#104 and #109 large cookies full of tokens

vouch · May 22, 2019 · dba94fe · dba94fe
1 parent 789ac29
commit dba94fe
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 4 deletions.
diff --git a/config/config.yml_example b/config/config.yml_example
@@ -83,6 +83,15 @@ vouch:
     querystring: access_token
     redirect: X-Vouch-Requested-URI
 
+    # GENERAL WARNING ABOUT claims AND tokens
+    # all of these config elements can cause performance impacts due to the amount of information being 
+    # moved around.  They will get added to the Vouch cookie and (possibly) make it large.  The Vouch cookie will 
+    # get split up into several cookies. Every request will process the cookies in order to extract and create the 
+    # additional headers which get returned.  But if you need it, you need it.
+    # With large cookies and headers it will require additional nginx config to open up the buffers a bit..
+    # see `large_client_header_buffers` http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers
+    # and `proxy_buffer_size` http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
+
     # claims - a list of claims that will be stored in the JWT and passed down to applications via headers
     # By default claims are sent down as headers with a prefix of X-Vouch-IdP-Claims-ClaimKey
     # Only when a claim is found in the user's info will the header exist.  This is optional.  These are case sensitive.

diff --git a/handlers/handlers.go b/handlers/handlers.go
@@ -228,7 +228,6 @@ func ValidateRequestHandler(w http.ResponseWriter, r *http.Request) {
 	w.Header().Add(cfg.Cfg.Headers.User, claims.Username)
 	w.Header().Add(cfg.Cfg.Headers.Success, "true")
 
-	log.Debugf("response header %+v", w.Header())
 	if cfg.Cfg.Headers.AccessToken != "" {
 		if claims.PAccessToken != "" {
 			w.Header().Add(cfg.Cfg.Headers.AccessToken, claims.PAccessToken)
@@ -240,8 +239,11 @@ func ValidateRequestHandler(w http.ResponseWriter, r *http.Request) {
 
 		}
 	}
+	// fastlog.Debugf("response headers %+v", w.Header())
+	// fastlog.Debug("response header",
+	// 	zap.String(cfg.Cfg.Headers.User, w.Header().Get(cfg.Cfg.Headers.User)))
 	fastlog.Debug("response header",
-		zap.String(cfg.Cfg.Headers.User, w.Header().Get(cfg.Cfg.Headers.User)))
+		zap.Any("all headers", w.Header()))
 
 	// good to go!!
 	if cfg.Cfg.Testing {
@@ -523,6 +525,7 @@ func getUserInfo(r *http.Request, user *structs.User, customClaims *structs.Cust
 	}
 	ptokens.PAccessToken = providerToken.AccessToken
 	ptokens.PIdToken = providerToken.Extra("id_token").(string)
+	log.Debugf("ptokens: %+v", ptokens)
 
 	// make the "third leg" request back to google to exchange the token for the userinfo
 	client := cfg.OAuthClient.Client(context.TODO(), providerToken)

diff --git a/pkg/cookie/cookie.go b/pkg/cookie/cookie.go
@@ -80,7 +80,7 @@ func setCookie(w http.ResponseWriter, r *http.Request, val string, maxAge int) {
 func Cookie(r *http.Request) (string, error) {
 
 	var cookieParts []string
-	var numParts int = -1
+	var numParts = -1
 
 	var err error
 	cookies := r.Cookies()
@@ -102,13 +102,14 @@ func Cookie(r *http.Request) (string, error) {
 				if numParts, err = strconv.Atoi(xyArray[1]); err != nil {
 					return "", fmt.Errorf("multipart cookie fail: %s", err)
 				}
+				log.Debugf("make cookieParts of size %d", numParts)
 				cookieParts = make([]string, numParts)
 			}
 			var i int
 			if i, err = strconv.Atoi(xyArray[0]); err != nil {
 				return "", fmt.Errorf("multipart cookie fail: %s", err)
 			}
-			cookieParts[i] = cookie.Value
+			cookieParts[i-1] = cookie.Value
 		}
 
 	}