[oidc proxy] Create only one ydb_oidc_cookie (#9588)

Author: molotkov-and

ydb/mvp/oidc_proxy/context.cpp

@@ -4,15 +4,16 @@
 #include <library/cpp/string_utils/base64/base64.h>
 #include <ydb/library/actors/http/http.h>
 #include "openid_connect.h"
+#include "oidc_settings.h"
 #include "context.h"
 
 namespace NMVP {
 namespace NOIDC {
 
-TContext::TContext(const TString& state, const TString& requestedAddress, bool isAjaxRequest)
-    : State(state)
-    , AjaxRequest(isAjaxRequest)
-    , RequestedAddress(requestedAddress)
+TContext::TContext(const TInitializer& initializer)
+    : State(initializer.State)
+    , AjaxRequest(initializer.AjaxRequest)
+    , RequestedAddress(initializer.RequestedAddress)
 {}
 
 TContext::TContext(const NHttp::THttpIncomingRequestPtr& request)
@@ -21,8 +22,17 @@ TContext::TContext(const NHttp::THttpIncomingRequestPtr& request)
     , RequestedAddress(GetRequestedUrl(request, AjaxRequest))
 {}
 
-TString TContext::GetState() const {
-    return State;
+TString TContext::GetState(const TString& key) const {
+    static const TDuration STATE_LIFE_TIME = TDuration::Minutes(10);
+    TInstant expirationTime = TInstant::Now() + STATE_LIFE_TIME;
+    TStringBuilder json;
+    json << "{\"state\":\"" << State
+         << "\",\"expiration_time\":\"" << ToString(expirationTime.TimeT()) << "\"}";
+    TString digest = HmacSHA1(key, json);
+    TStringBuilder signedState;
+    signedState << "{\"container\":\"" << Base64Encode(json) << "\","
+                  "\"digest\":\"" << Base64Encode(digest) << "\"}";
+    return Base64EncodeNoPadding(signedState);
 }
 
 bool TContext::IsAjaxRequest() const {
@@ -34,25 +44,22 @@ TString TContext::GetRequestedAddress() const {
 }
 
 TString TContext::CreateYdbOidcCookie(const TString& secret) const {
-    static constexpr size_t COOKIE_MAX_AGE_SEC = 420;
-    return TStringBuilder() << CreateNameYdbOidcCookie(secret, State) << "="
+    static constexpr size_t COOKIE_MAX_AGE_SEC = 3600;
+    return TStringBuilder() << TOpenIdConnectSettings::YDB_OIDC_COOKIE << "="
                             << GenerateCookie(secret) << ";"
                             " Path=" << GetAuthCallbackUrl() << ";"
                             " Max-Age=" << COOKIE_MAX_AGE_SEC << ";"
                             " SameSite=None; Secure";
 }
 
-TString TContext::GenerateCookie(const TString& secret) const {
-    const TDuration StateLifeTime = TDuration::Minutes(10);
-    TInstant expirationTime = TInstant::Now() + StateLifeTime;
-    TStringBuilder stateStruct;
-    stateStruct << "{\"state\":\"" << State
-                << "\",\"requested_address\":\"" << RequestedAddress
-                << "\",\"expiration_time\":" << ToString(expirationTime.TimeT())
-                << ",\"ajax_request\":" << (AjaxRequest ? "true" : "false") << "}";
-    TString digest = HmacSHA256(secret, stateStruct);
-    TString cookieStruct {"{\"state_struct\":\"" + Base64Encode(stateStruct) + "\",\"digest\":\"" + Base64Encode(digest) + "\"}"};
-    return Base64Encode(cookieStruct);
+TString TContext::GenerateCookie(const TString& key) const {
+    TStringBuilder requestedAddressContext;
+    requestedAddressContext << "{\"requested_address\":\"" << RequestedAddress << "\"}";
+    TString digest = HmacSHA256(key, requestedAddressContext);
+    TStringBuilder signedRequestedAddress;
+    signedRequestedAddress << "{\"requested_address_context\":\"" << Base64Encode(requestedAddressContext)
+                           << "\",\"digest\":\"" << Base64Encode(digest) << "\"}";
+    return Base64Encode(signedRequestedAddress);
 }
 
 TString TContext::GenerateState() {

ydb/mvp/oidc_proxy/context.h

@@ -14,16 +14,24 @@ namespace NMVP {
 namespace NOIDC {
 
 class TContext {
+public:
+    struct TInitializer {
+        TString State;
+        TString RequestedAddress;
+        bool AjaxRequest = false;
+    };
+
 private:
     TString State;
     bool AjaxRequest = false;
     TString RequestedAddress;
 
 public:
-    TContext(const TString& state = "", const TString& requestedAddress = "", bool isAjaxRequest = false);
+    TContext() = default;
+    TContext(const TInitializer& initializer);
     TContext(const NHttp::THttpIncomingRequestPtr& request);
 
-    TString GetState() const;
+    TString GetState(const TString& key) const;
     bool IsAjaxRequest() const;
     TString GetRequestedAddress() const;
 
@@ -34,7 +42,7 @@ class TContext {
     static bool DetectAjaxRequest(const NHttp::THttpIncomingRequestPtr& request);
     static TStringBuf GetRequestedUrl(const NHttp::THttpIncomingRequestPtr& request, bool isAjaxRequest);
 
-    TString GenerateCookie(const TString& secret) const;
+    TString GenerateCookie(const TString& key) const;
 };
 
 } // NOIDC

ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp

@@ -100,8 +100,7 @@ void THandlerSessionServiceCheckNebius::ExchangeSessionToken(const TString sessi
 
 void THandlerSessionServiceCheckNebius::RequestAuthorizationCode(const NActors::TActorContext& ctx) {
     LOG_DEBUG_S(ctx, EService::MVP, "Request authorization code");
-    TContext context(Request);
-    NHttp::THttpOutgoingResponsePtr httpResponse = GetHttpOutgoingResponsePtr(Request, Settings, context);
+    NHttp::THttpOutgoingResponsePtr httpResponse = GetHttpOutgoingResponsePtr(Request, Settings);
     ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
     Die(ctx);
 }

ydb/mvp/oidc_proxy/oidc_protected_page_yandex.cpp

@@ -32,8 +32,7 @@ void THandlerSessionServiceCheckYandex::Handle(TEvPrivate::TEvErrorResponse::TPt
     LOG_DEBUG_S(ctx, EService::MVP, "SessionService.Check(): " << event->Get()->Status);
     NHttp::THttpOutgoingResponsePtr httpResponse;
     if (event->Get()->Status == "400") {
-        TContext context(Request);
-        httpResponse = GetHttpOutgoingResponsePtr(Request, Settings, context);
+        httpResponse = GetHttpOutgoingResponsePtr(Request, Settings);
     } else {
         httpResponse = Request->CreateResponse( event->Get()->Status, event->Get()->Message, "text/plain", event->Get()->Details);
     }