Skip to content

Commit 025d848

Browse files
akclaceakclace
committed
Fix error handling for SAML flow
1 parent ee15aab commit 025d848

File tree

1 file changed

+25
-9
lines changed

1 file changed

+25
-9
lines changed

internal/server/saml.go

Lines changed: 25 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -426,6 +426,10 @@ func (s *SAMLManager) login(w http.ResponseWriter, r *http.Request, providerName
426426
session, err := s.cookieStore.Get(r, cookieName)
427427
if err != nil {
428428
http.Error(w, "error getting session: "+err.Error(), http.StatusInternalServerError)
429+
if session != nil {
430+
session.Options.MaxAge = -1
431+
_ = session.Save(r, w)
432+
}
429433
return
430434
}
431435

@@ -576,6 +580,14 @@ func (s *SAMLManager) redirect(w http.ResponseWriter, r *http.Request) {
576580
return
577581
}
578582
sessionId := string(sessionIdBytes)
583+
success := false
584+
585+
defer func() {
586+
if !success {
587+
session.Options.MaxAge = -1 // delete the session if there is an error
588+
_ = session.Save(r, w)
589+
}
590+
}()
579591

580592
// Get the state map, delete the entry from database, validate state, set the session values
581593
// in the cookie and then redirect to original url
@@ -590,36 +602,40 @@ func (s *SAMLManager) redirect(w http.ResponseWriter, r *http.Request) {
590602
http.Error(w, "error deleting state: "+err.Error(), http.StatusInternalServerError)
591603
return
592604
}
593-
redirectUrl, ok := session.Values[REDIRECT_URL].(string)
605+
606+
auth, ok := stateMap[AUTH_KEY].(bool)
594607
if !ok {
595-
http.Error(w, "error matching session, redirect url not found", http.StatusInternalServerError)
608+
http.Error(w, "error matching session, auth not found", http.StatusInternalServerError)
609+
return
610+
}
611+
if !auth {
612+
http.Error(w, "error matching session, expected auth to be true", http.StatusInternalServerError)
596613
return
597614
}
598615

599-
if auth, ok := session.Values[AUTH_KEY].(bool); !ok || auth {
600-
// already authenticated, redirect to original url
601-
http.Redirect(w, r, redirectUrl, http.StatusFound)
616+
redirectUrl, ok := session.Values[REDIRECT_URL].(string)
617+
if !ok {
618+
http.Error(w, "error matching session, redirect url not found", http.StatusInternalServerError)
602619
return
603620
}
604621

605622
if stateMap[PROVIDER_NAME_KEY] != providerName || stateMap[REDIRECT_URL] != redirectUrl {
606623
http.Error(w, "error matching session state", http.StatusInternalServerError)
607624
return
608625
}
609-
if stateMap[AUTH_KEY] != true {
610-
http.Error(w, "error matching session state, expected auth to be true", http.StatusInternalServerError)
611-
return
612-
}
626+
613627
if stateMap[NONCE_KEY] != sessionNonce {
614628
http.Error(w, "error matching session state, nonce mismatch", http.StatusInternalServerError)
615629
return
616630
}
617631

618632
// Update the session cookie with the new values
633+
success = true
619634
session.Values[AUTH_KEY] = true
620635
session.Values[USER_KEY] = stateMap[USER_KEY].(string)
621636
session.Values[GROUPS_KEY] = stateMap[GROUPS_KEY].([]any)
622637
session.Values[SESSION_INDEX_KEY] = stateMap[SESSION_INDEX_KEY].(string)
638+
delete(session.Values, REDIRECT_URL)
623639
err = session.Save(r, w)
624640
if err != nil {
625641
http.Error(w, "error saving session: "+err.Error(), http.StatusInternalServerError)

0 commit comments

Comments
 (0)