Golang: Gorilla sessions don't work for Kors
So, I have configured golang rest api. And on login I do this:
session, _ := store.New(r, sessionId) session.Options.MaxAge = 12 * 3600 err := session.Save(r, w) //treat error
and for checking the session I have something like this:
session, err := store.Get(r, sessionId)
//treat error
if session.IsNew {
http.Error(w, "Unauthorized session.", http.StatusUnauthorized)
return
}
If I run requests from the postman it works great, but when I make them from my client I get 401. Have any of you experienced something like this? The store is a CookieStore.
I already checked the id, I replaced the sessionId variable with a static string. Gorilla session uses gorilla context to register a new request and when I make a request from postman context.data[r]
it is not null but from client it is always null -> always new session.
https://github.com/gorilla/context/blob/master/context.go - line 33
it is called in
https://github.com/gorilla/sessions/blob/master/sessions.go - line 122
which is used in the CookieStore.Get function in
https://github.com/gorilla/sessions/blob/master/store.go - line 77
EDIT 1: For a client, I am using polymer and I tried xmlhttp too. Polymer:
<iron-ajax
id="ajaxRequest"
auto
url="{{requestUrl}}"
headers="{{requestHeaders}}"
handle-as="json"
on-response="onResponse"
on-error="onError"
content-type="application/json"
>
</iron-ajax>
and handlers
onResponse: function(response){
console.log(response.detail.response);
this.items = response.detail.response
},
onError: function(error){
console.log(error.detail)
},
ready: function(){
this.requestUrl = "http://localhost:8080/api/fingerprint/company/" + getCookie("companyId");
this.requestHeaders = {"Set-cookie": getCookie("api_token")}
}
and the cookie reaches the backend successfully.
And xmlhttp:
var xmlhttp = new XMLHttpRequest();
xmlhttp.onreadystatechange = function() {
if (xmlhttp.readyState == XMLHttpRequest.DONE ) {
if(xmlhttp.status == 200){
//do stuff
}else if(xmlhttp.status == 401){
page.redirect("/unauthorized")
}else{
page.redirect("/error")
}
}
}
xmlhttp.open("GET","http://localhost:8080/api/fingerprint/company/" + getCookie("companyId"),true);
xmlhttp.setRequestHeader("Set-cookie", getCookie("api_token"));
xmlhttp.send();
EDIT 2:
So, I tried debugging with fiddler (thanks for the suggestion) and I found out that the request from the postman has bold input Cookies / Login
, and the request from the client doesn't. Any idea how to get / set this value? This is somehow automatically installed in Postman. In the authentication request, I get a set-cookie header that has all the data I need, but I can't get it on the client. I receive Refused to get unsafe header set-cookie
.
source to share
If anyone has the same problem I am facing and want to whitelist all domains / wildcards (or have a list of domains in an array that you can scan), you can do something like this.
domain_raw := r.Host
domain_host_parts := strings.Split(domain_raw, ".")
domain := domain_host_parts[1] + "." + domain_host_parts[2]
domains := getDomains() // stores a slice of all your allowable domains
has_domain := false
for _, d := range domains {
if d == domain {
has_domain = true
break
}
}
if has_domain == false {
return
} else {
w.Header().Add("Access-Control-Allow-Origin", "https://"+domain_raw)
w.Header().Add("Access-Control-Allow-Credentials", "true")
}
I like to go
source to share