@@ -263,7 +263,7 @@ func sessionSigningKeys(options Options) (SigningKey, map[string]SigningKey, err
263263
264264func validateSigningKeyID (label string , id string ) error {
265265 if strings .Contains (id , "." ) {
266- return fmt .Errorf ("gowdk auth: %s id %q must not contain . " , label , id )
266+ return fmt .Errorf ("gowdk auth: %s id %q must not contain dot " , label , id )
267267 }
268268 return nil
269269}
@@ -406,12 +406,12 @@ func (sessions *Sessions) Revoke(ctx context.Context, request *http.Request) err
406406 if sessions .mode != SessionModeRevocable || request == nil {
407407 return nil
408408 }
409- cookie , err := request . Cookie ( sessions .cookie )
410- if err != nil {
409+ cookie , ok := sessions .requestCookie ( request )
410+ if ! ok {
411411 return nil
412412 }
413- payload , err := sessions .verify (cookie .Value )
414- if err != nil {
413+ payload , ok := sessions .verifiedPayload (cookie .Value )
414+ if ! ok {
415415 return nil
416416 }
417417 if strings .TrimSpace (payload .SessionID ) == "" {
@@ -456,24 +456,24 @@ func (sessions *Sessions) ClearCookie() http.Cookie {
456456// principal and no error, meaning unauthenticated.
457457func (sessions * Sessions ) Principal (request * http.Request ) (* Principal , error ) {
458458 if request == nil {
459- return nil , nil
459+ return unauthenticatedPrincipal ()
460460 }
461- cookie , err := request . Cookie ( sessions .cookie )
462- if err != nil {
463- return nil , nil
461+ cookie , ok := sessions .requestCookie ( request )
462+ if ! ok {
463+ return unauthenticatedPrincipal ()
464464 }
465- payload , err := sessions .verify (cookie .Value )
466- if err != nil {
467- return nil , nil
465+ payload , ok := sessions .verifiedPayload (cookie .Value )
466+ if ! ok {
467+ return unauthenticatedPrincipal ()
468468 }
469469 if sessions .now ().Unix () >= payload .Expires {
470- return nil , nil
470+ return unauthenticatedPrincipal ()
471471 }
472472 if sessions .mode == SessionModeRevocable {
473473 return sessions .revocablePrincipal (request .Context (), payload )
474474 }
475475 if strings .TrimSpace (payload .ID ) == "" {
476- return nil , nil
476+ return unauthenticatedPrincipal ()
477477 }
478478 return & Principal {
479479 ID : payload .ID ,
@@ -485,21 +485,21 @@ func (sessions *Sessions) Principal(request *http.Request) (*Principal, error) {
485485
486486func (sessions * Sessions ) revocablePrincipal (ctx context.Context , payload sessionPayload ) (* Principal , error ) {
487487 if strings .TrimSpace (payload .SessionID ) == "" {
488- return nil , nil
488+ return unauthenticatedPrincipal ()
489489 }
490490 record , err := sessions .store .LookupSession (ctx , payload .SessionID )
491491 if err != nil {
492492 if errors .Is (err , ErrSessionNotFound ) {
493- return nil , nil
493+ return unauthenticatedPrincipal ()
494494 }
495495 return nil , err
496496 }
497497 now := sessions .now ()
498498 if record .Revoked || record .expired (now ) || strings .TrimSpace (record .Principal .ID ) == "" {
499- return nil , nil
499+ return unauthenticatedPrincipal ()
500500 }
501501 if sessionRecordAuthorizationVersion (record ) != payload .AuthorizationVersion {
502- return nil , nil
502+ return unauthenticatedPrincipal ()
503503 }
504504 if sessions .idleTTL > 0 {
505505 toucher , ok := sessions .store .(SessionToucher )
@@ -516,6 +516,27 @@ func (sessions *Sessions) revocablePrincipal(ctx context.Context, payload sessio
516516 return & principal , nil
517517}
518518
519+ func unauthenticatedPrincipal () (* Principal , error ) {
520+ var principal * Principal
521+ return principal , nil
522+ }
523+
524+ func (sessions * Sessions ) requestCookie (request * http.Request ) (* http.Cookie , bool ) {
525+ cookie , err := request .Cookie (sessions .cookie )
526+ if err != nil {
527+ return nil , false
528+ }
529+ return cookie , true
530+ }
531+
532+ func (sessions * Sessions ) verifiedPayload (token string ) (sessionPayload , bool ) {
533+ payload , err := sessions .verify (token )
534+ if err != nil {
535+ return sessionPayload {}, false
536+ }
537+ return payload , true
538+ }
539+
519540func sessionRecordAuthorizationVersion (record SessionRecord ) string {
520541 if record .Principal .AuthorizationVersion != "" {
521542 return record .Principal .AuthorizationVersion
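Review bot: `verifiedPayload` drops the error from `sessions.verify` and returns only a bool, so a cookie that `verify` rejects looks the same as a request with no cookie, and this helper is now the one place where that detail is lost for both `Principal` and `Revoke`. Failing closed as unauthenticated is the right result for callers, but nothing visible in this hunk records the rejection. If `verify` does not already log or count failures, consider doing it here before `return sessionPayload{}, false`, since repeated rejected cookies are a useful tampering signal for whoever monitors the service. The three new helpers also have no doc comments; I would add `// verifiedPayload returns the payload only if sessions.verify accepts token; any verification error is reported as false so callers treat the request as unauthenticated.` and `// unauthenticatedPrincipal returns a nil principal and a nil error, which Principal documents as meaning unauthenticated.`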