Trong Huu Nguyen
5febe7c766
feat: remove support for legacy cookie
2025-12-03 13:54:11 +01:00
Trong Huu Nguyen
4e1c8e68f8
feat(openid): retry front-channel logouts
2025-06-16 09:55:44 +02:00
Trong Huu Nguyen
1a138c66a3
refactor: move retry package
2025-06-16 09:55:42 +02:00
Trong Huu Nguyen
192cd86022
feat: use id_token instead of access_token for forward-auth headers
...
Co-authored-by: Thomas Krampl <thomas.siegfried.krampl@nav.no>
2025-05-22 11:09:59 +02:00
Trong Huu Nguyen
b21068f522
feat: set response headers for forward-auth behind feature flag
2025-05-22 09:04:58 +02:00
Trong Huu Nguyen
abf235dac6
feat(handler): attach token in forward-auth response
...
Co-authored-by: Thomas Krampl <thomas.siegfried.krampl@nav.no>
2025-05-21 15:16:27 +02:00
Trong Huu Nguyen
259bf635d1
chore(deps): bump github.com/lestrrat-go/jwx from v2 to v3
2025-05-21 10:38:26 +02:00
Trong Huu Nguyen
2ca79b595a
test: move upstream struct to reverseproxy file
2025-05-21 10:38:25 +02:00
Trong Huu Nguyen
762b64eff5
fix(reverseproxy): strip incoming id-token header for unauthenticated requests
2025-04-28 10:50:12 +02:00
Trong Huu Nguyen
126db31d25
feat: restrict non-navigational requests to oauth2-routes for all modes
2025-04-02 11:53:29 +02:00
Trong Huu Nguyen
1982d010f9
fix(handler/session): ignore request context cancellations
...
We ignore these as they are very likely due to the http request itself
being cancelled by the browser due to navigation and so on.
2025-03-03 08:48:21 +01:00
Trong Huu Nguyen
1efcf32cc0
fix(router): only disallow non-navigation requests for forward-auth
...
Unfortunately, public pages may have older user-agents that do not support Sec-Fetch- headers.
This is mostly Safari <16.3. We only apply this limitation for forward-auth for now.
2025-02-05 11:10:24 +01:00
Trong Huu Nguyen
2e8c7075ff
fix: set content-type header before status
2025-02-03 11:38:35 +01:00
Trong Huu Nguyen
4b1bdef5cd
feat: disallow non-navigational requests to login and logout endpoints
2025-01-31 16:42:24 +01:00
Trong Huu Nguyen
79ac15d455
feat(otel): consistency passthrough for spans and attributes
...
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:39 +01:00
Sindre Rødseth Hansen
07b542a2f5
feat(openid/error): add spans and attributes
...
Co-authored-by: tronghn <trong.huu.nguyen@nav.no>
2025-01-30 14:03:39 +01:00
Sindre Rødseth Hansen
dd0373b72d
feat(openid/client): add spans and attributes
...
Co-authored-by: tronghn <trong.huu.nguyen@nav.no>
2025-01-30 14:03:38 +01:00
Trong Huu Nguyen
44bb683531
feat(handler): add spans
...
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:38 +01:00
Trong Huu Nguyen
e6207fe3b4
feat(handler/reverseproxy): more spans
...
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:37 +01:00
Trong Huu Nguyen
787b54beeb
refactor(crypto): move to internal
...
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:36 +01:00
Trong Huu Nguyen
85230d5403
feat(session): add trace spans and attributes
...
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:35 +01:00
Trong Huu Nguyen
a157a13b9c
refactor(o11y): separate logging and otel packages
...
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:34 +01:00
Trong Huu Nguyen
21b85c4b54
feat(handler/reverseproxy): add trace spans with attributes
...
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:34 +01:00
Trong Huu Nguyen
13b11790fe
feat(handler): log additional fields for errors and reverseproxy
...
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-30 14:03:31 +01:00
Sindre Rødseth Hansen
ca77435d6a
feat(http): propagate traceparent for httpclient
...
Co-authored-by: tronghn <trong.huu.nguyen@nav.no>
2025-01-30 14:03:30 +01:00
Trong Huu Nguyen
9c8055bcd6
feat(openid/client): fall back to default value for invalid parameter values
...
Instead of erroring when receiving non-empty, invalid parameters, we fall back to
the configured (if any) default value for the identity provider, which
is already validated with its metadata document on start-up.
This prevents end-users from being exposed to unnecessary errors.
2025-01-27 08:44:07 +01:00
Trong Huu Nguyen
39207677b5
feat(middleware/logentry): add fields for sec-fetch headers
2025-01-24 09:13:59 +01:00
Trong Huu Nguyen
110dd64750
refactor(openid/client): extract authorization code parameters
...
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-23 12:03:42 +01:00
Trong Huu Nguyen
ab418c456c
fix(handler/reverseproxy): add nil check for session
...
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-23 10:16:13 +01:00
Trong Huu Nguyen
c1dd4f1177
refactor(handler/login): improve logging when rate limiting
...
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-22 12:03:01 +01:00
Trong Huu Nguyen
b6bfb817a4
feat(handler/login): add rate limit to prevent redirect loops
...
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-22 09:46:45 +01:00
Trong Huu Nguyen
64e9167e05
refactor(openid/client): remove indirection layer for login callback
...
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-21 09:39:23 +01:00
Trong Huu Nguyen
75f98debc5
feat(openid/client): validate iss parameter if provider declares authorization_response_iss_parameter_supported
...
Fixes #306.
Co-authored-by: sindrerh2 <sindre.rodseth.hansen@nav.no>
2025-01-21 09:39:21 +01:00
Sindre Rødseth Hansen
2feb6a3b77
feat: Add option for propagating id_token to upstream app
...
Fixes #315
Co-authored-by: tronghn <trong.huu.nguyen@nav.no>
2025-01-20 13:07:54 +01:00
Trong Huu Nguyen
3a4f656f33
style: make fmt [ci skip]
2025-01-17 14:22:48 +01:00
Trong Huu Nguyen
3e42d001f0
feat(handler/forwardauth): reduce log severity for non-existent sessions
2025-01-17 14:19:00 +01:00
Trong Huu Nguyen
3143940b08
feat: remove feature flags for session refresh
...
These feature flags were enabled by default. We specifically disallowed
the use of automatic refresh with the SSO mode, though this poses some
complexity if using the forward-auth feature.
To simplify configuration and code, we remove the flags in their
entirety as session refresh behaviour is mostly already handled by the
implementation of GetSession() in the handlers. Specifically:
- the Standalone handler needs to refresh sessions when reverse-proxying
to the upstream.
- the SSO server handler needs to refresh sessions only when using the
forward-auth feature. It does not have an upstream to reverse proxy
to.
- the SSO proxy handler is a read-only upstream proxy and does not
possess the ability to refresh sessions itself, though it will
delegate traffic for the session endpoints to the configured SSO server.
Automatic refreshing is thus only disabled when running in SSO mode
without the forward-auth feature.
2025-01-16 10:14:15 +01:00
Trong Huu Nguyen
0258ce7cfd
feat: add handler for forward-auth
2025-01-14 13:44:49 +01:00
Trong Huu Nguyen
c96e457675
test: assert unauthenticated response for session endpoints
2025-01-14 13:33:35 +01:00
Trong Huu Nguyen
b7b43e9793
refactor(openid): remove more indirection layers
2024-11-05 21:58:38 +01:00
Trong Huu Nguyen
d2e01b2ead
refactor: consolidate cookie config, correct documentation
2024-11-05 21:24:25 +01:00
Trong Huu Nguyen
bfb4929dc7
feat: allow disabling secure cookies for localhost
...
This is generally only necessary when using Safari.
Most other browsers respect the Secure attribute when using localhost.
2024-11-05 21:14:14 +01:00
Trong Huu Nguyen
db060a4caf
feat(handler): do not automatically retry token redemption failures
2024-11-05 19:57:48 +01:00
Trong Huu Nguyen
7c2d6d3f71
feat(templates): clean up error page after feedback
2024-10-16 12:46:29 +02:00
Trong Huu Nguyen
a4b832839c
feat(templates): make error page more generic and ✨ responsive ✨
...
Co-authored-by: Morten Lied Johansen <morten.lied.johansen@nav.no>
2024-10-09 08:58:36 +02:00
Trong Huu Nguyen
d6b57a6b7d
refactor(handler/sso/proxy): correct variable name
2024-09-11 09:27:13 +02:00
Trong Huu Nguyen
9e78ba78be
fix(handler/sso/proxy): avoid duplicate headers when proxying to server
2024-09-03 12:08:38 +02:00
Trong Huu Nguyen
155ebc745b
docs: clarify forwarded headers
2024-08-23 13:56:21 +02:00
Trong Huu Nguyen
57376643ba
build: go 1.23
2024-08-23 13:56:19 +02:00
Trong Huu Nguyen
3876820aee
refactor(retry): use DoValue
2024-08-23 13:55:51 +02:00