Rename to match actual use

banjax-config.yaml

@@ -109,5 +109,5 @@ session_cookie_hmac_secret: some_secret
 session_cookie_ttl_seconds: 3600
 sites_to_disable_baskerville:
   localhost: true
-use_user_agent_in_sha_inv:
+use_user_agent_in_cookie:
   localhost: true

internal/config.go

@@ -45,7 +45,7 @@ type Config struct {
 	SitesToProtectedPathExceptions         map[string][]string `yaml:"password_protected_path_exceptions"`
 	SitesToPasswordHashesRoaming           map[string]string   `yaml:"password_hash_roaming"`
 	SitesToPasswordCookieTtlSeconds        map[string]int      `yaml:"password_persite_cookie_ttl_seconds"`
-	SitesToUseUserAgentInShaInv            map[string]bool     `yaml:"use_user_agent_in_sha_inv"`
+	SitesToUseUserAgentInCookie            map[string]bool     `yaml:"use_user_agent_in_cookie"`
 	ExpiringDecisionTtlSeconds             int                 `yaml:"expiring_decision_ttl_seconds"`
 	TooManyFailedChallengesIntervalSeconds int                 `yaml:"too_many_failed_challenges_interval_seconds"`
 	TooManyFailedChallengesThreshold       int                 `yaml:"too_many_failed_challenges_threshold"`

internal/http_server.go

@@ -230,7 +230,7 @@ func challenge(
 	cookieTtlSeconds int,
 	secret string,
 	setDomainScope bool) {
-	newCookie := NewChallengeCookie(secret, cookieTtlSeconds, getShaInvBinding(c, config))
+	newCookie := NewChallengeCookie(secret, cookieTtlSeconds, getUserAgentOrIp(c, config))
 	// log.Println("Serving new cookie: ", newCookie)
 	domainScope := "" // Provide "" to domain so that the cookie is not set for subdomains, EX: example.com
 	if setDomainScope {
@@ -241,9 +241,9 @@ func challenge(
 	c.Header("Cache-Control", "no-cache,no-store")
 }
 
-func getShaInvBinding(c *gin.Context, config *Config) string {
+func getUserAgentOrIp(c *gin.Context, config *Config) string {
 	// Get binding either from IP or User-Agent base on config
-	_, ok := config.SitesToUseUserAgentInShaInv[c.Request.Header.Get("X-Requested-Host")]
+	_, ok := config.SitesToUseUserAgentInCookie[c.Request.Header.Get("X-Requested-Host")]
 	if ok {
 		return c.Request.Header.Get("X-Client-User-Agent")
 	}
@@ -471,7 +471,7 @@ func sendOrValidateShaChallenge(
 	challengeCookie, err := c.Cookie("deflect_challenge3")
 	requestedMethod := c.Request.Method
 	if err == nil {
-		err := ValidateShaInvCookie(config.HmacSecret, challengeCookie, time.Now(), getShaInvBinding(c, config), 10) // XXX config
+		err := ValidateShaInvCookie(config.HmacSecret, challengeCookie, time.Now(), getUserAgentOrIp(c, config), 10) // XXX config
 		if err != nil {
 			// log.Println("Sha-inverse challenge failed")
 			// log.Println(err)
@@ -581,13 +581,13 @@ func sendOrValidatePassword(
 			return sendOrValidatePasswordResult
 		}
 		// XXX maybe don't call this err?
-		err := ValidatePasswordCookie(config.HmacSecret, passwordCookie, time.Now(), getShaInvBinding(c, config), expectedHashedPassword)
+		err := ValidatePasswordCookie(config.HmacSecret, passwordCookie, time.Now(), getUserAgentOrIp(c, config), expectedHashedPassword)
 		if err != nil {
 			// Password fail, but provide second chance if password_hash_roaming is set
 			expectedHashedPassword2, hasPasswordRoaming := passwordProtectedPaths.SiteToRoamingPasswordHash[requestedHost]
 			if hasPasswordRoaming {
 				// log.Printf("Password challenge failed, but password_hash_roaming is set for %s, checking that", requestedHost)
-				err := ValidatePasswordCookie(config.HmacSecret, passwordCookie, time.Now(), getShaInvBinding(c, config), expectedHashedPassword2)
+				err := ValidatePasswordCookie(config.HmacSecret, passwordCookie, time.Now(), getUserAgentOrIp(c, config), expectedHashedPassword2)
 				if err == nil {
 					// roaming password passed, we do not record fail specifically for roaming fail
 					accessGranted(c, config, PasswordChallengeResultToString[PasswordChallengeRoamingPassed])