forgejo/modules/setting/session.go

// Copyright 2019 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.

package setting

import (
	"net/http"
	"path"
	"path/filepath"
	"strings"

	"code.gitea.io/gitea/modules/json"
	"code.gitea.io/gitea/modules/log"
)

var (
	// SessionConfig defines Session settings
	SessionConfig = struct {
		Provider string
		// Provider configuration, it's corresponding to provider.
		ProviderConfig string
		// Cookie name to save session ID. Default is "MacaronSession".
		CookieName string
		// Cookie path to store. Default is "/".
		CookiePath string
		// GC interval time in seconds. Default is 3600.
		Gclifetime int64
		// Max life time in seconds. Default is whatever GC interval time is.
		Maxlifetime int64
		// Use HTTPS only. Default is false.
		Secure bool
		// Cookie domain name. Default is empty.
		Domain string
		// SameSite declares if your cookie should be restricted to a first-party or same-site context. Valid strings are "none", "lax", "strict". Default is "lax"
		SameSite http.SameSite
	}{
		CookieName:  "i_like_gitea",
		Gclifetime:  86400,
		Maxlifetime: 86400,
		SameSite:    http.SameSiteLaxMode,
	}
)

func newSessionService() {
	sec := Cfg.Section("session")
	SessionConfig.Provider = sec.Key("PROVIDER").In("memory",
		[]string{"memory", "file", "redis", "mysql", "postgres", "couchbase", "memcache", "db"})
	SessionConfig.ProviderConfig = strings.Trim(sec.Key("PROVIDER_CONFIG").MustString(path.Join(AppDataPath, "sessions")), "\" ")
	if SessionConfig.Provider == "file" && !filepath.IsAbs(SessionConfig.ProviderConfig) {
		SessionConfig.ProviderConfig = path.Join(AppWorkPath, SessionConfig.ProviderConfig)
	}
	SessionConfig.CookieName = sec.Key("COOKIE_NAME").MustString("i_like_gitea")
	SessionConfig.CookiePath = AppSubURL
	SessionConfig.Secure = sec.Key("COOKIE_SECURE").MustBool(false)
	SessionConfig.Gclifetime = sec.Key("GC_INTERVAL_TIME").MustInt64(86400)
	SessionConfig.Maxlifetime = sec.Key("SESSION_LIFE_TIME").MustInt64(86400)
	SessionConfig.Domain = sec.Key("DOMAIN").String()
	samesiteString := sec.Key("SAME_SITE").In("lax", []string{"none", "lax", "strict"})
	switch strings.ToLower(samesiteString) {
	case "none":
		SessionConfig.SameSite = http.SameSiteNoneMode
	case "strict":
		SessionConfig.SameSite = http.SameSiteStrictMode
	default:
		SessionConfig.SameSite = http.SameSiteLaxMode
	}
	shadowConfig, err := json.Marshal(SessionConfig)
	if err != nil {
		log.Fatal("Can't shadow session config: %v", err)
	}
	SessionConfig.ProviderConfig = string(shadowConfig)
	SessionConfig.Provider = "VirtualSession"

	log.Info("Session Service Enabled")
}
Split setting.go as multiple files (#6014) * split setting.go as multiple files * fix comments 2019-02-10 01:37:37 +00:00			`// Copyright 2019 The Gitea Authors. All rights reserved.`
			`// Use of this source code is governed by a MIT-style`
			`// license that can be found in the LICENSE file.`

			`package setting`

			`import (`
Add SameSite setting for cookies (#14900) Add SameSite setting for cookies and rationalise the cookie setting code. Switches SameSite to Lax by default. There is a possible future extension of differentiating which cookies could be set at Strict by default but that is for a future PR. Fix #5583 Signed-off-by: Andrew Thornton <art27@cantab.net> 2021-03-07 08:12:43 +00:00			`"net/http"`
Split setting.go as multiple files (#6014) * split setting.go as multiple files * fix comments 2019-02-10 01:37:37 +00:00			`"path"`
			`"path/filepath"`
			`"strings"`

Add an abstract json layout to make it's easier to change json library (#16528) * Add an abstract json layout to make it's easier to change json library * Fix import * Fix import sequence * Fix blank lines * Fix blank lines 2021-07-24 16:03:58 +00:00			`"code.gitea.io/gitea/modules/json"`
Split setting.go as multiple files (#6014) * split setting.go as multiple files * fix comments 2019-02-10 01:37:37 +00:00			`"code.gitea.io/gitea/modules/log"`
			`)`

			`var (`
Fix various documentation, user-facing, and source comment typos (#16367) * Fix various doc, user-facing, and source comment typos Found via `codespell -q 3 -S ./options/locale,./vendor -L ba,pullrequest,pullrequests,readby` 2021-07-08 11:38:13 +00:00			`// SessionConfig defines Session settings`
Movde dependents on macaron from modules/setting (#10050) Co-authored-by: Lauris BH <lauris@nix.lv> 2020-01-29 07:47:46 +00:00			`SessionConfig = struct {`
			`Provider string`
			`// Provider configuration, it's corresponding to provider.`
			`ProviderConfig string`
			`// Cookie name to save session ID. Default is "MacaronSession".`
			`CookieName string`
			`// Cookie path to store. Default is "/".`
			`CookiePath string`
			`// GC interval time in seconds. Default is 3600.`
			`Gclifetime int64`
			`// Max life time in seconds. Default is whatever GC interval time is.`
			`Maxlifetime int64`
			`// Use HTTPS only. Default is false.`
			`Secure bool`
			`// Cookie domain name. Default is empty.`
			`Domain string`
Add SameSite setting for cookies (#14900) Add SameSite setting for cookies and rationalise the cookie setting code. Switches SameSite to Lax by default. There is a possible future extension of differentiating which cookies could be set at Strict by default but that is for a future PR. Fix #5583 Signed-off-by: Andrew Thornton <art27@cantab.net> 2021-03-07 08:12:43 +00:00			`// SameSite declares if your cookie should be restricted to a first-party or same-site context. Valid strings are "none", "lax", "strict". Default is "lax"`
			`SameSite http.SameSite`
Movde dependents on macaron from modules/setting (#10050) Co-authored-by: Lauris BH <lauris@nix.lv> 2020-01-29 07:47:46 +00:00			`}{`
			`CookieName: "i_like_gitea",`
			`Gclifetime: 86400,`
			`Maxlifetime: 86400,`
Add SameSite setting for cookies (#14900) Add SameSite setting for cookies and rationalise the cookie setting code. Switches SameSite to Lax by default. There is a possible future extension of differentiating which cookies could be set at Strict by default but that is for a future PR. Fix #5583 Signed-off-by: Andrew Thornton <art27@cantab.net> 2021-03-07 08:12:43 +00:00			`SameSite: http.SameSiteLaxMode,`
Movde dependents on macaron from modules/setting (#10050) Co-authored-by: Lauris BH <lauris@nix.lv> 2020-01-29 07:47:46 +00:00			`}`
Split setting.go as multiple files (#6014) * split setting.go as multiple files * fix comments 2019-02-10 01:37:37 +00:00			`)`

			`func newSessionService() {`
Movde dependents on macaron from modules/setting (#10050) Co-authored-by: Lauris BH <lauris@nix.lv> 2020-01-29 07:47:46 +00:00			`sec := Cfg.Section("session")`
			`SessionConfig.Provider = sec.Key("PROVIDER").In("memory",`
Create DB session provider(based on xorm) (#13031) * Create Xorm session provider This PR creates a Xorm session provider which creates the appropriate Session table for macaron/session. Fix #7137 Signed-off-by: Andrew Thornton <art27@cantab.net> * extraneous l Signed-off-by: Andrew Thornton <art27@cantab.net> * fix lint Signed-off-by: Andrew Thornton <art27@cantab.net> * use key instead of ID to be compatible with go-macaron/session Signed-off-by: Andrew Thornton <art27@cantab.net> * And change the migration too. Signed-off-by: Andrew Thornton <art27@cantab.net> * Update spacing of imports Co-authored-by: 6543 <6543@obermui.de> * Update modules/session/xorm.go Co-authored-by: techknowlogick <matti@mdranta.net> * add xorm provider to the virtual provider Signed-off-by: Andrew Thornton <art27@cantab.net> * prep for master merge * prep for merge master * As per @lunny * move migration out of the way * Move to call this db session as per @lunny Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> 2021-02-15 05:33:31 +00:00			`[]string{"memory", "file", "redis", "mysql", "postgres", "couchbase", "memcache", "db"})`
Movde dependents on macaron from modules/setting (#10050) Co-authored-by: Lauris BH <lauris@nix.lv> 2020-01-29 07:47:46 +00:00			`SessionConfig.ProviderConfig = strings.Trim(sec.Key("PROVIDER_CONFIG").MustString(path.Join(AppDataPath, "sessions")), "\" ")`
Split setting.go as multiple files (#6014) * split setting.go as multiple files * fix comments 2019-02-10 01:37:37 +00:00			`if SessionConfig.Provider == "file" && !filepath.IsAbs(SessionConfig.ProviderConfig) {`
			`SessionConfig.ProviderConfig = path.Join(AppWorkPath, SessionConfig.ProviderConfig)`
			`}`
Movde dependents on macaron from modules/setting (#10050) Co-authored-by: Lauris BH <lauris@nix.lv> 2020-01-29 07:47:46 +00:00			`SessionConfig.CookieName = sec.Key("COOKIE_NAME").MustString("i_like_gitea")`
Split setting.go as multiple files (#6014) * split setting.go as multiple files * fix comments 2019-02-10 01:37:37 +00:00			`SessionConfig.CookiePath = AppSubURL`
Movde dependents on macaron from modules/setting (#10050) Co-authored-by: Lauris BH <lauris@nix.lv> 2020-01-29 07:47:46 +00:00			`SessionConfig.Secure = sec.Key("COOKIE_SECURE").MustBool(false)`
			`SessionConfig.Gclifetime = sec.Key("GC_INTERVAL_TIME").MustInt64(86400)`
			`SessionConfig.Maxlifetime = sec.Key("SESSION_LIFE_TIME").MustInt64(86400)`
			`SessionConfig.Domain = sec.Key("DOMAIN").String()`
Add SameSite setting for cookies (#14900) Add SameSite setting for cookies and rationalise the cookie setting code. Switches SameSite to Lax by default. There is a possible future extension of differentiating which cookies could be set at Strict by default but that is for a future PR. Fix #5583 Signed-off-by: Andrew Thornton <art27@cantab.net> 2021-03-07 08:12:43 +00:00			`samesiteString := sec.Key("SAME_SITE").In("lax", []string{"none", "lax", "strict"})`
			`switch strings.ToLower(samesiteString) {`
			`case "none":`
			`SessionConfig.SameSite = http.SameSiteNoneMode`
			`case "strict":`
			`SessionConfig.SameSite = http.SameSiteStrictMode`
			`default:`
			`SessionConfig.SameSite = http.SameSiteLaxMode`
			`}`
Prevent creating empty sessions (#6677) * Prevent creating empty sessions Signed-off-by: Andrew Thornton <art27@cantab.net> * Update modules/setting/session.go * Remove unnecessary option Signed-off-by: Andrew Thornton <art27@cantab.net> * Add destory to list of ignored misspellings * rename cookie.go -> virtual.go * Delete old file * Add test to ensure that sessions are not created without being logged in Signed-off-by: Andrew Thornton <art27@cantab.net> * fix tests Signed-off-by: Andrew Thornton <art27@cantab.net> * Update integrations/create_no_session_test.go 2019-04-20 06:44:50 +00:00			`shadowConfig, err := json.Marshal(SessionConfig)`
			`if err != nil {`
			`log.Fatal("Can't shadow session config: %v", err)`
			`}`
			`SessionConfig.ProviderConfig = string(shadowConfig)`
			`SessionConfig.Provider = "VirtualSession"`

Split setting.go as multiple files (#6014) * split setting.go as multiple files * fix comments 2019-02-10 01:37:37 +00:00			`log.Info("Session Service Enabled")`
			`}`