grafana/pkg/services/authn/clients/session.go

package clients

import (
	"context"
	"errors"
	"net/url"
	"strconv"
	"time"

	"go.opentelemetry.io/otel/trace"

	claims "github.com/grafana/authlib/types"
	"github.com/grafana/grafana/pkg/infra/log"
	"github.com/grafana/grafana/pkg/services/auth"
	"github.com/grafana/grafana/pkg/services/authn"
	"github.com/grafana/grafana/pkg/services/login"
	"github.com/grafana/grafana/pkg/services/user"
	"github.com/grafana/grafana/pkg/setting"
)

var _ authn.ContextAwareClient = new(Session)

func ProvideSession(cfg *setting.Cfg, sessionService auth.UserTokenService,
	authInfoService login.AuthInfoService, tracer trace.Tracer) *Session {
	return &Session{
		cfg:             cfg,
		log:             log.New(authn.ClientSession),
		sessionService:  sessionService,
		authInfoService: authInfoService,
		tracer:          tracer,
	}
}

type Session struct {
	cfg             *setting.Cfg
	log             log.Logger
	sessionService  auth.UserTokenService
	authInfoService login.AuthInfoService
	tracer          trace.Tracer
}

func (s *Session) Name() string {
	return authn.ClientSession
}

func (s *Session) Authenticate(ctx context.Context, r *authn.Request) (*authn.Identity, error) {
	unescapedCookie, err := r.HTTPRequest.Cookie(s.cfg.LoginCookieName)
	if err != nil {
		return nil, err
	}

	rawSessionToken, err := url.QueryUnescape(unescapedCookie.Value)
	if err != nil {
		return nil, err
	}

	token, err := s.sessionService.LookupToken(ctx, rawSessionToken)
	if err != nil {
		return nil, err
	}

	if token.NeedsRotation(time.Duration(s.cfg.TokenRotationIntervalMinutes) * time.Minute) {
		return nil, authn.ErrTokenNeedsRotation.Errorf("token needs to be rotated")
	}

	ident := &authn.Identity{
		ID:           strconv.FormatInt(token.UserId, 10),
		Type:         claims.TypeUser,
		SessionToken: token,
		ClientParams: authn.ClientParams{
			FetchSyncedUser: true,
			SyncPermissions: true,
		},
	}

	info, err := s.authInfoService.GetAuthInfo(ctx, &login.GetAuthInfoQuery{UserId: token.UserId})
	if err != nil {
		if !errors.Is(err, user.ErrUserNotFound) {
			s.log.FromContext(ctx).Error("Failed to fetch auth info", "err", err)
		}
		return ident, nil
	}

	ident.AuthID = info.AuthId
	ident.AuthenticatedBy = info.AuthModule
	return ident, nil
}

func (s *Session) IsEnabled() bool {
	return true
}

func (s *Session) Test(ctx context.Context, r *authn.Request) bool {
	if s.cfg.LoginCookieName == "" {
		return false
	}

	if _, err := r.HTTPRequest.Cookie(s.cfg.LoginCookieName); err != nil {
		return false
	}

	return true
}

func (s *Session) Priority() uint {
	return 60
}
AuthN: Add session client (#60894) * add basic session client * populate UserToken in ReqContext * token rotation as a post auth hook * fixed in context handler * add session token rotation * add session token tests * use namespacedID constructor 2023-01-04 23:10:43 +08:00			`package clients`

			`import (`
			`"context"`
Session: set authID and authenticatedBy (#85806) * Authn: Resolve authenticate by and auth id when fethcing signed in user * Change logout client interface to only take Requester interface * Session: Fetch external auth info when authenticating sessions * Use authenticated by from identity * Move call to get auth-info into session client and use GetAuthenticatedBy in various places 2024-04-11 16:25:29 +08:00			`"errors"`
AuthN: Add session client (#60894) * add basic session client * populate UserToken in ReqContext * token rotation as a post auth hook * fixed in context handler * add session token rotation * add session token tests * use namespacedID constructor 2023-01-04 23:10:43 +08:00			`"net/url"`
Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID 2024-08-13 16:18:28 +08:00			`"strconv"`
Auth: Add feature flag to move token rotation to client (#65060) * FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2023-03-23 21:39:04 +08:00			`"time"`
AuthN: Add session client (#60894) * add basic session client * populate UserToken in ReqContext * token rotation as a post auth hook * fixed in context handler * add session token rotation * add session token tests * use namespacedID constructor 2023-01-04 23:10:43 +08:00
Auth: Add tracing to auth clients and AuthToken service (#107878) * Add tracing to auth clients + authtoken svc * Fix span names * Fix ext_jwt.go * Fix idimpl/service * Update wire_gen.go * Add tracing to JWT client * Lint 2025-07-10 21:41:00 +08:00			`"go.opentelemetry.io/otel/trace"`

Authlib: Use types package rather than claims (#99243) 2025-01-21 17:06:55 +08:00			`claims "github.com/grafana/authlib/types"`
AuthN: Add session client (#60894) * add basic session client * populate UserToken in ReqContext * token rotation as a post auth hook * fixed in context handler * add session token rotation * add session token tests * use namespacedID constructor 2023-01-04 23:10:43 +08:00			`"github.com/grafana/grafana/pkg/infra/log"`
			`"github.com/grafana/grafana/pkg/services/auth"`
			`"github.com/grafana/grafana/pkg/services/authn"`
Session: set authID and authenticatedBy (#85806) * Authn: Resolve authenticate by and auth id when fethcing signed in user * Change logout client interface to only take Requester interface * Session: Fetch external auth info when authenticating sessions * Use authenticated by from identity * Move call to get auth-info into session client and use GetAuthenticatedBy in various places 2024-04-11 16:25:29 +08:00			`"github.com/grafana/grafana/pkg/services/login"`
			`"github.com/grafana/grafana/pkg/services/user"`
AuthN: add utility functions for different type of login responses (#64133) * AuthN: add utility functions to handle response and redirect after successful login * API: Reuse utility functions for logins if authnService flag is enabled 2023-03-03 21:17:09 +08:00			`"github.com/grafana/grafana/pkg/setting"`
AuthN: Add session client (#60894) * add basic session client * populate UserToken in ReqContext * token rotation as a post auth hook * fixed in context handler * add session token rotation * add session token tests * use namespacedID constructor 2023-01-04 23:10:43 +08:00			`)`

AuthN: Rebuild Authenticate so we only have to call it once in context handler (#61705) * API: Add reqSignedIn to router groups * AuthN: Add fall through in context handler * AuthN: Add IsAnonymous field * AuthN: add priority to context aware clients * ContextHandler: Add comment * AuthN: Add a simple priority queue * AuthN: Add Name to client interface * AuthN: register clients with function * AuthN: update mock and fake to implement interface * AuthN: rewrite test without reflection * AuthN: add comment * AuthN: fix queue insert * AuthN: rewrite tests * AuthN: make the queue generic so we can reuse it for hooks * ContextHandler: Add fixme for auth headers * AuthN: remove unused variable * AuthN: use multierror * AuthN: write proper tests for queue * AuthN: Add queue item that can store the value and priority Co-authored-by: Jo <joao.guerreiro@grafana.com> 2023-01-26 17:50:44 +08:00			`var _ authn.ContextAwareClient = new(Session)`
AuthN: Add session client (#60894) * add basic session client * populate UserToken in ReqContext * token rotation as a post auth hook * fixed in context handler * add session token rotation * add session token tests * use namespacedID constructor 2023-01-04 23:10:43 +08:00
Auth: Add tracing to auth clients and AuthToken service (#107878) * Add tracing to auth clients + authtoken svc * Fix span names * Fix ext_jwt.go * Fix idimpl/service * Update wire_gen.go * Add tracing to JWT client * Lint 2025-07-10 21:41:00 +08:00			`func ProvideSession(cfg *setting.Cfg, sessionService auth.UserTokenService,`
			`authInfoService login.AuthInfoService, tracer trace.Tracer) *Session {`
AuthN: Add session client (#60894) * add basic session client * populate UserToken in ReqContext * token rotation as a post auth hook * fixed in context handler * add session token rotation * add session token tests * use namespacedID constructor 2023-01-04 23:10:43 +08:00			`return &Session{`
Session: set authID and authenticatedBy (#85806) * Authn: Resolve authenticate by and auth id when fethcing signed in user * Change logout client interface to only take Requester interface * Session: Fetch external auth info when authenticating sessions * Use authenticated by from identity * Move call to get auth-info into session client and use GetAuthenticatedBy in various places 2024-04-11 16:25:29 +08:00			`cfg: cfg,`
			`log: log.New(authn.ClientSession),`
			`sessionService: sessionService,`
			`authInfoService: authInfoService,`
Auth: Add tracing to auth clients and AuthToken service (#107878) * Add tracing to auth clients + authtoken svc * Fix span names * Fix ext_jwt.go * Fix idimpl/service * Update wire_gen.go * Add tracing to JWT client * Lint 2025-07-10 21:41:00 +08:00			`tracer: tracer,`
AuthN: Add session client (#60894) * add basic session client * populate UserToken in ReqContext * token rotation as a post auth hook * fixed in context handler * add session token rotation * add session token tests * use namespacedID constructor 2023-01-04 23:10:43 +08:00			`}`
			`}`

			`type Session struct {`
Session: set authID and authenticatedBy (#85806) * Authn: Resolve authenticate by and auth id when fethcing signed in user * Change logout client interface to only take Requester interface * Session: Fetch external auth info when authenticating sessions * Use authenticated by from identity * Move call to get auth-info into session client and use GetAuthenticatedBy in various places 2024-04-11 16:25:29 +08:00			`cfg *setting.Cfg`
			`log log.Logger`
			`sessionService auth.UserTokenService`
			`authInfoService login.AuthInfoService`
Auth: Add tracing to auth clients and AuthToken service (#107878) * Add tracing to auth clients + authtoken svc * Fix span names * Fix ext_jwt.go * Fix idimpl/service * Update wire_gen.go * Add tracing to JWT client * Lint 2025-07-10 21:41:00 +08:00			`tracer trace.Tracer`
AuthN: Add session client (#60894) * add basic session client * populate UserToken in ReqContext * token rotation as a post auth hook * fixed in context handler * add session token rotation * add session token tests * use namespacedID constructor 2023-01-04 23:10:43 +08:00			`}`

AuthN: Rebuild Authenticate so we only have to call it once in context handler (#61705) * API: Add reqSignedIn to router groups * AuthN: Add fall through in context handler * AuthN: Add IsAnonymous field * AuthN: add priority to context aware clients * ContextHandler: Add comment * AuthN: Add a simple priority queue * AuthN: Add Name to client interface * AuthN: register clients with function * AuthN: update mock and fake to implement interface * AuthN: rewrite test without reflection * AuthN: add comment * AuthN: fix queue insert * AuthN: rewrite tests * AuthN: make the queue generic so we can reuse it for hooks * ContextHandler: Add fixme for auth headers * AuthN: remove unused variable * AuthN: use multierror * AuthN: write proper tests for queue * AuthN: Add queue item that can store the value and priority Co-authored-by: Jo <joao.guerreiro@grafana.com> 2023-01-26 17:50:44 +08:00			`func (s *Session) Name() string {`
			`return authn.ClientSession`
AuthN: Add session client (#60894) * add basic session client * populate UserToken in ReqContext * token rotation as a post auth hook * fixed in context handler * add session token rotation * add session token tests * use namespacedID constructor 2023-01-04 23:10:43 +08:00			`}`

			`func (s Session) Authenticate(ctx context.Context, r authn.Request) (*authn.Identity, error) {`
AuthN: add utility functions for different type of login responses (#64133) * AuthN: add utility functions to handle response and redirect after successful login * API: Reuse utility functions for logins if authnService flag is enabled 2023-03-03 21:17:09 +08:00			`unescapedCookie, err := r.HTTPRequest.Cookie(s.cfg.LoginCookieName)`
AuthN: Add session client (#60894) * add basic session client * populate UserToken in ReqContext * token rotation as a post auth hook * fixed in context handler * add session token rotation * add session token tests * use namespacedID constructor 2023-01-04 23:10:43 +08:00			`if err != nil {`
			`return nil, err`
			`}`

			`rawSessionToken, err := url.QueryUnescape(unescapedCookie.Value)`
			`if err != nil {`
			`return nil, err`
			`}`

			`token, err := s.sessionService.LookupToken(ctx, rawSessionToken)`
			`if err != nil {`
			`return nil, err`
			`}`

AuthToken: Remove client token rotation feature toggle (#82886) * Remove usage of client token rotation flag * Remove client token rotation feature toggle 2024-02-16 22:03:37 +08:00			`if token.NeedsRotation(time.Duration(s.cfg.TokenRotationIntervalMinutes) * time.Minute) {`
			`return nil, authn.ErrTokenNeedsRotation.Errorf("token needs to be rotated")`
AuthN: Add session client (#60894) * add basic session client * populate UserToken in ReqContext * token rotation as a post auth hook * fixed in context handler * add session token rotation * add session token tests * use namespacedID constructor 2023-01-04 23:10:43 +08:00			`}`

Session: set authID and authenticatedBy (#85806) * Authn: Resolve authenticate by and auth id when fethcing signed in user * Change logout client interface to only take Requester interface * Session: Fetch external auth info when authenticating sessions * Use authenticated by from identity * Move call to get auth-info into session client and use GetAuthenticatedBy in various places 2024-04-11 16:25:29 +08:00			`ident := &authn.Identity{`
Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID 2024-08-13 16:18:28 +08:00			`ID: strconv.FormatInt(token.UserId, 10),`
			`Type: claims.TypeUser,`
Auth: Add feature flag to move token rotation to client (#65060) * FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2023-03-23 21:39:04 +08:00			`SessionToken: token,`
			`ClientParams: authn.ClientParams{`
			`FetchSyncedUser: true,`
			`SyncPermissions: true,`
			`},`
Session: set authID and authenticatedBy (#85806) * Authn: Resolve authenticate by and auth id when fethcing signed in user * Change logout client interface to only take Requester interface * Session: Fetch external auth info when authenticating sessions * Use authenticated by from identity * Move call to get auth-info into session client and use GetAuthenticatedBy in various places 2024-04-11 16:25:29 +08:00			`}`

			`info, err := s.authInfoService.GetAuthInfo(ctx, &login.GetAuthInfoQuery{UserId: token.UserId})`
			`if err != nil {`
			`if !errors.Is(err, user.ErrUserNotFound) {`
			`s.log.FromContext(ctx).Error("Failed to fetch auth info", "err", err)`
			`}`
			`return ident, nil`
			`}`

			`ident.AuthID = info.AuthId`
			`ident.AuthenticatedBy = info.AuthModule`
			`return ident, nil`
AuthN: Add session client (#60894) * add basic session client * populate UserToken in ReqContext * token rotation as a post auth hook * fixed in context handler * add session token rotation * add session token tests * use namespacedID constructor 2023-01-04 23:10:43 +08:00			`}`

Auth: Add `IsClientEnabled` and `IsEnabled` for the `authn.Service` and `authn.Client` interfaces (#86034) * Add `Service. IsClientEnabled` and `Client.IsEnabled` functions * Implement `IsEnabled` function for authn clients * Implement `IsClientEnabled` function for authn services 2024-04-15 16:54:50 +08:00			`func (s *Session) IsEnabled() bool {`
			`return true`
			`}`

AuthN: Rebuild Authenticate so we only have to call it once in context handler (#61705) * API: Add reqSignedIn to router groups * AuthN: Add fall through in context handler * AuthN: Add IsAnonymous field * AuthN: add priority to context aware clients * ContextHandler: Add comment * AuthN: Add a simple priority queue * AuthN: Add Name to client interface * AuthN: register clients with function * AuthN: update mock and fake to implement interface * AuthN: rewrite test without reflection * AuthN: add comment * AuthN: fix queue insert * AuthN: rewrite tests * AuthN: make the queue generic so we can reuse it for hooks * ContextHandler: Add fixme for auth headers * AuthN: remove unused variable * AuthN: use multierror * AuthN: write proper tests for queue * AuthN: Add queue item that can store the value and priority Co-authored-by: Jo <joao.guerreiro@grafana.com> 2023-01-26 17:50:44 +08:00			`func (s Session) Test(ctx context.Context, r authn.Request) bool {`
AuthN: add utility functions for different type of login responses (#64133) * AuthN: add utility functions to handle response and redirect after successful login * API: Reuse utility functions for logins if authnService flag is enabled 2023-03-03 21:17:09 +08:00			`if s.cfg.LoginCookieName == "" {`
AuthN: Rebuild Authenticate so we only have to call it once in context handler (#61705) * API: Add reqSignedIn to router groups * AuthN: Add fall through in context handler * AuthN: Add IsAnonymous field * AuthN: add priority to context aware clients * ContextHandler: Add comment * AuthN: Add a simple priority queue * AuthN: Add Name to client interface * AuthN: register clients with function * AuthN: update mock and fake to implement interface * AuthN: rewrite test without reflection * AuthN: add comment * AuthN: fix queue insert * AuthN: rewrite tests * AuthN: make the queue generic so we can reuse it for hooks * ContextHandler: Add fixme for auth headers * AuthN: remove unused variable * AuthN: use multierror * AuthN: write proper tests for queue * AuthN: Add queue item that can store the value and priority Co-authored-by: Jo <joao.guerreiro@grafana.com> 2023-01-26 17:50:44 +08:00			`return false`
			`}`

AuthN: add utility functions for different type of login responses (#64133) * AuthN: add utility functions to handle response and redirect after successful login * API: Reuse utility functions for logins if authnService flag is enabled 2023-03-03 21:17:09 +08:00			`if _, err := r.HTTPRequest.Cookie(s.cfg.LoginCookieName); err != nil {`
AuthN: Rebuild Authenticate so we only have to call it once in context handler (#61705) * API: Add reqSignedIn to router groups * AuthN: Add fall through in context handler * AuthN: Add IsAnonymous field * AuthN: add priority to context aware clients * ContextHandler: Add comment * AuthN: Add a simple priority queue * AuthN: Add Name to client interface * AuthN: register clients with function * AuthN: update mock and fake to implement interface * AuthN: rewrite test without reflection * AuthN: add comment * AuthN: fix queue insert * AuthN: rewrite tests * AuthN: make the queue generic so we can reuse it for hooks * ContextHandler: Add fixme for auth headers * AuthN: remove unused variable * AuthN: use multierror * AuthN: write proper tests for queue * AuthN: Add queue item that can store the value and priority Co-authored-by: Jo <joao.guerreiro@grafana.com> 2023-01-26 17:50:44 +08:00			`return false`
			`}`

			`return true`
			`}`

			`func (s *Session) Priority() uint {`
			`return 60`
			`}`