Merge pull request #174 from Devansh-bit/development
Moved session hijack detection, logging and response to utils
harshkhandeparkar authored Dec 17, 2023
2 parents 4ade7dc + c94697c commit 3880e12
Showing 5 changed files with 32 additions and 58 deletions.
13 changes: 2 additions & 11 deletions controllers/mentor.go
Expand Up @@ -71,17 +71,8 @@ func RegisterMentor(w http.ResponseWriter, r *http.Request) {
// Check if the JWT login username is the same as the mentor's given username
login_username := r.Context().Value(middleware.LOGIN_CTX_USERNAME_KEY).(string)

if reqFields.Username != login_username {
utils.LogWarn(
r,
fmt.Sprintf(
"POSSIBLE SESSION HIJACKING\nJWT Username: %s, Given Username: %s",
login_username,
reqFields.Username,
),
)

utils.RespondWithHTTPMessage(r, w, http.StatusUnauthorized, "Login username and given username do not match.")
err = utils.DetectSessionHijackAndRespond(r, w, reqFields.Username, login_username, "Login username and given username do not match.")
if err != nil {
return
}

13 changes: 2 additions & 11 deletions controllers/project_reg.go
Expand Up @@ -46,17 +46,8 @@ func RegisterProject(w http.ResponseWriter, r *http.Request) {

login_username := r.Context().Value(middleware.LoginCtxKey(middleware.LOGIN_CTX_USERNAME_KEY))

if reqFields.MentorUsername != login_username {
utils.LogWarn(
r,
fmt.Sprintf(
"POSSIBLE SESSION HIJACKING\nJWT Username: %s, Given Username: %s",
login_username,
reqFields.MentorUsername,
),
)

utils.RespondWithHTTPMessage(r, w, http.StatusUnauthorized, "Login username and mentor username do not match.")
err = utils.DetectSessionHijackAndRespond(r, w, reqFields.MentorUsername, login_username.(string), "Login username and mentor username do not match.")
if err != nil {
return
}

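Review bot: The `login_username.(string)` assertion added on the `err = utils.DetectSessionHijackAndRespond(...)` line panics when the context entry is absent or holds a non-string, and the same unchecked assertion appears on the corresponding line of controllers/project_update.go. Before this change the comparison was made against the interface value, so a missing context entry produced a mismatch and a 401 rather than a panic inside the handler. A two-value assertion keeps that outcome explicit: `login_username, ok := r.Context().Value(middleware.LoginCtxKey(middleware.LOGIN_CTX_USERNAME_KEY)).(string)` followed by `if !ok { utils.RespondWithHTTPMessage(r, w, http.StatusUnauthorized, "Login username not found."); return }`, after which the call can pass `login_username` directly. RegisterProject starts and ends outside the hunk.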
14 changes: 2 additions & 12 deletions controllers/project_update.go
Expand Up @@ -9,7 +9,6 @@ import (
"github.com/kossiitkgp/kwoc-backend/v2/models"
"github.com/kossiitkgp/kwoc-backend/v2/utils"

"github.com/rs/zerolog/log"
"gorm.io/gorm"
)

Expand Down Expand Up @@ -48,17 +47,8 @@ func UpdateProject(w http.ResponseWriter, r *http.Request) {

login_username := r.Context().Value(middleware.LoginCtxKey(middleware.LOGIN_CTX_USERNAME_KEY))

if reqFields.MentorUsername != login_username {
log.Warn().Msgf(
"%s %s %s\n%s %s",
r.Method,
r.RequestURI,
"POSSIBLE SESSION HIJACKING.",
fmt.Sprintf("JWT Username: %s", login_username),
fmt.Sprintf("Given Username: %s", reqFields.MentorUsername),
)

utils.RespondWithHTTPMessage(r, w, http.StatusUnauthorized, "Login username and mentor username do not match.")
err = utils.DetectSessionHijackAndRespond(r, w, reqFields.MentorUsername, login_username.(string), "Login username and mentor username do not match.")
if err != nil {
return
}

26 changes: 4 additions & 22 deletions controllers/student.go
Expand Up @@ -78,17 +78,8 @@ func RegisterStudent(w http.ResponseWriter, r *http.Request) {
// Check if the JWT login username is the same as the student's given username
login_username := r.Context().Value(middleware.LOGIN_CTX_USERNAME_KEY).(string)

if reqFields.Username != login_username {
utils.LogWarn(
r,
fmt.Sprintf(
"POSSIBLE SESSION HIJACKING\nJWT Username: %s, Given Username: %s",
login_username,
reqFields.Username,
),
)

utils.RespondWithHTTPMessage(r, w, http.StatusUnauthorized, "Login username and given username do not match.")
err = utils.DetectSessionHijackAndRespond(r, w, reqFields.Username, login_username, "Login username and given username do not match.")
if err != nil {
return
}

Expand Down Expand Up @@ -183,17 +174,8 @@ func StudentBlogLink(w http.ResponseWriter, r *http.Request) {
// Check if the JWT login username is the same as the student's given username
login_username := r.Context().Value(middleware.LOGIN_CTX_USERNAME_KEY).(string)

if reqFields.Username != login_username {
utils.LogWarn(
r,
fmt.Sprintf(
"POSSIBLE SESSION HIJACKING\nJWT Username: %s, Given Username: %s",
login_username,
reqFields.Username,
),
)

utils.RespondWithHTTPMessage(r, w, http.StatusUnauthorized, "Login username and given username do not match.")
err = utils.DetectSessionHijackAndRespond(r, w, reqFields.Username, login_username, "Login username and given username do not match.")
if err != nil {
return
}

24 changes: 22 additions & 2 deletions utils/log.go
@@ -1,11 +1,14 @@
package utils

import (
"net/http"

"errors"
"fmt"
"github.com/rs/zerolog/log"
"net/http"
)

var SessionHijackError = errors.New("Session hijack detected")

func LogErr(r *http.Request, err error, errMsg string) {
log.Err(err).Msgf(
"%s %s: %s",
Expand Down Expand Up @@ -42,3 +45,20 @@ func LogWarnAndRespond(r *http.Request, w http.ResponseWriter, warning string, s
LogWarn(r, warning)
RespondWithHTTPMessage(r, w, statusCode, warning)
}

func DetectSessionHijackAndRespond(r *http.Request, w http.ResponseWriter, request_username string, login_username string, message string) error {
if request_username != login_username {
LogWarn(
r,
fmt.Sprintf(
"POSSIBLE SESSION HIJACKING\nJWT Username: %s, Given Username: %s",
login_username,
request_username,
),
)

RespondWithHTTPMessage(r, w, http.StatusUnauthorized, message)
return SessionHijackError
}
return nil
}
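Review bot: In `DetectSessionHijackAndRespond`, `request_username` originates from the request body and is interpolated with `%s` into a warning whose format already uses `\n` as a separator, so a value containing newlines can, depending on how zerolog is configured to write (console output in particular), produce text that reads as additional log entries; `%q` on both names keeps each value quoted on one line: `"POSSIBLE SESSION HIJACKING\nJWT Username: %q, Given Username: %q",`. The sentinel `SessionHijackError` would follow Go convention as `ErrSessionHijack` with a lowercase message, `var ErrSessionHijack = errors.New("session hijack detected")`. The new exported function has no doc comment; one stating that it logs a warning, writes a 401 with `message` when `request_username` differs from `login_username`, and returns the sentinel only in that case (nil otherwise) would make clear to callers that the response has already been written when a non-nil error comes back. The import block also interleaves the zerolog import with the stdlib group, which goimports would split into two groups.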
