Remove 'gorilla' framework

It was being used for session management, but we weren't using any of the features that differentiated it from using go's cookies directly so it is hard to justify the additional dependencies.
2017-10-03 11:24:07 -04:00 · 2017-10-03 11:24:07 -04:00 · c783e2c1bb
parent 22560dd43a
commit c783e2c1bb
2 changed files with 37 additions and 24 deletions
--- a/main.go
+++ b/main.go
@ -4,7 +4,6 @@ package main

 import (
 	"flag"
-	"github.com/gorilla/context"
 	"log"
 	"net"
 	"net/http"
@ -76,8 +75,8 @@ func main() {

 	log.Printf("Serving on port %d out of directory: %s", config.MoneyGo.Port, config.MoneyGo.Basedir)
 	if config.MoneyGo.Fcgi {
-		fcgi.Serve(listener, context.ClearHandler(servemux))
+		fcgi.Serve(listener, servemux)
 	} else {
-		http.Serve(listener, context.ClearHandler(servemux))
+		http.Serve(listener, servemux)
 	}
 }
--- a/sessions.go
+++ b/sessions.go
@ -1,16 +1,16 @@
 package main

 import (
+	"crypto/rand"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"github.com/gorilla/securecookie"
-	"github.com/gorilla/sessions"
+	"io"
 	"log"
 	"net/http"
+	"time"
 )

-var cookie_store = sessions.NewCookieStore(securecookie.GenerateRandomKey(64))
-
 type Session struct {
 	SessionId     int64
 	SessionSecret string `json:"-"`
@ -25,14 +25,13 @@ func (s *Session) Write(w http.ResponseWriter) error {
 func GetSession(r *http.Request) (*Session, error) {
 	var s Session

-	session, _ := cookie_store.Get(r, "moneygo")
-	_, ok := session.Values["session-secret"]
-	if !ok {
-		return nil, fmt.Errorf("session-secret cookie not set")
+	cookie, err := r.Cookie("moneygo-session")
+	if err != nil {
+		return nil, fmt.Errorf("moneygo-session cookie not set")
 	}
-	s.SessionSecret = session.Values["session-secret"].(string)
+	s.SessionSecret = cookie.Value

-	err := DB.SelectOne(&s, "SELECT * from sessions where SessionSecret=?", s.SessionSecret)
+	err = DB.SelectOne(&s, "SELECT * from sessions where SessionSecret=?", s.SessionSecret)
 	if err != nil {
 		return nil, err
 	}
@ -46,26 +45,41 @@ func DeleteSessionIfExists(r *http.Request) {
 	}
 }

+func NewSessionCookie() (string, error) {
+	bits := make([]byte, 128)
+	if _, err := io.ReadFull(rand.Reader, bits); err != nil {
+		return "", err
+	}
+	return base64.StdEncoding.EncodeToString(bits), nil
+}
+
 func NewSession(w http.ResponseWriter, r *http.Request, userid int64) (*Session, error) {
 	s := Session{}

-	session, _ := cookie_store.Get(r, "moneygo")
+	session_secret, err := NewSessionCookie()
+	if err != nil {
+		return nil, err
+	}

-	session.Values["session-secret"] = string(securecookie.GenerateRandomKey(64))
-	s.SessionSecret = session.Values["session-secret"].(string)
+	cookie := http.Cookie{
+		Name:     "moneygo-session",
+		Value:    session_secret,
+		Path:     "/",
+		Domain:   r.URL.Host,
+		Expires:  time.Now().AddDate(0, 1, 0), // a month from now
+		Secure:   true,
+		HttpOnly: true,
+	}
+	http.SetCookie(w, &cookie)
+
+	s.SessionSecret = session_secret
 	s.UserId = userid

-	err := DB.Insert(&s)
+	err = DB.Insert(&s)
 	if err != nil {
 		return nil, err
 	}
-
-	err = session.Save(r, w)
-	if err != nil {
-		return nil, err
-	} else {
-		return &s, nil
-	}
+	return &s, nil
 }

 func SessionHandler(w http.ResponseWriter, r *http.Request) {