Add How to using rails_cookie_auth file.

2025-09-27 04:55:57 +08:00 · 2025-08-18 11:11:58 +08:00
parent c770bf57b4
commit 6dc7b87d7b
1 changed files with 167 additions and 0 deletions
--- a/pkg/gin/middleware/rails_cookie_auth.md
+++ b/pkg/gin/middleware/rails_cookie_auth.md
@@ -0,0 +1,167 @@
+## Rails cookie authorization middleware
+
+Validate and decrypt a Rails 7.1+ encrypted session cookie using `secret_key_base`, then attach the decoded session payload to Gin context under key `rails_session`.
+
+This middleware is useful when a Go service needs to trust Rails session cookies issued by an existing Rails app (SSO between Rails and Go services).
+
+<br>
+
+### Requirements
+
+- Rails 7.1+ encrypted cookies (AES-256-GCM, PBKDF2-HMAC-SHA256, purpose: `cookie.<cookie_name>`)
+- Rails `secret_key_base`
+- The Rails session cookie name (from `config/initializers/session_store.rb`)
+
+Note: Rails < 7.1 used a different encryption scheme (AES-CBC + HMAC) and is not supported by this middleware.
+
+<br>
+
+### Configuration example
+
+If you keep app configuration in YAML, you can add a section like the following (example from a reference service):
+
+```yaml
+rails:
+  secretKeyBase: "change-me"                           # run: rails credentials:show
+  cookieName:    "_coreui_pro_rails_starter_session"   # from session_store.rb or browser devtools
+  userID:        1137                                    # optional: restrict to a specific logged-in user id
+```
+
+<br>
+
+### Usage
+
+Attach the middleware at the group or router level where you want Rails cookie authentication enforced:
+
+```go
+import (
+    "github.com/gin-gonic/gin"
+    "github.com/go-dev-frame/sponge/pkg/gin/middleware"
+)
+
+func NewRouter(secretKeyBase, cookieName string) *gin.Engine {
+    r := gin.Default()
+
+    g := r.Group("/api/v1")
+    g.Use(middleware.RailsCookieAuthMiddleware(secretKeyBase, cookieName))
+
+    // routes protected by Rails cookie auth
+    g.GET("/me", func(c *gin.Context) { /* ... */ })
+
+    return r
+}
+```
+
+The middleware:
+
+- Reads the Rails session cookie by `cookieName`
+- Verifies and decrypts it using `secretKeyBase`
+- Puts the decoded session map into Gin context at key `"rails_session"`
+
+<br>
+
+### Verifying the logged-in user (optional)
+
+If you also want to ensure the request belongs to a specific user id (as stored by Devise/Warden), you can add a follow-up middleware that extracts the user id from the Rails session and compares it. The helper below shows the pattern:
+
+```go
+import (
+    "strconv"
+    "github.com/gin-gonic/gin"
+    "github.com/go-dev-frame/sponge/pkg/rails"
+)
+
+func VerifyRailsSessionUserIdIs(userID int64) gin.HandlerFunc {
+    return func(c *gin.Context) {
+        v, ok := c.Get("rails_session")
+        if !ok {
+            c.AbortWithStatusJSON(401, gin.H{"error": "rails_session missing"})
+            return
+        }
+        session, ok := v.(map[string]any)
+        if !ok {
+            c.AbortWithStatusJSON(401, gin.H{"error": "invalid rails_session"})
+            return
+        }
+        uidVal, ok := rails.UserIDFromSession(session) // reads warden.user.user.key -> [[id], ...]
+        if !ok {
+            c.AbortWithStatusJSON(401, gin.H{"error": "user id not found in session"})
+            return
+        }
+        var uid int64
+        switch vv := uidVal.(type) {
+        case int64:
+            uid = vv
+        case int:
+            uid = int64(vv)
+        case float64:
+            uid = int64(vv)
+        case string:
+            parsed, err := strconv.ParseInt(vv, 10, 64)
+            if err != nil {
+                c.AbortWithStatusJSON(401, gin.H{"error": "invalid user id in session"})
+                return
+            }
+            uid = parsed
+        default:
+            c.AbortWithStatusJSON(401, gin.H{"error": "invalid user id type in session"})
+            return
+        }
+        if uid != userID {
+            c.AbortWithStatusJSON(403, gin.H{"error": "forbidden"})
+            return
+        }
+        c.Next()
+    }
+}
+```
+
+Then chain it after `RailsCookieAuthMiddleware`:
+
+```go
+g.Use(middleware.RailsCookieAuthMiddleware(secretKeyBase, cookieName))
+g.Use(VerifyRailsSessionUserIdIs(1137))
+```
+
+<br>
+
+### Accessing the Rails session in handlers
+
+```go
+v, ok := c.Get("rails_session")
+if !ok {
+    // not present
+}
+session := v.(map[string]any)
+
+// Example: extract the logged-in user id saved by Warden/Devise
+uid, ok := rails.UserIDFromSession(session)
+// uid can be number or string depending on Rails serialization
+```
+
+Common keys you may see in the session map include `"_csrf_token"` and `"warden.user.user.key"`.
+
+<br>
+
+### Testing with curl
+
+```bash
+curl -i \
+  -H "Cookie: <cookie_name>=<encrypted_cookie_value>" \
+  http://localhost:8080/api/v1/me
+```
+
+Replace `<cookie_name>` with your Rails session cookie name (e.g. `_coreui_pro_rails_starter_session`).
+
+<br>
+
+### Troubleshooting
+
+- 401 Missing cookie: ensure the browser sends the Rails session cookie to this domain/path
+- 401 Invalid cookie: check `secret_key_base`, cookie name, and that the cookie was created by the same Rails environment; requires Rails 7.1+
+- 401 user id not found: verify your app uses Devise/Warden and the session contains `warden.user.user.key`
+- 403 forbidden: your additional user id check failed
+
+Security tips: never log the cookie value; use HTTPS in production so cookies are transmitted securely.
+
+