github/wonderwall
1
0
Fork 0
mirror of https://github.com/nais/wonderwall.git synced 2026-05-07 17:06:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
557 Commits 2 Branches 0 Tags
00432bcfd670f28c2ae55ddcfafbf70ad4a0f5bf
Commit Graph

134 Commits

Author SHA1 Message Date
Trong Huu Nguyen
59b2dd1d66 fix(handler/reverseproxy): only trigger acr step up for non-ignored autologin paths 2023-05-02 08:53:51 +02:00
Trong Huu Nguyen
feb27414a5 refactor(handler/acr): only enable if autologin is also enabled 2023-04-29 13:56:13 +02:00
Trong Huu Nguyen
3a239a95c3 feat(reverseproxy): validate acr and redirect if applicable 2023-04-29 11:54:53 +02:00
Trong Huu Nguyen
7c98fe161e refactor(handler/reverseproxy): retrieve both session and token 2023-04-29 11:17:00 +02:00
Trong Huu Nguyen
efcc276ed5 fix(handler/sso/proxy): redirect logout callbacks to logout 2023-04-29 09:00:28 +02:00
Trong Huu Nguyen
87ffee4a34 fix(handler/sso/proxy): proxy frontchannel logouts 2023-04-29 08:55:14 +02:00
Trong Huu Nguyen
ab2a8b6fec fix(handler/sso/proxy): redirect callback requests to login 2023-04-29 08:52:41 +02:00
Trong Huu Nguyen
568f9f7683 feat(handler): use 302 instead of 303 for redirects 2023-04-29 08:42:29 +02:00
Trong Huu Nguyen
bc651d9082 fix: use 303 instead of 307 for redirects 2023-04-28 01:30:17 +02:00
Trong Huu Nguyen
c60f9478a5 fix(metrics): strip urls for login counter 2023-04-26 09:57:29 +02:00
Trong Huu Nguyen
55d2e0ce3b feat(metrics): add redirect label for login counter 2023-04-26 09:28:00 +02:00
Trong Huu Nguyen
ad7160e04d fix(handler/sso/proxy): local logout should be reverse proxied 2023-04-21 16:43:33 +02:00
Trong Huu Nguyen
0ba41e312a feat(handler): local logout returns 204 instead of redirect 
Redirecting after local logout introduces the possibility of matching a
path that automatically performs login, which for a local logout means
the user is automatically logged in again due to having an SSO session -
which nullifies the whole logout operation.

Applications that want local logout must trigger and handle the response
just like any other API call.
 2023-04-21 16:25:26 +02:00
Trong Huu Nguyen
0ba124809a feat(handler): local logout redirects back to preconfigured URL 2023-04-21 15:21:02 +02:00
Trong Huu Nguyen
19b2401831 feat(metrics): add authentication method reference label for successful logins 2023-04-18 12:20:23 +02:00
Trong Huu Nguyen
bab62c072b feat(handler/sso/server): return not found instead of redirect for wildcard handler 2023-04-13 14:20:38 +02:00
Trong Huu Nguyen
5ad603395c fix(handler/sso/proxy): override request path for reverseproxy to sso-server 2023-04-13 14:19:48 +02:00
Trong Huu Nguyen
9cb648917b fix(handler/sso/proxy): only set default query parameters for login handler 2023-04-13 09:20:34 +02:00
Trong Huu Nguyen
163d9e42ad fix(handler/reverseproxy): preserve inbound forwarded/x-forwarded headers 2023-04-12 15:05:55 +02:00
Trong Huu Nguyen
ef8c7d2cca feat(sso/server): redirect to login for wildcard handler 2023-03-29 09:55:16 +02:00
Trong Huu Nguyen
c72093dda9 fix(handler/sso/proxy): use correct query for login url 2023-03-21 09:11:31 +01:00
Trong Huu Nguyen
3dc3c1dee5 feat(sso/server): return not found instead of redirect for wildcard handler 2023-03-08 12:53:25 +01:00
Trong Huu Nguyen
a375ac774d feat(router): add ping route for health probes 2023-03-01 09:27:06 +01:00
Trong Huu Nguyen
442e056b26 refactor(handler): inline error handler, remove unnecessary getters 2023-02-24 19:24:02 +01:00
Trong Huu Nguyen
f346e9e91d refactor(router): use a more apt name for wildcard handler 2023-02-24 18:33:41 +01:00
Trong Huu Nguyen
5342913676 refactor: move cookie options to handler constructors 2023-02-24 18:21:36 +01:00
Trong Huu Nguyen
3e93423464 refactor(sso/server): redirect requests for wildcard routes to default URL 2023-02-22 10:19:26 +01:00
Trong Huu Nguyen
9ecfdb73ef fix(handler): time-to-refresh in session metadata is disabled for sso 2023-02-22 10:11:39 +01:00
Trong Huu Nguyen
492e0b5625 feat(sso/proxy): implement upstream reverseproxy with prerequisites 2023-02-21 14:50:51 +01:00
Trong Huu Nguyen
94a66fac2a refactor(handler): extract path matcher for reuse 2023-02-21 14:45:14 +01:00
Trong Huu Nguyen
59a2e7b7a0 refactor(session): simplify AccessToken method, don't export methods that are only used within package 2023-02-21 14:40:27 +01:00
Trong Huu Nguyen
27897dad63 refactor(handler/standalone): use new sessionmanager, remove unneeded methods 2023-02-21 14:16:51 +01:00
Trong Huu Nguyen
7a52b0d1a3 refactor(handler/reverseproxy): require GetAccessToken from source instead of obsolete session handler 2023-02-21 13:31:06 +01:00
Trong Huu Nguyen
f4ae907a2b refactor(handler/reverseproxy): clean up error handling 2023-02-21 13:30:29 +01:00
Trong Huu Nguyen
fb28da7241 refactor: consolidate handlers 2023-02-16 10:55:50 +01:00
Trong Huu Nguyen
3274cc5c65 refactor: move redirect package into url, clean up naming 2023-02-16 09:24:39 +01:00
Trong Huu Nguyen
2c5d964983 refactor(handler/reverseproxy): reduce log severity for cookie decrypt failures 2023-02-15 08:43:25 +01:00
Trong Huu Nguyen
0537c8172f feat(session): use tickets for per-session data encryption 
Replace the usage of a single application-wide session crypter
with per-session crypters.

The application is no longer able to decrypt any session
encrypted with its symmetric key alone. Instead, a session ticket
with its associated data encryption key (DEK) is also required in order
to decrypt the associated session data. The ticket itself is
encrypted with the application's crypter; the latter of which is
effectively a key-encryption key (KEK).

Fixes #49.
 2023-02-14 21:50:19 +01:00
Trong Huu Nguyen
d17feacc34 refactor(handler/autologin): use sync.Map for cache 2023-02-14 14:20:46 +01:00
Trong Huu Nguyen
ce2698f2bb refactor(cookie): use rawurlencoding for base64 2023-02-13 20:15:12 +01:00
Trong Huu Nguyen
66dec32de0 feat(sso/proxy): implement handlers for session routes 2023-02-10 14:58:19 +01:00
Trong Huu Nguyen
ea0756784d refactor(handler/reverseproxy): use ReverseProxy.Rewrite instead of Director 2023-02-10 14:58:17 +01:00
Trong Huu Nguyen
473e4a95a7 refactor: remove loginstatus 
Loginstatus is no longer needed with the SSO setup.
Fixes #50.
 2023-02-10 14:58:17 +01:00
Trong Huu Nguyen
c8f148d892 refactor(handler/error): remove custom redirect 
Reduce the risk of exposing oauth query parameters in "dirty dancing" attacks.
 2023-02-10 14:58:14 +01:00
Trong Huu Nguyen
42dcba8367 refactor: replace relative canonical redirect with handler 
This also ensure that we clean any urls that may stem from user input (e.g.
url parameter or login cookie) before performing redirects.
 2023-02-10 14:58:14 +01:00
Trong Huu Nguyen
5f74ee08bc refactor(url): extract utility functions 2023-02-10 14:58:12 +01:00
Trong Huu Nguyen
d13525f8a2 fix(handler/error): correct retry url for local logout 2023-02-10 14:58:12 +01:00
Trong Huu Nguyen
0e73c9b4d8 refactor(mock): configure relying party ingress before server start 2023-02-10 14:58:11 +01:00
Trong Huu Nguyen
1fdbe75c9e feat(sso/proxy): implement login handler 2023-02-10 14:58:11 +01:00
Trong Huu Nguyen
c3c0c01926 feat(sso): partially implement handlers 2023-02-10 14:58:09 +01:00