github/wonderwall
1
0
Fork 0
mirror of https://github.com/nais/wonderwall.git synced 2026-05-06 16:36:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
848 Commits 2 Branches 0 Tags
16ccb3a6be06673fddf1da3fbac809bffb7a3fd2
Commit Graph

184 Commits

Author SHA1 Message Date
Trong Huu Nguyen
16ccb3a6be feat(config): add explicit toggle for legacy cookies 2024-06-26 12:20:05 +02:00
Trong Huu Nguyen
584f58bb6d refactor(retry): use functional opts, proxy to external lib 2024-05-08 08:39:43 +02:00
Trong Huu Nguyen
fc1454fcbb feat(config) support samesite cookie attribute 2024-04-24 14:47:18 +02:00
Trong Huu Nguyen
10e71a7bb5 feat(handler/reverseproxy): remove x-wonderwall headers 
The use of these headers in upstreams may be risky, espeically
if Wonderwall is accidentally misconfigured or disabled, or requests
are performed directly to the upstream circumventing Wonderwall.

We should prefer using a signed token or similar that can be verified by
the upstreams.
 2024-01-16 08:57:07 +01:00
Trong Huu Nguyen
40497da1b9 feat(handler/reverseproxy): filter relevant access requests 2023-12-20 15:41:29 +01:00
Trong Huu Nguyen
41f4354ce4 revert: "feat(handler/error): remove automatic retry" 
This reverts commit 083cb54df7.
 2023-12-20 11:17:51 +01:00
Trong Huu Nguyen
e71e4a2fda feat(handler/reverseproxy): add toggle for access logs 2023-12-20 08:25:35 +01:00
Trong Huu Nguyen
55839d72f0 feat(handler/login): log existing sid on prompt 2023-12-19 12:19:39 +01:00
Trong Huu Nguyen
50e53330b9 feat(handler/reverseproxy): remove unnecessary log fields 2023-12-19 12:05:01 +01:00
Trong Huu Nguyen
f82c8a7078 feat(handler/login): drop logging sub claim 2023-12-19 11:04:03 +01:00
Trong Huu Nguyen
9c2d1cb520 feat(cookie): remove expiry options 
Always create session cookies instead of
persistent cookies with expiry.
 2023-12-19 08:46:08 +01:00
Trong Huu Nguyen
e00832016b feat(handler/login): remove legacy cookie 
We don't really need to set an additional cookie without SameSite
as we now use SameSite=Lax for the login cookie.
 2023-12-19 08:46:08 +01:00
Trong Huu Nguyen
083cb54df7 feat(handler/error): remove automatic retry 2023-12-19 08:46:06 +01:00
Trong Huu Nguyen
273eb3604a feat(cookie): use samesite lax instead of none for callback 2023-12-19 08:46:03 +01:00
Trong Huu Nguyen
c3904433f2 feat: log and propagate session metadata 
- stop using jti, use sid instead
- store amr and auth_time from id_token in session
- log more metadata on login callback
- log session id where possible
- propagate acr, amr, auth_time, sid to upstreams in headers
- log authenticated reverseproxy requests
 2023-12-19 08:46:02 +01:00
Trong Huu Nguyen
a10da5d0d7 feat(handler/login): add support for prompt param in login 2023-12-19 08:46:01 +01:00
Trong Huu Nguyen
8f3c5cde88 fix(handler/error): redirect callbacks to initial handlers, retry others as-is 2023-12-19 08:45:57 +01:00
Trong Huu Nguyen
de78193361 chore(handler): remove temporary amr-based redirect 2023-11-24 16:52:15 +01:00
J-K. Solbakken
d28579028e removed unused variable 2023-11-23 08:56:52 +01:00
J-K. Solbakken
38b9891caf use otelchi middleware for http tracing 2023-11-23 08:53:36 +01:00
J-K. Solbakken
23268c6762 starting simple 2023-11-21 08:47:42 +01:00
Trong Huu Nguyen
2f351a1388 feat(handler/callback): redirect minid passport users to separate landing page 2023-11-06 11:45:15 +01:00
Trong Huu Nguyen
e3022c7923 feat(handler/session): reduce logging level for not found errors 2023-11-02 08:33:09 +01:00
Trong Huu Nguyen
305ab1786d fix(reverseproxy/autologin): handle multiple accept headers 2023-10-16 12:01:15 +02:00
Trong Huu Nguyen
c363bea556 test(reverseproxy): extract common assertions 2023-10-12 09:18:51 +02:00
Trong Huu Nguyen
f246fc7975 refactor(openid): move acr to own package 2023-10-11 14:25:12 +02:00
Trong Huu Nguyen
7e97fd7a93 revert: "style: go fmt" 
This wasn't actually formatting.

This reverts commit d71ff7ddc3.
 2023-10-10 14:51:12 +02:00
Trong Huu Nguyen
d71ff7ddc3 style: go fmt 2023-10-10 13:41:28 +02:00
Trong Huu Nguyen
af6642fe90 refactor(openid): use pkce implementation from golang.org/x/oauth2 2023-10-10 10:18:01 +02:00
Trong Huu Nguyen
a2e939f716 fix(handler/sessionrefresh): handle not found error 2023-10-04 10:06:03 +02:00
Trong Huu Nguyen
c1bdb90566 feat(handler/reverseproxy): don't return json response after all 
Expose fewer interfaces; less maintenance and documentation needed.
 2023-10-04 10:01:03 +02:00
Trong Huu Nguyen
2e21dae33a feat(handler/reverseproxy): return json response for non-navigational autologin requests 2023-10-03 14:21:09 +02:00
Trong Huu Nguyen
7a72586ca8 refactor(autologin): return early if fetch metadata is set 2023-09-25 15:07:11 +02:00
Trong Huu Nguyen
61a641c8d7 fix(url): only add redirect query parameter if non-empty 2023-09-25 14:14:28 +02:00
Trong Huu Nguyen
337723150b fix(reverseproxy/autologin): skip cleaning redirect target 2023-09-25 14:13:15 +02:00
Trong Huu Nguyen
34d90d2c78 fix(autologin): do not return ambiguous 3xx redirect 
If autologin is enabled, check for headers that indicate that the request is a navigation request
and respond appropriately.

A navigation request is assumed to match all of the following:

- uses the GET HTTP method
- either:
  - a) sends the fetch metadata headers, specifically
    `Sec-Fetch-Mode=navigate` and `Sec-Fetch-Dest=document`, or (if
    unsupported by the browser)
  - b) sends the `Accept` header with a value that contains
    `text/html` (which most browsers do by default for navigation
    requests, the exception being IE8 AFAIK)

Non-navigation requests (e.g. fetch / xhr / ajax requests) will receive a
401 Unauthorized, with the Location header set to the login endpoint.
The redirect parameter is also set to point back to the URL found in the
Referer header (though with the scheme and host removed to only allow
redirects relative to the origin host.)

With this fix, autologin will also intercept requests other than GET.
This is to improve the security posture of upstreams that assume that autologin
enforces authentication for all methods.

Fixes #156.
 2023-09-22 14:51:35 +02:00
Trong Huu Nguyen
c4911b1344 feat(session): add feature toggle for automatic refreshing 2023-09-15 09:08:42 +02:00
Trong Huu Nguyen
c887cf711e fix(handler/sso/server): wildcard redirects to default url 2023-09-06 12:15:30 +02:00
Trong Huu Nguyen
75567f3016 refactor(handler): split up logout and local logout handlers 2023-07-20 12:01:21 +02:00
Trong Huu Nguyen
1e485aa0f8 refactor(url): embed validator instead of using proxy struct 2023-07-20 11:54:05 +02:00
Trong Huu Nguyen
d0c5e91c45 refactor(url): remove unused field for relative validator 2023-07-20 10:52:47 +02:00
Trong Huu Nguyen
2925ebe9e4 fix(handler/session): return metadata response even if session is inactive 2023-06-09 13:52:36 +02:00
Trong Huu Nguyen
9852b0a290 fix(handler/logout): ignore session validation errors; attempt to delete regardless 2023-06-09 13:52:35 +02:00
Trong Huu Nguyen
b28c91c94c perf(all): use single Transport, set IdleConnTimeout 
Reduces IdleConnTimeout to 5 seconds. Reverse proxying to a server that
has a shorter keep-alive may cause "EOF" and "connection reset by peer"
issues as the connections may be closed by the upstream before our
client notices.
 2023-05-16 08:36:45 +02:00
Trong Huu Nguyen
97f0d078bf feat(handler): validate acr if configured, change auth status if invalid 2023-05-12 08:47:27 +02:00
Trong Huu Nguyen
390cd78e9f feat(handler): set legacy cookie for sso server 2023-05-12 08:47:26 +02:00
Trong Huu Nguyen
5c96d5a0fd feat(all): reduce log level for some spammy statements 2023-05-08 10:56:07 +02:00
Trong Huu Nguyen
350d7ff780 feat(cookie): allow configuration of name prefix 
This is to alleviate issues with deployments on different
subdomains using overlapping cookie names where browsers
behave unpredictably.
 2023-05-08 10:23:27 +02:00
Trong Huu Nguyen
0c531d9ec1 perf: increase max idle connections for http clients 2023-05-04 14:45:45 +02:00
Trong Huu Nguyen
6151aa3279 feat(openid, handler): support runtime override of redirect after single-logout 
Fixes #100.
 2023-05-04 14:45:13 +02:00