidated_#{namespace}",
    ]
  end
end
Add plug to handle invalidated Pow session tokens (#36) * Add plug to handle invalidated Pow session tokens * Add token signing * Refactor for tests 2020-04-11 20:54:55 +02:00			`defmodule PhilomenaWeb.PowInvalidatedSessionPlug do`
			`@moduledoc """`
			`This plug ensures that invalidated sessions can still be used for a short`
			`amount of time.`

			`This MAY introduce a slight timing attack vector, but in practice would be`
			`unlikely as all tokens expires after 60 seconds.`

			`## Example`

			`plug MyAppWeb.PowInvalidatedSessionPlug, :pow_session`
			`plug MyAppWeb.PowInvalidatedSessionPlug, :pow_persistent_session`
			`plug Pow.Plug.Session, otp_app: :my_app`
			`plug PowPersistentSession.Plug.Cookie`
			`plug MyAppWeb.PowInvalidatedSessionPlug, :load`

			`"""`
			`alias Plug.Conn`
			`alias Pow.{Config, Plug, Store.Backend.EtsCache}`

			`@store_ttl :timer.minutes(1)`
			`@otp_app :philomena`
			`@session_key "#{@otp_app}_auth"`
			`@session_signing_salt Atom.to_string(Pow.Plug.Session)`
			`@persistent_cookie_key "#{@otp_app}_persistent_session"`
			`@persistent_cookie_signing_salt Atom.to_string(PowPersistentSession.Plug.Cookie)`

			`def init(:load), do: :load`
			`def init(:pow_session) do`
			`[`
			`fetch_token: &__MODULE__.client_store_fetch_session/1,`
			`namespace: :session`
			`]`
			`end`
			`def init(:pow_persistent_session) do`
			`[`
			`fetch_token: &__MODULE__.client_store_fetch_persistent_cookie/1,`
			`namespace: :persistent_session`
			`]`
			`end`
			`def init({type, opts}) do`
			`type`
			`\|> init()`
			`\|> Keyword.merge(opts)`
			`end`

			`def call(conn, type) do`
			`conn`
			`\|> Plug.put_config(otp_app: @otp_app)`
			`\|> do_call(type)`
			`end`

			`defp do_call(conn, :load) do`
			`Enum.reduce(conn.private[:invalidated_session_opts], conn, fn opts, conn ->`
			`maybe_load_from_cache(conn, Plug.current_user(conn), opts)`
			`end)`
			`end`
			`defp do_call(conn, opts) do`
			`fetch_fn = Keyword.fetch!(opts, :fetch_token)`
			`token = fetch_fn.(conn)`

			`conn`
			`\|> put_opts_in_private(opts)`
			`\|> Conn.register_before_send(fn conn ->`
			`maybe_put_cache(conn, Plug.current_user(conn), token, opts)`
			`end)`
			`end`

			`defp maybe_load_from_cache(conn, nil, opts) do`
			`fetch_fn = Keyword.fetch!(opts, :fetch_token)`

			`case fetch_fn.(conn) do`
			`nil -> conn`
			`token -> load_from_cache(conn, token, opts)`
			`end`
			`end`
			`defp maybe_load_from_cache(conn, _any, _opts), do: conn`

			`defp put_opts_in_private(conn, opts) do`
			`plug_opts = (conn.private[:invalidated_session_opts] \|\| []) ++ [opts]`

			`Conn.put_private(conn, :invalidated_session_opts, plug_opts)`
			`end`

			`defp maybe_put_cache(conn, nil, _old_token, _opts), do: conn`
			`defp maybe_put_cache(conn, _user, nil, _opts), do: conn`
			`defp maybe_put_cache(conn, user, old_token, opts) do`
			`fetch_fn = Keyword.fetch!(opts, :fetch_token)`

			`case fetch_fn.(conn) do`
			`^old_token -> conn`
			`_token -> put_cache(conn, user, old_token, opts)`
			`end`
			`end`

			`defp put_cache(conn, user, token, opts) do`
			`{store, store_config} = invalidated_cache(conn, opts)`

			`store.put(store_config, token, user)`

			`conn`
			`end`

			`defp load_from_cache(conn, token, opts) do`
			`config = Plug.fetch_config(conn)`
			`{store, store_config} = invalidated_cache(conn, opts)`

			`case store.get(store_config, token) do`
			`:not_found -> conn`
			`user -> Plug.assign_current_user(conn, user, config)`
			`end`
			`end`

			`@doc false`
			`def client_store_fetch_session(conn) do`
			`conn = Conn.fetch_session(conn)`

			`with session_id when is_binary(session_id) <- Conn.get_session(conn, @session_key),`
			`{:ok, session_id} <- Plug.verify_token(conn, @session_signing_salt, session_id) do`
			`session_id`
			`else`
			`_any -> nil`
			`end`
			`end`

			`@doc false`
			`def client_store_fetch_persistent_cookie(conn) do`
			`conn = Conn.fetch_cookies(conn)`

			`with token when is_binary(token) <- conn.cookies[@persistent_cookie_key],`
			`{:ok, token} <- Plug.verify_token(conn, @persistent_cookie_signing_salt, token) do`
			`token`
			`else`
			`_any -> nil`
			`end`

			`end`

			`defp invalidated_cache(conn, opts) do`
			`store_config = store_config(opts)`
			`config = Plug.fetch_config(conn)`
			`store = Config.get(config, :cache_store_backend, EtsCache)`

			`{store, store_config}`
			`end`

			`defp store_config(opts) do`
			`namespace = Keyword.fetch!(opts, :namespace)`
			`ttl = Keyword.get(opts, :ttl, @store_ttl)`

			`[`
			`ttl: ttl,`
			`namespace: "invalidated_#{namespace}",`
			`]`
			`end`
			`end`