Revert "AUTH-3394: Creates a token per app instead of per path"

This reverts commit 8e340d9598.
2025-07-27 19:19:57 +00:00 · 2021-03-10 13:39:33 -06:00
parent aa5ebb817a
commit b0e69c4b8a
8 changed files with 84 additions and 130 deletions
--- a/token/path.go
+++ b/token/path.go
@@ -2,6 +2,7 @@ package token

 import (
 	"fmt"
+	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
@@ -12,13 +13,12 @@ import (
 )

 // GenerateAppTokenFilePathFromURL will return a filepath for given Access org token
-func GenerateAppTokenFilePathFromURL(appDomain, aud string, suffix string) (string, error) {
+func GenerateAppTokenFilePathFromURL(url *url.URL, suffix string) (string, error) {
 	configPath, err := getConfigPath()
 	if err != nil {
 		return "", err
 	}
-	name := fmt.Sprintf("%s-%s-%s", appDomain, aud, suffix)
-	name = strings.Replace(strings.Replace(name, "/", "-", -1), "*", "-", -1)
+	name := strings.Replace(fmt.Sprintf("%s%s-%s", url.Hostname(), url.EscapedPath(), suffix), "/", "-", -1)
 	return filepath.Join(configPath, name), nil
 }

--- a/token/token.go
+++ b/token/token.go
@@ -22,18 +22,10 @@ import (
 )

 const (
-	keyName               = "token"
-	tokenCookie           = "CF_Authorization"
-	appDomainHeader       = "CF-Access-Domain"
-	AccessLoginWorkerPath = "/cdn-cgi/access/login"
+	keyName     = "token"
+	tokenHeader = "CF_Authorization"
 )

-type AppInfo struct {
-	AuthDomain string
-	AppAUD     string
-	AppDomain  string
-}
-
 type lock struct {
 	lockFilePath string
 	backoff      *origin.BackoffHandler
@@ -150,23 +142,23 @@ func isTokenLocked(lockFilePath string) bool {

 // FetchTokenWithRedirect will either load a stored token or generate a new one
 // it appends the full url as the redirect URL to the access cli request if opening the browser
-func FetchTokenWithRedirect(appURL *url.URL, appInfo *AppInfo, log *zerolog.Logger) (string, error) {
-	return getToken(appURL, appInfo, false, log)
+func FetchTokenWithRedirect(appURL *url.URL, log *zerolog.Logger) (string, error) {
+	return getToken(appURL, false, log)
 }

 // FetchToken will either load a stored token or generate a new one
 // it appends the host of the appURL as the redirect URL to the access cli request if opening the browser
-func FetchToken(appURL *url.URL, appInfo *AppInfo, log *zerolog.Logger) (string, error) {
-	return getToken(appURL, appInfo, true, log)
+func FetchToken(appURL *url.URL, log *zerolog.Logger) (string, error) {
+	return getToken(appURL, true, log)
 }

 // getToken will either load a stored token or generate a new one
-func getToken(appURL *url.URL, appInfo *AppInfo, useHostOnly bool, log *zerolog.Logger) (string, error) {
-	if token, err := GetAppTokenIfExists(appInfo); token != "" && err == nil {
+func getToken(appURL *url.URL, useHostOnly bool, log *zerolog.Logger) (string, error) {
+	if token, err := GetAppTokenIfExists(appURL); token != "" && err == nil {
 		return token, nil
 	}

-	appTokenPath, err := GenerateAppTokenFilePathFromURL(appInfo.AppDomain, appInfo.AppAUD, keyName)
+	appTokenPath, err := GenerateAppTokenFilePathFromURL(appURL, keyName)
 	if err != nil {
 		return "", errors.Wrap(err, "failed to generate app token file path")
 	}
@@ -178,36 +170,40 @@ func getToken(appURL *url.URL, appInfo *AppInfo, useHostOnly bool, log *zerolog.
 	defer fileLockAppToken.Release()

 	// check to see if another process has gotten a token while we waited for the lock
-	if token, err := GetAppTokenIfExists(appInfo); token != "" && err == nil {
+	if token, err := GetAppTokenIfExists(appURL); token != "" && err == nil {
 		return token, nil
 	}

 	// If an app token couldnt be found on disk, check for an org token and attempt to exchange it for an app token.
 	var orgTokenPath string
-	orgToken, err := GetOrgTokenIfExists(appInfo.AuthDomain)
-	if err != nil {
-		orgTokenPath, err = generateOrgTokenFilePathFromURL(appInfo.AuthDomain)
+	// Get auth domain to format into org token file path
+	if authDomain, err := getAuthDomain(appURL); err != nil {
+		log.Error().Msgf("failed to get auth domain: %s", err)
+	} else {
+		orgToken, err := GetOrgTokenIfExists(authDomain)
 		if err != nil {
-			return "", errors.Wrap(err, "failed to generate org token file path")
-		}
-
-		fileLockOrgToken := newLock(orgTokenPath)
-		if err = fileLockOrgToken.Acquire(); err != nil {
-			return "", errors.Wrap(err, "failed to acquire org token lock")
-		}
-		defer fileLockOrgToken.Release()
-		// check if an org token has been created since the lock was acquired
-		orgToken, err = GetOrgTokenIfExists(appInfo.AuthDomain)
-	}
-	if err == nil {
-		if appToken, err := exchangeOrgToken(appURL, orgToken); err != nil {
-			log.Debug().Msgf("failed to exchange org token for app token: %s", err)
-		} else {
-			// generate app path
-			if err := ioutil.WriteFile(appTokenPath, []byte(appToken), 0600); err != nil {
-				return "", errors.Wrap(err, "failed to write app token to disk")
+			orgTokenPath, err = generateOrgTokenFilePathFromURL(authDomain)
+			if err != nil {
+				return "", errors.Wrap(err, "failed to generate org token file path")
+			}
+
+			fileLockOrgToken := newLock(orgTokenPath)
+			if err = fileLockOrgToken.Acquire(); err != nil {
+				return "", errors.Wrap(err, "failed to acquire org token lock")
+			}
+			defer fileLockOrgToken.Release()
+			// check if an org token has been created since the lock was acquired
+			orgToken, err = GetOrgTokenIfExists(authDomain)
+		}
+		if err == nil {
+			if appToken, err := exchangeOrgToken(appURL, orgToken); err != nil {
+				log.Debug().Msgf("failed to exchange org token for app token: %s", err)
+			} else {
+				if err := ioutil.WriteFile(appTokenPath, []byte(appToken), 0600); err != nil {
+					return "", errors.Wrap(err, "failed to write app token to disk")
+				}
+				return appToken, nil
 			}
-			return appToken, nil
 		}
 	}
 	return getTokensFromEdge(appURL, appTokenPath, orgTokenPath, useHostOnly, log)
@@ -246,46 +242,31 @@ func getTokensFromEdge(appURL *url.URL, appTokenPath, orgTokenPath string, useHo

 }

-// GetAppInfo makes a request to the appURL and stops at the first redirect. The 302 location header will contain the
+// getAuthDomain makes a request to the appURL and stops at the first redirect. The 302 location header will contain the
 // auth domain
-func GetAppInfo(reqURL *url.URL) (*AppInfo, error) {
+func getAuthDomain(appURL *url.URL) (string, error) {
 	client := &http.Client{
 		// do not follow redirects
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
-			// stop after hitting login endpoint since it will contain app path
-			if strings.Contains(via[len(via)-1].URL.Path, AccessLoginWorkerPath) {
-				return http.ErrUseLastResponse
-			}
-			return nil
+			return http.ErrUseLastResponse
 		},
 		Timeout: time.Second * 7,
 	}

-	appInfoReq, err := http.NewRequest("HEAD", reqURL.String(), nil)
+	authDomainReq, err := http.NewRequest("HEAD", appURL.String(), nil)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to create app info request")
+		return "", errors.Wrap(err, "failed to create auth domain request")
 	}
-	resp, err := client.Do(appInfoReq)
+	resp, err := client.Do(authDomainReq)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to get app info")
+		return "", errors.Wrap(err, "failed to get auth domain")
 	}
 	resp.Body.Close()
-	location := resp.Request.URL
-	if !strings.Contains(location.Path, AccessLoginWorkerPath) {
-		return nil, fmt.Errorf("failed to get Access app info for %s", reqURL.String())
+	location, err := resp.Location()
+	if err != nil {
+		return "", fmt.Errorf("failed to get auth domain. Received status code %d from %s", resp.StatusCode, appURL.String())
 	}
-
-	aud := resp.Request.URL.Query().Get("kid")
-	if aud == "" {
-		return nil, errors.New("Empty app aud")
-	}
-
-	domain := resp.Header.Get(appDomainHeader)
-	if domain == "" {
-		return nil, errors.New("Empty app domain")
-	}
-
-	return &AppInfo{location.Hostname(), aud, domain}, nil
+	return location.Hostname(), nil

 }

@@ -295,8 +276,8 @@ func exchangeOrgToken(appURL *url.URL, orgToken string) (string, error) {
 	client := &http.Client{
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			// attach org token to login request
-			if strings.Contains(req.URL.Path, AccessLoginWorkerPath) {
-				req.AddCookie(&http.Cookie{Name: tokenCookie, Value: orgToken})
+			if strings.Contains(req.URL.Path, "cdn-cgi/access/login") {
+				req.AddCookie(&http.Cookie{Name: tokenHeader, Value: orgToken})
 			}
 			// stop after hitting authorized endpoint since it will contain the app token
 			if strings.Contains(via[len(via)-1].URL.Path, "cdn-cgi/access/authorized") {
@@ -319,7 +300,7 @@ func exchangeOrgToken(appURL *url.URL, orgToken string) (string, error) {
 	var appToken string
 	for _, c := range resp.Cookies() {
 		//if Org token revoked on exchange, getTokensFromEdge instead
-		validAppToken := c.Name == tokenCookie && time.Now().Before(c.Expires)
+		validAppToken := c.Name == tokenHeader && time.Now().Before(c.Expires)
 		if validAppToken {
 			appToken = c.Value
 			break
@@ -354,8 +335,8 @@ func GetOrgTokenIfExists(authDomain string) (string, error) {
 	return token.Encode(), nil
 }

-func GetAppTokenIfExists(appInfo *AppInfo) (string, error) {
-	path, err := GenerateAppTokenFilePathFromURL(appInfo.AppDomain, appInfo.AppAUD, keyName)
+func GetAppTokenIfExists(url *url.URL) (string, error) {
+	path, err := GenerateAppTokenFilePathFromURL(url, keyName)
 	if err != nil {
 		return "", err
 	}
@@ -392,8 +373,8 @@ func getTokenIfExists(path string) (*jose.JWT, error) {
 }

 // RemoveTokenIfExists removes the a token from local storage if it exists
-func RemoveTokenIfExists(appInfo *AppInfo) error {
-	path, err := GenerateAppTokenFilePathFromURL(appInfo.AppDomain, appInfo.AppAUD, keyName)
+func RemoveTokenIfExists(url *url.URL) error {
+	path, err := GenerateAppTokenFilePathFromURL(url, keyName)
 	if err != nil {
 		return err
 	}