games: a news session that travels to the games box

preferred_username was being read from the ID token and thrown away after
serving as a display-name fallback. It is the whole identity story: MAS imports
it as the Matrix localpart, so it is also who the player is in the euro economy.
Keep it in the session, and derive @user:server from it.

The session cookie was host-only, so a sign-in on news never reached games.
Widen it with an opt-in web.auth.cookie_domain — but only the session cookie:
the OAuth round-trip cookie pairs with a redirect back to the host that started
the login and stays where it was set. And because the redirect must return to
that host, the redirect_uri is now derived per-request for hosts inside the
cookie domain, with the configured URL as the fallback for anything else — a
Host header we don't own is never echoed into a redirect.
This commit is contained in:
prosolis
2026-07-13 23:04:09 -07:00
parent 44613c4760
commit cb84e1d549
4 changed files with 184 additions and 5 deletions

View File

@@ -11,6 +11,7 @@ import (
"fmt"
"log/slog"
"net/http"
"net/url"
"strings"
"time"
@@ -32,6 +33,7 @@ type Authenticator struct {
oauth *oauth2.Config
verifier *oidc.IDTokenVerifier
secret []byte
domain string // cookie Domain; empty means host-only
}
// SessionUser is the identity carried in the signed session cookie.
@@ -39,7 +41,23 @@ type SessionUser struct {
Sub string `json:"sub"`
Name string `json:"name,omitempty"`
Email string `json:"email,omitempty"`
Exp int64 `json:"exp"`
// Username is the Authentik preferred_username, which MAS imported as the
// Matrix localpart — so it is also who this person is in the game economy.
// Sessions signed before games existed don't carry it; MatrixUser returns
// "" for those and the caller sends them back through sign-in.
Username string `json:"username,omitempty"`
Exp int64 `json:"exp"`
}
// MatrixUser maps the session to a Matrix ID on the given server name, e.g.
// "reala" on "parodia.dev" -> "@reala:parodia.dev". Empty if either half is
// missing, which callers must treat as "not identified in the economy".
func (u *SessionUser) MatrixUser(serverName string) string {
name := strings.ToLower(strings.TrimSpace(u.Username))
if name == "" || serverName == "" {
return ""
}
return "@" + name + ":" + serverName
}
// Display is the friendly name shown in the header (name, else email, else sub).
@@ -88,6 +106,7 @@ func newAuthenticator(ctx context.Context, cfg config.AuthConfig) (*Authenticato
},
verifier: provider.Verifier(&oidc.Config{ClientID: cfg.ClientID}),
secret: []byte(cfg.SessionSecret),
domain: strings.TrimSpace(cfg.CookieDomain),
}, nil
}
@@ -150,11 +169,23 @@ func (a *Authenticator) userFromRequest(r *http.Request) *SessionUser {
return &u
}
// cookieDomain is the Domain attribute for a given cookie. Only the session
// cookie is widened: the OAuth round-trip cookie stays host-only, because it
// pairs with a redirect back to the host that started the login and has no
// business being readable from anywhere else.
func (a *Authenticator) cookieDomain(name string) string {
if name == sessionCookie {
return a.domain
}
return ""
}
func (a *Authenticator) setCookie(w http.ResponseWriter, name, value string, ttl time.Duration) {
http.SetCookie(w, &http.Cookie{
Name: name,
Value: value,
Path: "/",
Domain: a.cookieDomain(name),
Expires: time.Now().Add(ttl),
MaxAge: int(ttl.Seconds()),
HttpOnly: true,
@@ -166,10 +197,42 @@ func (a *Authenticator) setCookie(w http.ResponseWriter, name, value string, ttl
func (a *Authenticator) clearCookie(w http.ResponseWriter, name string) {
http.SetCookie(w, &http.Cookie{
Name: name, Value: "", Path: "/", MaxAge: -1,
Domain: a.cookieDomain(name),
HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
})
}
// oauthFor returns the OAuth config to use for this request. The configured
// redirect_url names one host (news), but a login that starts on games has to
// come back to games — otherwise the browser is dumped on the news site with
// its "next" path pointing at a page that lives elsewhere. So when the request
// arrives on a host inside the shared cookie domain, keep the redirect on that
// host, reusing the configured URL's scheme and path. Every host used this way
// must be registered as a redirect URI in Authentik.
func (a *Authenticator) oauthFor(r *http.Request) *oauth2.Config {
if a.domain == "" || !hostInDomain(r.Host, a.domain) {
return a.oauth
}
u, err := url.Parse(a.oauth.RedirectURL)
if err != nil || u.Host == r.Host {
return a.oauth
}
cfg := *a.oauth
cfg.RedirectURL = u.Scheme + "://" + r.Host + u.Path
return &cfg
}
// hostInDomain reports whether host sits inside a cookie domain like
// ".parodia.dev" (which also covers the bare "parodia.dev").
func hostInDomain(host, domain string) bool {
if i := strings.IndexByte(host, ':'); i >= 0 {
host = host[:i] // strip port
}
host = strings.ToLower(host)
bare := strings.TrimPrefix(strings.ToLower(domain), ".")
return host == bare || strings.HasSuffix(host, "."+bare)
}
// ---- handlers -------------------------------------------------------------
// handleLogin starts the OIDC authorization-code flow.
@@ -182,7 +245,7 @@ func (a *Authenticator) handleLogin(w http.ResponseWriter, r *http.Request) {
}
payload, _ := json.Marshal(st)
a.setCookie(w, oauthCookie, a.sign(payload), oauthTTL)
http.Redirect(w, r, a.oauth.AuthCodeURL(st.State, oidc.Nonce(st.Nonce)), http.StatusFound)
http.Redirect(w, r, a.oauthFor(r).AuthCodeURL(st.State, oidc.Nonce(st.Nonce)), http.StatusFound)
}
// handleCallback completes the flow: validates state, exchanges the code,
@@ -212,7 +275,7 @@ func (a *Authenticator) handleCallback(w http.ResponseWriter, r *http.Request) {
ctx, cancel := context.WithTimeout(r.Context(), 15*time.Second)
defer cancel()
tok, err := a.oauth.Exchange(ctx, r.URL.Query().Get("code"))
tok, err := a.oauthFor(r).Exchange(ctx, r.URL.Query().Get("code"))
if err != nil {
slog.Error("auth: code exchange failed", "err", err)
http.Error(w, "sign-in failed", http.StatusBadGateway)
@@ -247,7 +310,13 @@ func (a *Authenticator) handleCallback(w http.ResponseWriter, r *http.Request) {
if name == "" {
name = claims.PreferredUsername
}
u := SessionUser{Sub: claims.Sub, Name: name, Email: claims.Email, Exp: time.Now().Add(sessionTTL).Unix()}
u := SessionUser{
Sub: claims.Sub,
Name: name,
Email: claims.Email,
Username: claims.PreferredUsername,
Exp: time.Now().Add(sessionTTL).Unix(),
}
sess, _ := json.Marshal(u)
a.setCookie(w, sessionCookie, a.sign(sess), sessionTTL)
slog.Info("auth: user signed in", "sub", claims.Sub, "name", name)