
Invalid session state (not "secure" related) #115

Closed
michal-rybinski opened this issue Apr 30, 2019 · 8 comments


michal-rybinski commented Apr 30, 2019

Hi all,

I've set up a vouch in front of my services and am using AWS Cognito as an OAuth2 provider.
I managed to get it working with Benjamin's help and all works as expected, but from time to time I am encountering an "Invalid session state" issue which by the looks of it points to either a unicode encode/decode problem or something else that is dealing with extracting data from cookies on the vouch side. This is the log entry that appears when the problem surfaces, and it is quite clear that the problem is with the comparison of the session variable stored locally and the one received from the cookie:

{"level":"error","ts":1556534349.1250064,"msg":"Invalid session state: stored NHEDnfUelEV/FUfe4gajRJUptDzdG3cH/+tvaBp0YNs=, returned NHEDnfUelEV/FUfe4gajRJUptDzdG3cH/ tvaBp0YNs="}

Every time there is a "+" sign generated in the session state variable, it is being converted to a space or deleted from the returned session state variable, which causes the evaluation to fail and the error mentioned above to be shown.

Has someone else encountered this problem as well?

Thanks,
Michal

@michal-rybinski (Author)

Immediately after the above message there is another one which shows that the plus sign has been provided in the referer string as a properly urlencoded string:

{"level":"info","ts":1556534349.125064,"msg":"|200| 205.705µs /auth","statusCode":200,"request":170,"latency":0.000205705,"avgLatency":0.003134225,"ipPort":"127.0.0.1:34346","method":"GET","host":"login.xxx.com","path":"/auth","referer":"https://auth.xxx.com/login?client_id=xxx&redirect_uri=https%3A%2F%2Flogin.xxx.com%2Fauth&response_type=code&scope=openid+email+profile&state=NHEDnfUelEV%2FFUfe4gajRJUptDzdG3cH%2F%2BtvaBp0YNs%3D"}

This can be easily checked here: https://www.urldecoder.org/
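The failure described in the two comments above comes from how a query string is parsed: a literal "+" in an application/x-www-form-urlencoded value means a space, so a standard-base64 state value that contains "+" only survives the round trip if it is percent-encoded, as it is in the referer shown. The following Go program is an added illustration and is not vouch-proxy's own code; it uses a constructed two-byte state value whose standard base64 form is "+/8=", runs it through net/url the way a callback handler would, and shows that an unpadded URL-safe alphabet avoids the problem regardless of whether an intermediary escapes the value. The function and variable names are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample state bytes (assumption: illustrative, not the value from
// the issue). Their standard base64 form is "+/8=", which contains both of the
// characters that are unsafe in an unescaped query string.
var sampleState = []byte{0xfb, 0xff}

// EncodeState encodes raw state bytes either with standard base64 (which may
// emit "+", "/" and "=") or with unpadded URL-safe base64 (RFC 4648 section 5).
func EncodeState(raw []byte, urlSafe bool) string {
	if urlSafe {
		return base64.RawURLEncoding.EncodeToString(raw)
	}
	return base64.StdEncoding.EncodeToString(raw)
}

// BuildQuery builds the "state=..." query string that would be appended to the
// authorization URL, with or without percent-encoding the value.
func BuildQuery(state string, escape bool) string {
	if escape {
		return "state=" + url.QueryEscape(state)
	}
	return "state=" + state
}

// ReturnedState parses the query string as net/url does on the callback and
// returns the state value the server would see. In form-urlencoded parsing a
// literal "+" decodes to a space, which is the corruption reported in the issue.
func ReturnedState(rawQuery string) (string, error) {
	values, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	return values.Get("state"), nil
}

// RoundTrip simulates store -> send -> callback -> compare and reports whether
// the returned value still matches the stored one.
func RoundTrip(raw []byte, urlSafe, escape bool) (stored, returned string, ok bool) {
	stored = EncodeState(raw, urlSafe)
	returned, err := ReturnedState(BuildQuery(stored, escape))
	if err != nil {
		return stored, "", false
	}
	return stored, returned, stored == returned
}

// NewState generates a random state value that survives query-string handling
// whether or not intermediaries percent-encode it.
func NewState(nBytes int) (string, error) {
	raw := make([]byte, nBytes)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// IsQuerySafe reports whether a state value contains none of the characters
// that form-urlencoded parsing may alter or that would need escaping.
func IsQuerySafe(s string) bool {
	return !strings.ContainsAny(s, "+/= ")
}

func main() {
	cases := []struct {
		name            string
		urlSafe, escape bool
	}{
		{"std base64, not escaped", false, false},
		{"std base64, escaped", false, true},
		{"url-safe base64, not escaped", true, false},
	}
	for _, c := range cases {
		stored, returned, ok := RoundTrip(sampleState, c.urlSafe, c.escape)
		fmt.Printf("%-30s stored=%q returned=%q match=%v\n", c.name, stored, returned, ok)
	}
	if s, err := NewState(32); err == nil {
		fmt.Printf("fresh url-safe state: %s (query-safe=%v)\n", s, IsQuerySafe(s))
	}
}
```

Running it prints one line per case: the unescaped standard-base64 value comes back as " /8=" and fails the comparison, while the percent-encoded value and the URL-safe value both match. The same check applies to any value that travels in a query parameter and is later compared byte for byte, not only OAuth2 state.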


bnfinet commented May 3, 2019

@michal-rybinski could you please upgrade to v0.5.13 and (hopefully) confirm the fix


michal-rybinski commented May 3, 2019

Unfortunately it is still there...

https://hastebin.com/oxawawehot.pl

@michal-rybinski (Author)

and I did pull and build the newest version:

```
# git pull
remote: Enumerating objects: 74, done.
remote: Counting objects: 100% (74/74), done.
remote: Compressing objects: 100% (30/30), done.
remote: Total 87 (delta 46), reused 68 (delta 41), pack-reused 13
Unpacking objects: 100% (87/87), done.
From https://github.com/vouch/vouch-proxy
   998906f..229f735  master     -> origin/master
 * [new tag]         v0.5.15    -> v0.5.15
 * [new tag]         v0.5.13    -> v0.5.13
 * [new tag]         v0.5.14    -> v0.5.14
Updating 998906f..229f735
Fast-forward
 README.md                         |  13 +++++++++++--
 config/config.yml_example         |  13 +++++++++++++
 handlers/handlers.go              | 129 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---------------------
 pkg/cfg/cfg.go                    |  29 +++++++++++++++++++++--------
 pkg/jwtmanager/jwtmanager.go      |  11 ++++++++---
 pkg/jwtmanager/jwtmanager_test.go |  19 +++++++++++++++----
 pkg/structs/structs.go            |   5 +++++
 7 files changed, 181 insertions(+), 38 deletions(-)
# go get ./...
go get: no install location for directory /1/vouch-proxy outside GOPATH
For more details see: 'go help gopath'
# go build
#
```


bnfinet commented May 3, 2019

> go get: no install location for directory /1/vouch-proxy outside GOPATH

What's at $GOPATH/src/github.com/vouch/vouch-proxy?

Your build is looking for packages at $GOPATH/src/github.com/vouch/vouch-proxy which I suspect are the old packages.

Please do not push logs and config to gh issues. Please use hastebin as per these instructions from the README...

https://github.com/vouch/vouch-proxy#okay-i-looked-at-the-issues-and-have-tried-some-things-with-my-configs-but-i-still-cant-figure-it-out

@michal-rybinski (Author)

Sorry about not using hastebin, I've fixed the post now.
As for the issue, you are right, I wasn't aware that the source needs to be in a certain place for go to pick it up and I was running it from a completely different directory. Once I copied it across to $GOPATH/src/github.com/vouch/vouch-proxy I was able to build it without this error, which I assume is a good sign :)

I've done some more testing and it looks like it is fixed, as I haven't noticed any "+" signs in the generated session state variables and subsequently no problems with decode/encode on them.

Thanks for your help!


bnfinet commented May 3, 2019

Oh I'm so glad to hear that.

Yeah go is a bit too opinionated on this aspect of build imho.


bnfinet commented Aug 26, 2019

@michal-rybinski would you be able to comment on the setup in #105 ? I'm not familiar with AWS Cognito's config.

bnfinet added a commit that referenced this issue May 22, 2020