From d21fac6f190c1079ca247658530d465ad5867ff5 Mon Sep 17 00:00:00 2001 From: Niall Sheridan Date: Thu, 9 Aug 2018 20:47:50 +0100 Subject: Only request a reason from the client if the server requires it --- server/config/config.go | 1 + server/web.go | 16 ++++++++++++---- 2 files changed, 13 insertions(+), 4 deletions(-) (limited to 'server') diff --git a/server/config/config.go b/server/config/config.go index 422a135..1985800 100644 --- a/server/config/config.go +++ b/server/config/config.go @@ -37,6 +37,7 @@ type Server struct { CSRFSecret string `hcl:"csrf_secret"` HTTPLogFile string `hcl:"http_logfile"` Database Database `hcl:"database"` + RequireReason bool `hcl:"require_reason"` } // Auth holds the configuration specific to the OAuth provider. diff --git a/server/web.go b/server/web.go index 5677429..e238150 100644 --- a/server/web.go +++ b/server/web.go @@ -33,8 +33,9 @@ import ( // appContext contains local context - cookiestore, authsession etc. type appContext struct { - cookiestore *sessions.CookieStore - authsession *auth.Session + cookiestore *sessions.CookieStore + authsession *auth.Session + requireReason bool } // getAuthTokenCookie retrieves a cookie from the request. @@ -141,6 +142,12 @@ func signHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, er if err != nil { return http.StatusBadRequest, errors.Wrap(err, "unable to extract key from request") } + + if a.requireReason && req.Message == "" { + w.Header().Add("X-Need-Reason", "required") + return http.StatusForbidden, errors.New(http.StatusText(http.StatusForbidden)) + } + username := authprovider.Username(token) authprovider.Revoke(token) // We don't need this anymore. cert, err := keysigner.SignUserKey(req, username) @@ -266,7 +273,6 @@ type appHandler struct { func (ah appHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { status, err := ah.h(ah.appContext, w, r) if err != nil { - log.Printf("HTTP %d: %q", status, err) http.Error(w, err.Error(), status) } } 
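Review bot: The new `RequireReason` field in config.go carries no doc comment, and because its zero value is false a deployment that never sets `require_reason` keeps accepting sign requests with no reason at all — a security-relevant default that operators may assume goes the other way. Add above the field: `// RequireReason makes the sign endpoint reject requests whose message is empty; defaults to false.` The enclosing Server struct starts outside the hunk.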
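Review bot: The new guard in signHandler tests `req.Message == ""` only, so a reason consisting of a single space or newline satisfies a server configured to require one; compare the trimmed value instead, `if a.requireReason && strings.TrimSpace(req.Message) == "" {` (the import block is not in this hunk, so `strings` may need adding). The response body is the bare `http.StatusText` "Forbidden", which tells a client that does not look at `X-Need-Reason` nothing actionable; `errors.New("this server requires a reason for signing requests")` would be clearer, and 400 Bad Request arguably fits better than 403 since the caller is authenticated but the request is incomplete. Returning before `authprovider.Revoke(token)` looks intentional so the client can presumably retry with a reason on the same token; a comment saying so would stop a later change from reordering it. signHandler begins and ends outside the hunk.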
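Review bot: Removing `log.Printf("HTTP %d: %q", status, err)` from appHandler.ServeHTTP means handler errors — the key-extraction 400s and the new reason-required 403s among them — no longer reach the server log; the `handlers.LoggingHandler` wrapped around the router in runHTTPServer records status codes but not the error text, so a burst of failed signing attempts becomes harder to investigate. If the goal was to keep the new 403 from spamming the log, narrow it rather than drop it: `if status >= 500 { log.Printf("HTTP %d: %q", status, err) }`. Separately, and pre-existing, `http.Error(w, err.Error(), status)` echoes the wrapped internal error to the client; for 5xx responses consider logging the detail and returning a generic message. The appHandler type declaration starts outside the hunk.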
@@ -283,7 +289,8 @@ func newState() string {
 func runHTTPServer(conf *config.Server, l net.Listener) {
 var err error
 ctx := &appContext{
- cookiestore: sessions.NewCookieStore([]byte(conf.CookieSecret)),
+ cookiestore: sessions.NewCookieStore([]byte(conf.CookieSecret)),
+ requireReason: conf.RequireReason,
 }
 ctx.cookiestore.Options = &sessions.Options{
 MaxAge: 900,
@@ -313,6 +320,7 @@ func runHTTPServer(conf *config.Server, l net.Listener) {
 r.Methods("GET").Path("/admin/certs.json").Handler(appHandler{ctx, listCertsJSONHandler})
 r.Methods("GET").Path("/metrics").Handler(promhttp.Handler())
 r.Methods("GET").Path("/healthcheck").HandlerFunc(healthcheck)
+
 box := packr.NewBox("static")
 r.PathPrefix("/static/").Handler(http.StripPrefix("/static/", http.FileServer(box)))
 h := handlers.LoggingHandler(logfile, r)
-- cgit v1.2.3