
Support larger session cookie #348

Open
alirazeen opened this issue Jan 9, 2021 · 10 comments

Comments

@alirazeen

Hello! First, I'd like to thank the authors of this very useful project!

I have a suggestion. I have noticed that when a user visits a vouch-protected site, and the URL is very long, completing the oauth flow will result in a 400 Bad Request. I suspect it's because the initial session state is not saved correctly. I see the following log lines from vouch:

{"level":"debug","ts":1610000281.386837,"msg":"raw URL is https://<LONG_REDACTED_URL>"}
{"level":"debug","ts":1610000281.3869734,"msg":"session requestedURL set to <LONG_REDACTED_URL>"}
{"level":"debug","ts":1610000281.386992,"msg":"saving session with failcount 1"}
{"level":"error","ts":1610000281.3871233,"msg":"securecookie: the value is too long"}
{"level":"debug","ts":1610000281.3871434,"msg":"redirecting to oauthURL <OAUTH_ENDPOINT>"}

Digging through the code and the Gorilla sessions and securecookie packages, it looks like the securecookie package lets you set the MaxLength property for cookies. By default, it's set to 4096 bytes.

From my understanding, these sessions are saved on the vouch server. If so, would it be possible to somehow expose the MaxLength option from the securecookie package so that we can change it in the vouch config? That way, the users of the vouch-protected site will not have to resort to any workarounds. The current workaround is:

  1. Initiate the first login to the site using a short URL.
  2. On successful login, use the long URL.

@bnfinet
Member

bnfinet commented Jan 9, 2021

@alirazeen thanks for the kind words

To clarify the URL is saved in a session cookie, not on the server.

please review #109 and other items in the issues related to "cookie size"

@bnfinet bnfinet changed the title Supporting larger session states through the MaxLength property in securecookie? Support larger session cookie Jan 9, 2021
@alirazeen
Author

Ah, got it. I overlooked something while I was looking at which browser cookies were being set by Vouch and didn't see the session cookie.

In #109, you made an offhand remark that there might not be a need to set the domain on the session cookie. Why is it being done this way now? Isn't it enough for the session cookie to be set to the vouch domain? Are there situations where it's better to have the session cookie set to the original URL the user tried to visit?

@bnfinet
Member

bnfinet commented Mar 8, 2021

@nicholac could you please edit your post in the manner described in the README

@nicholac

nicholac commented Mar 9, 2021

@bnfinet - Apos & thanks for checking - all formatted etc as per README in gist here:

https://gist.github.com/nicholac/e980beefcfa9bde0bc54eb6f93513ab6

@bnfinet
Member

bnfinet commented Mar 9, 2021

@nicholac thanks for doing that

session requestedURL set to https://+++++++++/

How long is the URL you're trying to store? I just want to confirm that we're running into this same issue.

@nicholac

nicholac commented Mar 10, 2021

Full URL at line 76 is 18 chars: https://localhost/

Full URL at line 90 is 1677 chars: https://localhost/auth?code=<1561 chars>&state=O9RuclIZi44VvoSUzPECXnO6fW2wYG&session_state=26f0d197-8a08-4d66-b3a7-64da1f9b11ce

I'd be happy to help out with a PR, but can't say I really know enough Go to contribute effectively.

@nicholac

@bnfinet - Any pointers on the above & how we can get it to work with Azure OIDC?

@mig5
Contributor

mig5 commented Jan 21, 2022

Reproducing this error with a MediaWiki installation. MediaWiki has some very long URLs that load static assets, such as

https://mediawiki.xxxxxx.com/load.php?lang=en&modules=diffMatchPatch%2Cdompurify%2Cmoment%2Coojs%2Coojs-ui%2Coojs-ui-core%2Coojs-ui-toolbars%2Coojs-ui-widgets%2Coojs-ui-windows%2Cpapaparse%2Crangefix%2Cspark-md5%2CtreeDiffer%2Cunicodejs%7Cext.visualEditor.data%2CmoduleIcons%2CmoduleIndicators%7Cjquery.lengthLimit%2Cspinner%2Ctablesorter%7Cjquery.spinner.styles%7Cjquery.tablesorter.styles%7Cjquery.uls.data%7Cmediawiki.ForeignApi%2CForeignStructuredUpload%2CForeignUpload%2CUpload%2Cpulsatingdot%2Cwidgets%7Cmediawiki.ForeignApi.core%7Cmediawiki.ForeignStructuredUpload.BookletLayout%7Cmediawiki.Upload.BookletLayout%7Cmediawiki.action.view.redirectPage%7Cmediawiki.diff.styles%7Cmediawiki.interface.helpers.styles%7Cmediawiki.language.months%2Cnames%7Cmediawiki.libs.jpegmeta%7Cmediawiki.page.gallery.styles%7Cmediawiki.skinning.content.parsoid%7Cmediawiki.widgets.AbandonEditDialog%2CCategoryMultiselectWidget%2CDateInputWidget%2CMediaSearch%2CStashedFileWidget%2CUserInputWidget%2Cstyles%7Cmediawiki.widgets.DateInputWidget.styles%7Coojs-ui-core.icons%2Cstyles%7Coojs-ui-toolbars.icons%7Coojs-ui-widgets.icons%7Coojs-ui-windows.icons%7Coojs-ui.styles.icons-accessibility%2Cicons-alerts%2Cicons-content%2Cicons-editing-advanced%2Cicons-editing-core%2Cicons-editing-list%2Cicons-editing-styling%2Cicons-interactions%2Cicons-layout%2Cicons-media%2Cicons-moderation%2Cicons-movement%2Cicons-user%2Cicons-wikimedia%2Cindicators&skin=vector&version=12156

I'm just hazarding a guess that it's one of those URLs that triggers it. Because what's weird is I can't reliably reproduce it. After an apparently random number of refreshes I trip the problem, then I can't again for ages. Obviously the main pages are much shorter URLs, but as I understand it, even 'assets' get passed through the auth_request unless specified otherwise?

Do we know how many characters crosses the threshold for the 'value is too long' message to occur? (which I have seen has come up in other projects: auth0-samples/auth0-golang-web-app#4, solo-io/gloo-portal-issues#56, markbates/goth#133 )
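As an added example (not vouch's or gorilla's code), the Go program below models the encoding overhead behind the MaxLength check that the first post raises and the threshold question above asks about: it runs a minimal session state through a securecookie-style pipeline assumed here (serialize, encrypt, MAC, two rounds of base64) and reports how long a requestedURL can get before the encoded cookie crosses a given MaxLength. The session fields, cookie name and key are constructed placeholders, so the numbers describe this model rather than vouch's real cookie, but they show that the encoding nearly doubles the stored bytes before any browser limit is reached.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// encodeCookie models a securecookie-style pipeline (assumed here, not gorilla's
// code): serialize the state, AES-CTR encrypt with the IV prepended, base64, HMAC
// over "name|date|value", base64 again. MaxLength is compared against len(result).
func encodeCookie(name string, state map[string]interface{}, encKey, macKey []byte) string {
	plain, _ := json.Marshal(state)
	block, _ := aes.NewCipher(encKey) // keys in this demo are always 32 bytes
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv)
	cipher.NewCTR(block, iv).XORKeyStream(plain, plain) // encrypt in place
	body := fmt.Sprintf("%d|%s|", time.Now().Unix(), base64.URLEncoding.EncodeToString(append(iv, plain...)))
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte(name + "|" + body[:len(body)-1]))
	return base64.URLEncoding.EncodeToString(append([]byte(body), mac.Sum(nil)...))
}

// encodedLen is the cookie length for a requestedURL of n chars (n >= 8). The state is a
// two-field stand-in (vouch's real session has more) and the key is constructed demo material.
func encodedLen(n int) int {
	key := []byte("constructed-demo-key-not-secret!") // 32 bytes, not a real secret
	state := map[string]interface{}{"requestedURL": "https://" + strings.Repeat("x", n-8), "failcount": 1}
	return len(encodeCookie("VouchSession", state, key, key))
}

// largestURL returns the longest requestedURL whose cookie still fits in limit.
func largestURL(limit int) int {
	for n := 8; ; n++ {
		if encodedLen(n) > limit {
			return n - 1
		}
	}
}

func main() {
	fmt.Printf("1677-char URL -> %d-byte cookie; longest URL under 4096: %d chars\n", encodedLen(1677), largestURL(4096))
}
```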

@bduffany

bduffany commented Apr 7, 2023

I am experiencing this issue using a Grafana dashboard URL that is 1800 characters long, using the google oauth provider and using Google Chrome version 111 on Linux. I can reproduce it 100% reliably.

If I try to visit the URL, I consistently get a 400 Bad Request page from Vouch. In the logs, I see the following errors:

{"level":"error", "msg":"no jwt found in request", "ts":1.6808808026673043E9}
{"level":"error", "msg":"securecookie: the value is too long", "ts":1.6808808027477238E9}
ERROR 2023-04-07T15:20:03.250552590Z [resource.labels.containerName: vouch]
{"level":"error", "msg":"/auth Invalid session state: stored %!s(<nil>), returned <REDACTED>", "ts":1.6808808032503834E9}
INFO 2023-04-07T15:20:03.250672064Z [resource.labels.containerName: vouch] {"avgLatency":9.1855E-5, "host":"<REDACTED>", "ipPort":"<REDACTED>", "latency":1.29954E-4, "level":"info", "method":"GET", "msg":"|400| 129.954µs /auth", "path":"/auth", "referer":"", "request":3.1316292E7, "statusCode":400, "ts":1.68088080325057E9}

If I trim the URL down to 1600 characters (from 1800), I consistently get a "502 Bad Gateway" error from nginx. In vouch, the only error that I see logged is

{"level":"error", "msg":"no jwt found in request", "ts":1.6808809397931244E9}

Interestingly, if I trim the URL down to 1500 characters, I consistently see the "400 Bad Request" page from Vouch again. In the logs, I see:

{"level":"error", "msg":"no jwt found in request", "ts":1.6808810710593183E9}
{"level":"error", "msg":"no destination URL requested", "ts":1.680881071159156E9}

(The "no destination URL requested" looks new.)

If I trim it down to 1400 characters, I consistently get the 502 Bad Gateway page again:

{"level":"error", "msg":"no jwt found in request", "ts":1.6808809397931244E9}

At 1300 characters, we're back to "400 Bad Request" again (this alternating between vouch<->nginx as I decrease the URL length is very interesting/weird; maybe it is related to the browser's cookie eviction policy or something like that)

At 1200 characters, the page loads without any issues.

I only decreased the character count by 100 at a time, but it seems the max URL length is somewhere between 1200-1300 chars. I am not sure if this is directly related to a browser-imposed limit on cookie size, or if it also depends on the size of other cookies (e.g. JWT cookie / VouchCookie etc. - I haven't fully grokked how all these cookies work yet)

@bnfinet
Member

bnfinet commented Apr 7, 2023

@bduffany thanks for confirming, PR welcome

Configuring the size of the session cookie beyond default 4096 sounds like it's worth trying
