README
¶
Sesh
Sesh is a session management library written in Go. It uses a postgres table to track current sessions and their expiration, and it logs all session lifecycle events. It was created to fulfill the following requirements:
- Sessions can be ended server-side, immediately rejecting all further requests from that session
- Only one session can be active at a time, if you login while you have a session active the old one will be ended.
- The browser stores the session in an HttpOnly cookie, minimizing the attack surface area for intercepting the session
- All session lifecycle events are logged: creation, destruction, reuse, and invalid requests.
Configuration
- Run the migration included in ./migrations to set up the
sessionstable in your postgres db. - Instantiate the sesh.Sessions struct
dbConnection, err := sqlx.Open("postgres", dbConnectionURL)
if err != nil {
return nil, fmt.Errorf("error connecting to database using sqlx.Open: %w", err)
}
seshLogger := AuthLogger{}
sessions := sesh.NewSessions(dbConnection, seshLogger, 5*time.Minute, false)
There are several options, described below.
- Pass the Sessions struct to anywhere that needs it. Likely your router and your login/logout handlers.
Usage
There are 5 places in your code where you need to interact with sesh once it's configured.
- Login
- Middleware for protected routes:
- Extracting the session id inside protected handlers
- Logout
Login
When a user successfully authenticates (whether via username/password, OAuth, client certs, etc.), create a new login and set the HttpOnly cookie like so:
// With a valid accountID, we can begin a session.
_, err := sessions.UserDidAuthenticate(w, accountID.String())
if err != nil {
fmt.Println("Error Creating New Session", err)
http.Error(w, 500, http.StatusInternalServerError)
return
}
}
This will create a new session associated with that AccountID and set the sesh cookie in the response writer. AccountID can be any string.
Middleware for protected routes
To protect a route with sesh, add the sesh middleware to it.
router := mux.NewRouter()
protectedRoutes := router.PathPrefix("/me").Subrouter()
protectedRoutes.Handle("", fetchCurrentUserHandler)
protectedRoutes.Handle("/dogs", fetchDogsHandler)
protectedRoutes.Use(sessions.AuthenticationMiddleware())
The middleware will grab the sesh cookie from the request, check that the session with that ID is valid, and add the Session struct to the context. If any part of that fails, it will log, write an error to the response, and not call any further http handlers.
Extracting the session id inside protected handlers
Inside your protected handlers, you can access the current Session object from the context to get the AccountID that the session belongs to.
func (r *UserHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
session := sesh.SessionFromContext(ctx)
user, err := fetchUserForID(session.AccountID)
...
The session object is inserted into the context by the AuthenticationMiddleware
Logout
When someone logs out, you can end a session thusly:
logoutErr := sessions.UserDidLogout(w, r)
if logoutErr != nil {
fmt.Println("Error logging out user", logoutErr)
http.Error(w, 500, http.StatusInternalServerError)
return
}
This will check the sesh cookie in the request, and end the session.
NOTE: while your login handler must not be protected by the AuthenticationMiddleware, your logout handler must be protected so.
Lineage
This project was adapted from the session management code written for Culper.
Documentation
¶
Overview ¶
Package sesh is a session management library written in Go. It uses a postgres table to track current sessions and their expiration, and it logs all session lifecycle events.
Index ¶
- func ContextWithTestSession(ctx context.Context, session Session) context.Context
- type Session
- type Sessions
- func (s Sessions) AuthenticateUserAndAddToTestRequest(r *http.Request, accountID string) error
- func (s Sessions) AuthenticationMiddleware() func(http.Handler) http.Handler
- func (s Sessions) UserDidAuthenticate(w http.ResponseWriter, accountID string) (sessionKey string, err error)
- func (s Sessions) UserDidLogout(w http.ResponseWriter, r *http.Request) error
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Session ¶
Session contains all the information about a given user session This type is inserted into the context by the AuthenticationMiddleware
func SessionFromContext ¶
SessionFromContext pulls the current sesh.Session object out of the context This function is all that is required in your handlers to get the current session information
type Sessions ¶
type Sessions struct {
// contains filtered or unexported fields
}
Sessions manage browser sessions with a db table and logs all significant lifecycle events
func NewSessions ¶
func NewSessions(db *sqlx.DB, log domain.LogService, timeout time.Duration, useSecureCookie bool) Sessions
NewSessions returns a configured Sessions, taking an existing sqlx.DB as the first argument.
func (Sessions) AuthenticateUserAndAddToTestRequest ¶ added in v0.0.3
AuthenticateUserAndAddToTestRequest is not used in the operation of sesh. It is intended to be used in your tests to create a valid session for a request, alleviating you from having to make a login request as part of the test.
func (Sessions) AuthenticationMiddleware ¶
AuthenticationMiddleware reads the session cookie and verifies that the request is being made by someone with a valid session It then stores the current session in the context, which can be retrieved with SessionFromContext(ctx) If the session is invalid it responds with an error and does not call any further handlers.
func (Sessions) UserDidAuthenticate ¶
func (s Sessions) UserDidAuthenticate(w http.ResponseWriter, accountID string) (sessionKey string, err error)
UserDidAuthenticate creates a new session and writes an HTTPOnly cookie to track that session it returns errors
func (Sessions) UserDidLogout ¶
UserDidLogout destroys the session and removes the session cookie. it returns errors
Source Files
Directories