New approach

Author: dgellow

internal/auth/browser.go

@@ -3,7 +3,6 @@ package auth
 import (
 	"context"
 	"encoding/json"
-	"fmt"
 	"net/http"
 	"time"
 
@@ -19,15 +18,25 @@ type SessionData struct {
 	Expires time.Time `json:"expires"`
 }
 
+// BrowserState represents the state parameter data for browser SSO
+type BrowserState struct {
+	Nonce     string `json:"nonce"`
+	ReturnURL string `json:"return_url"`
+}
+
 // SSOMiddleware creates middleware for browser-based SSO authentication
 func (s *Server) SSOMiddleware() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			// Check for session cookie
 			sessionValue, err := cookie.GetSession(r)
 			if err != nil {
-				// No cookie, redirect directly to Google OAuth
+				// No cookie, redirect directly to OAuth
 				state := s.generateBrowserState(r.URL.String())
+				if state == "" {
+					jsonwriter.WriteInternalServerError(w, "Failed to generate authentication state")
+					return
+				}
 				googleURL := s.authService.GoogleAuthURL(state)
 				http.Redirect(w, r, googleURL, http.StatusFound)
 				return
@@ -56,11 +65,14 @@ func (s *Server) SSOMiddleware() func(http.Handler) http.Handler {
 
 			// Check expiration
 			if time.Now().After(sessionData.Expires) {
-				// Expired session
 				log.LogDebug("Session expired for user %s", sessionData.Email)
 				cookie.ClearSession(w)
 				// Redirect directly to Google OAuth
 				state := s.generateBrowserState(r.URL.String())
+				if state == "" {
+					jsonwriter.WriteInternalServerError(w, "Failed to generate authentication state")
+					return
+				}
 				googleURL := s.authService.GoogleAuthURL(state)
 				http.Redirect(w, r, googleURL, http.StatusFound)
 				return
@@ -75,14 +87,16 @@ func (s *Server) SSOMiddleware() func(http.Handler) http.Handler {
 
 // generateBrowserState creates a secure state parameter for browser SSO
 func (s *Server) generateBrowserState(returnURL string) string {
-	// Generate random nonce
-	nonce := crypto.GenerateSecureToken()
-
-	// Create signed CSRF token: nonce + HMAC(nonce + returnURL)
-	// This ensures the token is tied to the specific return URL
-	data := nonce + ":" + returnURL
-	signature := crypto.SignData(data, []byte(s.config.EncryptionKey))
+	state := BrowserState{
+		Nonce:     crypto.GenerateSecureToken(),
+		ReturnURL: returnURL,
+	}
 
-	// Format: "browser:nonce:signature:returnURL"
-	return fmt.Sprintf("browser:%s:%s:%s", nonce, signature, returnURL)
+	token, err := s.browserStateToken.Sign(state)
+	if err != nil {
+		log.LogError("Failed to sign browser state: %v", err)
+		// Return empty string to trigger auth failure - middleware will handle it
+		return ""
+	}
+	return "browser:" + token
 }

internal/auth/server.go

@@ -33,11 +33,12 @@ func GetUserContextKey() contextKey {
 
 // Server wraps fosite.OAuth2Provider with clean architecture
 type Server struct {
-	provider         fosite.OAuth2Provider
-	storage          storage.Storage
-	authService      *authService
-	config           Config
-	sessionEncryptor crypto.Encryptor // Created once for browser SSO performance
+	provider          fosite.OAuth2Provider
+	storage           storage.Storage
+	authService       *authService
+	config            Config
+	sessionEncryptor  crypto.Encryptor
+	browserStateToken *crypto.SignedToken
 }
 
 // Config holds OAuth server configuration
@@ -132,11 +133,12 @@ func NewServer(config Config, store storage.Storage) (*Server, error) {
 	}
 
 	return &Server{
-		provider:         provider,
-		storage:          store,
-		authService:      authService,
-		config:           config,
-		sessionEncryptor: sessionEncryptor,
+		provider:          provider,
+		storage:           store,
+		authService:       authService,
+		config:            config,
+		sessionEncryptor:  sessionEncryptor,
+		browserStateToken: crypto.NewSignedToken(key, 10*time.Minute),
 	}, nil
 }
 

internal/crypto/signed_token.go

@@ -0,0 +1,98 @@
+package crypto
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"time"
+)
+
+// SignedToken provides HMAC-signed JSON tokens with optional expiry
+type SignedToken struct {
+	signingKey []byte
+	ttl        time.Duration
+}
+
+// NewSignedToken creates a new signed token handler
+func NewSignedToken(signingKey []byte, ttl time.Duration) *SignedToken {
+	return &SignedToken{
+		signingKey: signingKey,
+		ttl:        ttl,
+	}
+}
+
+// TokenData wraps user data with metadata
+type TokenData struct {
+	Data      json.RawMessage `json:"data"`
+	ExpiresAt time.Time       `json:"expires_at,omitempty"`
+}
+
+// Sign marshals data to JSON, signs it with HMAC, and returns a base64-encoded token
+func (st *SignedToken) Sign(v any) (string, error) {
+	// Marshal user data
+	userData, err := json.Marshal(v)
+	if err != nil {
+		return "", fmt.Errorf("failed to marshal data: %w", err)
+	}
+
+	// Wrap with metadata
+	tokenData := TokenData{
+		Data: userData,
+	}
+	if st.ttl > 0 {
+		tokenData.ExpiresAt = time.Now().Add(st.ttl)
+	}
+
+	// Marshal complete token
+	jsonData, err := json.Marshal(tokenData)
+	if err != nil {
+		return "", fmt.Errorf("failed to marshal token data: %w", err)
+	}
+
+	// Create signature
+	signature := SignData(string(jsonData), st.signingKey)
+
+	// Combine data and signature
+	combined := fmt.Sprintf("%s.%s", base64.URLEncoding.EncodeToString(jsonData), signature)
+	return combined, nil
+}
+
+// Verify validates the signature, checks expiry, and unmarshals the data
+func (st *SignedToken) Verify(token string, v any) error {
+	// Split data and signature
+	parts := strings.Split(token, ".")
+	if len(parts) != 2 {
+		return fmt.Errorf("invalid token format")
+	}
+
+	// Decode JSON data
+	jsonData, err := base64.URLEncoding.DecodeString(parts[0])
+	if err != nil {
+		return fmt.Errorf("failed to decode token data: %w", err)
+	}
+
+	// Verify signature
+	signature := parts[1]
+	if !ValidateSignedData(string(jsonData), signature, st.signingKey) {
+		return fmt.Errorf("invalid signature")
+	}
+
+	// Unmarshal token data
+	var tokenData TokenData
+	if err := json.Unmarshal(jsonData, &tokenData); err != nil {
+		return fmt.Errorf("failed to unmarshal token data: %w", err)
+	}
+
+	// Check expiry
+	if !tokenData.ExpiresAt.IsZero() && time.Now().After(tokenData.ExpiresAt) {
+		return fmt.Errorf("token expired")
+	}
+
+	// Unmarshal user data
+	if err := json.Unmarshal(tokenData.Data, v); err != nil {
+		return fmt.Errorf("failed to unmarshal user data: %w", err)
+	}
+
+	return nil
+}