123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990 |
- // Copyright (c) 2019 Shivaram Lingamneni <slingamn@cs.stanford.edu>
- // released under the MIT license
-
- package irc
-
- import (
- "sync"
-
- "github.com/oragono/oragono/irc/utils"
- )
-
- // implements draft/resume-0.3, in particular the issuing, management, and verification
- // of resume tokens with two components: a unique ID and a secret key
-
- type resumeTokenPair struct {
- client *Client
- secret string
- }
-
- type ResumeManager struct {
- sync.RWMutex // level 2
-
- resumeIDtoCreds map[string]resumeTokenPair
- server *Server
- }
-
- func (rm *ResumeManager) Initialize(server *Server) {
- rm.resumeIDtoCreds = make(map[string]resumeTokenPair)
- rm.server = server
- }
-
- // GenerateToken generates a resume token for a client. If the client has
- // already been assigned one, it returns "".
- func (rm *ResumeManager) GenerateToken(client *Client) (token string) {
- id := utils.GenerateSecretToken()
- secret := utils.GenerateSecretToken()
-
- rm.Lock()
- defer rm.Unlock()
-
- if client.ResumeID() != "" {
- return
- }
-
- client.SetResumeID(id)
- rm.resumeIDtoCreds[id] = resumeTokenPair{
- client: client,
- secret: secret,
- }
-
- return id + secret
- }
-
- // VerifyToken looks up the client corresponding to a resume token, returning
- // nil if there is no such client or the token is invalid. If successful,
- // the token is consumed and cannot be used to resume again.
- func (rm *ResumeManager) VerifyToken(token string) (client *Client) {
- if len(token) != 2*utils.SecretTokenLength {
- return
- }
-
- rm.RLock()
- defer rm.RUnlock()
-
- id := token[:utils.SecretTokenLength]
- pair, ok := rm.resumeIDtoCreds[id]
- if ok {
- if utils.SecretTokensMatch(pair.secret, token[utils.SecretTokenLength:]) {
- // disallow resume of an unregistered client; this prevents the use of
- // resume as an auth bypass
- if pair.client.Registered() {
- // consume the token, ensuring that at most one resume can succeed
- delete(rm.resumeIDtoCreds, id)
- return pair.client
- }
- }
- }
- return
- }
-
- // Delete stops tracking a client's resume token.
- func (rm *ResumeManager) Delete(client *Client) {
- rm.Lock()
- defer rm.Unlock()
-
- currentID := client.ResumeID()
- if currentID != "" {
- delete(rm.resumeIDtoCreds, currentID)
- }
- }
|