detect when we should set a new cookie from the auth provider

Signed-off-by: Donnie Adams <[email protected]>
obot-platform · Jan 20, 2025 · c36a669 · c36a669
1 parent 4c53bfe
commit c36a669
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 12 deletions.
diff --git a/go.mod b/go.mod
@@ -205,7 +205,6 @@ require (
 	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
 	github.com/stoewer/go-strcase v1.2.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
-	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/therootcompany/xz v1.0.1 // indirect
 	github.com/tidwall/gjson v1.18.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect

diff --git a/pkg/api/server/server.go b/pkg/api/server/server.go
@@ -62,6 +62,10 @@ func (s *Server) wrap(f api.HandlerFunc) http.HandlerFunc {
 			return
 		}
 
+		if setCookie := firstValue(user.GetExtra(), "set-cookie"); setCookie != "" {
+			rw.Header().Set("Set-Cookie", setCookie)
+		}
+
 		if !s.authorizer.Authorize(req, user) {
 			http.Error(rw, "forbidden", http.StatusForbidden)
 			return
@@ -90,3 +94,11 @@ func (s *Server) wrap(f api.HandlerFunc) http.HandlerFunc {
 		}
 	}
 }
+
+func firstValue(m map[string][]string, key string) string {
+	values := m[key]
+	if len(values) == 0 {
+		return ""
+	}
+	return values[0]
+}
diff --git a/pkg/proxy/proxy.go b/pkg/proxy/proxy.go
@@ -175,6 +175,7 @@ type SerializableState struct {
 	PreferredUsername string     `json:"preferredUsername"`
 	User              string     `json:"user"`
 	Email             string     `json:"email"`
+	SetCookie         string     `json:"setCookie"`
 }
 
 func (p *Proxy) authenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
@@ -198,9 +199,10 @@ func (p *Proxy) authenticateRequest(req *http.Request) (*authenticator.Response,
 	if err != nil {
 		return nil, false, err
 	}
+	defer stateResponse.Body.Close()
 
 	var ss SerializableState
-	if err := json.NewDecoder(stateResponse.Body).Decode(&ss); err != nil {
+	if err = json.NewDecoder(stateResponse.Body).Decode(&ss); err != nil {
 		return nil, false, err
 	}
 
@@ -212,20 +214,26 @@ func (p *Proxy) authenticateRequest(req *http.Request) (*authenticator.Response,
 		}
 	}
 
+	u := &user.DefaultInfo{
+		UID:  ss.User,
+		Name: userName,
+		Extra: map[string][]string{
+			"email":                   {ss.Email},
+			"auth_provider_name":      {p.name},
+			"auth_provider_namespace": {p.namespace},
+		},
+	}
+
+	if ss.SetCookie != "" {
+		u.Extra["set-cookie"] = []string{ss.SetCookie}
+	}
+
 	if req.URL.Path == "/api/me" {
 		// Put the access token on the context so that the profile icon can be fetched.
 		*req = *req.WithContext(accesstoken.ContextWithAccessToken(req.Context(), ss.AccessToken))
 	}
 
 	return &authenticator.Response{
-		User: &user.DefaultInfo{
-			UID:  ss.User,
-			Name: userName,
-			Extra: map[string][]string{
-				"email":                   {ss.Email},
-				"auth_provider_name":      {p.name},
-				"auth_provider_namespace": {p.namespace},
-			},
-		},
+		User: u,
 	}, true, nil
 }
diff --git a/pkg/services/config.go b/pkg/services/config.go
@@ -65,7 +65,7 @@ type Config struct {
 	Docker                     bool     `usage:"Enable Docker support" default:"false" env:"OBOT_DOCKER"`
 	EnvKeys                    []string `usage:"The environment keys to pass through to the GPTScript server" env:"OBOT_ENV_KEYS"`
 	KnowledgeSetIngestionLimit int      `usage:"The maximum number of files to ingest into a knowledge set" default:"3000" env:"OBOT_KNOWLEDGESET_INGESTION_LIMIT" name:"knowledge-set-ingestion-limit"`
-	EnableAuthentication       bool     `usage:"Enable authentication" default:"false" env:"OBOT_ENABLE_AUTHENTICATION"`
+	EnableAuthentication       bool     `usage:"Enable authentication" default:"false"`
 	AuthAdminEmails            []string `usage:"Emails of admin users"`
 
 	// Sendgrid webhook