external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
aurweb/doc/web-auth.md
moson-mo 22fe4a988a
fix: make AURSID a session cookie if "remember me" is not checked 
This should match more closely the expectation of a user.
A session cookie should vanish on browser close
and you thus they need to authenticate again.

There is no need to bump the expiration of AURSID either,
so we can remove that part.

Signed-off-by: moson-mo <mo-son@mailbox.org>
2023-05-26 22:57:47 +02:00

104 lines
4.3 KiB
Markdown
Raw Blame History

# aurweb Web Authentication
aurweb uses an HTTP cookie to persist user sessions across requests.
This cookie **must** be delivered with a request in order to be considered
an authenticated user.
See [HTTP Cookie](#http-cookie) for detailed information about the cookie.
## HTTP Cookie
aurweb utilizes an HTTP cookie by the name of `AURSID` to track
user authentication across requests.
This cookie's requirements changes due to aurweb's configuration
in the following ways:
- `options.disable_http_login: 0`
- [Samesite=LAX](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#samesite_attribute), Max-Age
- `options.disable_http_login: 1`
- [Samesite=LAX](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#samesite_attribute), [Secure, HttpOnly](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies), Max-Age
### Max-Age
The value used for the `AURSID` Max-Age attribute is decided based
off of the "Remember Me" checkbox on the login page. If it was not
checked, we don't set Max-Age and it becomes a session cookie.
Otherwise we make it a persistent cookie and for the expiry date
we use `options.persistent_cookie_timeout`.
It indicates the number of seconds the session should live.
### Notes
At all times, aur.archlinux.org operates over HTTPS. Secure cookies will
only remain intact when subsequently requesting an aurweb route through
the HTTPS scheme at the same host as the cookie was obtained.
## Login Process
When a user logs in to aurweb, the following steps are taken:
1. Was a Referer header delivered from an address starting with
`{aurweb_url}/login`?
1. No, an HTTP 400 Bad Request response is returned
2. Yes, move on to 2
2. Does a Users database record exist for the given username/email?
1. No, you are returned to the login page with `Bad username or password.`
error
2. Yes, move on to 3
3. Is the user suspended?
1. Yes, you are returned to the login page with `Account Suspended` error
2. No, move on to 4
4. Can the user login with the given password?
1. No, you are returned to the login page with `Bad username or password.`
error
2. Yes, move on to 5
5. Update the user's `LastLogin` and `LastLoginIPAddress` columns
6. Does the user have a related Sessions record?
1. No, generate a new Sessions record with a new unique `SessionID`
2. Yes, update the Sessions record's `SessionID` column with a new unique
string and update the Sessions record's `LastUpdateTS` column if it has
expired
3. In both cases, set the user's `InactivityTS` column to `0`
4. In both cases, return the new `SessionID` column value and move on to 7
7. Return a redirect to the `next` GET variable with the
following cookies set:
1. `AURSID`
- Unique session string matching the user's related
`Sessions.SessionID` column
2. `AURTZ`
- User's timezone setting
3. `AURLANG`
- User's language setting
4. `AURREMEMBER`
- Boolean state of the "Remember Me" checkbox when login submitted
## Auth Verification
When a request is made toward aurweb, a middleware is responsible for
verifying the user's auth cookie. If no valid `AURSID` cookie could be
found for a user in the database, the request is considered unauthenticated.
The following list of steps describes exactly how this verification works:
1. Was the `AURSID` cookie delivered?
1. No, the algorithm ends, you are considered unauthenticated
2. Yes, move on to 2
2. Was the `AURREMEMBER` cookie delivered with a value of `True`?
1. No, set the expected session timeout **T** to `options.login_timeout`
2. Yes, set the expected session timeout **T** to
`options.persistent_cookie_timeout`
3. Does a Sessions database record exist which matches the `AURSID`?
1. No, the algorithm ends, you are considered unauthenticated
2. Yes, move on to 4
4. Does the Sessions record's LastUpdateTS column fit within `utcnow - T`?
1. No, the Sessions record at hand is deleted, the algorithm ends, you
are considered unauthenticated
2. Yes, move on to 5
5. You are considered authenticated
## aur.archlinux.org Auth-Related Configuration
- Operates over HTTPS with a Let's Encrypt SSL certificate
- `options.disable_http_login: 1`
- `options.login_timeout: <default_provided_in_config.defaults>`
- `options.persistent_cookie_timeout: <default_provided_in_config.defaults>`
Reference in a new issue View git blame Copy permalink