Trong Huu Nguyen
4ee771856a
deps: bump em
2022-12-02 13:49:27 +01:00
Trong Huu Nguyen
2f6dc9c779
refactor(session/handler): reduce log severity for lock release, adjust lock duration and timeout
2022-12-02 13:47:59 +01:00
Trong Huu Nguyen
185485a6fe
feat(handler/autologin): use doublestar library for nested path matching
...
Fixes #54 .
2022-11-24 11:36:54 +01:00
Trong Huu Nguyen
e76bb5c369
perf: use automaxprocs to prevent cpu throttling under cgroup quotas
2022-11-24 11:36:54 +01:00
Trong Huu Nguyen
16fa07921f
chore: bump dependencies
2022-11-24 11:36:51 +01:00
Trong Huu Nguyen
e7244df4d5
feat: add local logout endpoint
2022-11-24 11:36:49 +01:00
Hans Kristian Flaatten
30f155a644
Add CodeQL Code Scanning ( #58 )
2022-11-10 09:22:14 +01:00
Trong Huu Nguyen
0b381bbb00
test(session/data): fix flaky expire test
2022-10-17 12:06:03 +02:00
Trong Huu Nguyen
82743f76bb
test(session/data): fix flaky timeout test
2022-10-17 12:00:44 +02:00
Trong Huu Nguyen
002e4ac8ea
feat(handler/error): automatically retry errors before displaying error page
2022-10-11 10:55:14 +02:00
Trong Huu Nguyen
bdec8c662c
refactor(router): correct HTTP verb for session refresh endpoint
...
Since this changes the state for a user's session, a POST is more
appropriate than just a GET - even though the POST body is empty.
We keep the GET route temporarily to allow any consumers to migrate.
2022-10-11 09:22:03 +02:00
Trong Huu Nguyen
b651db40e4
refactor(handler/url): remove support for Referer header
...
The header isn't guaranteed to be set or sent with requests, and all of
our users prefer the `redirect` query parameter anyways.
2022-09-22 13:59:37 +02:00
Trong Huu Nguyen
aaaaaaa38d
feat(session): add session inactivity timeout feature
...
Fixes #52 .
2022-09-22 10:03:17 +02:00
Trong Huu Nguyen
55a5f357d5
chore: remove metadata rollout toggle
2022-09-21 09:41:28 +02:00
Trong Huu Nguyen
843bf5dfcd
refactor(handler/error): rename config variable to match intention
2022-09-21 09:39:57 +02:00
Trong Huu Nguyen
f093fd549e
fix(autologin): ignore trailing slash in request paths during matching
2022-09-21 08:41:13 +02:00
Trong Huu Nguyen
4a0f41e8c2
fix(loginstatus): clear more cookies on logout
2022-09-20 10:06:42 +02:00
Trong Huu Nguyen
f6cf60a013
refactor(handler/reverseproxy): improve log messages
2022-09-20 08:00:57 +02:00
Trong Huu Nguyen
e5a285887c
refactor(handler/url): extract redirect url decoder method
2022-09-19 21:14:22 +02:00
Trong Huu Nguyen
80738f2a4b
fix(handler/url): use base64 encoding for redirects to preserve query parameters
...
Load balancers or reverse proxies may rewrite or modify the Location
header and unescape its value, which would result in redirects not
preserving the original set of query parameters. This was especially
evident for autologins where we need to redirect to `/oauth2/login` with
the `redirect` parameter containing the original requested URL so that
the end-user ultimately ends up at the latter URL.
We avoid this issue by base64-encoding the original URL, before passing
it along as the intended redirect for the login route.
To preserve existing behaviour, we use a separate query parameter
for the `/oauth2/login`-endpoint that accepts and handles base64-encoded
values.
2022-09-19 11:51:30 +02:00
Trong Huu Nguyen
97d2a88bb1
fix(handler/url): ensure that parameters for original url aren't dropped
2022-09-19 08:41:25 +02:00
Trong Huu Nguyen
ed56aac3d0
style: follow conventions for error variable names
2022-09-19 08:41:23 +02:00
Trong Huu Nguyen
b8785b7414
style: use shorthand time functions where possible
2022-09-19 08:41:21 +02:00
Trong Huu Nguyen
d718c36595
style(openid/client): remove unused struct field
2022-09-19 08:41:20 +02:00
Trong Huu Nguyen
d732a5b3cd
test(session/store): add missing assertion
2022-09-19 08:41:18 +02:00
Trong Huu Nguyen
62f0359438
fix(handler/autologin): ensure path has prefix
2022-09-19 08:41:17 +02:00
Trong Huu Nguyen
9af867bf91
chore: bump deps
2022-09-19 08:41:14 +02:00
Trong Huu Nguyen
889e0c8edf
feat(middleware/correlationid): use x-request-id header if found in request
2022-09-19 08:41:14 +02:00
Trong Huu Nguyen
b68877b963
fix(ingress): also use X-Forwarded-Host for match operation
2022-09-19 08:41:09 +02:00
Jan-Kåre Solbakken
5a385622d8
Merge pull request #51 from nais/dependabot/go_modules/github.com/spf13/viper-1.13.0
...
build(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0
2022-09-19 08:33:43 +02:00
Jan-Kåre Solbakken
4fddbaa4df
Merge branch 'master' into dependabot/go_modules/github.com/spf13/viper-1.13.0
2022-09-19 08:11:47 +02:00
dependabot[bot]
2fd76001d8
build(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0
...
Bumps [github.com/spf13/viper](https://github.com/spf13/viper ) from 1.12.0 to 1.13.0.
- [Release notes](https://github.com/spf13/viper/releases )
- [Commits](https://github.com/spf13/viper/compare/v1.12.0...v1.13.0 )
---
updated-dependencies:
- dependency-name: github.com/spf13/viper
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2022-09-12 19:24:24 +00:00
Trong Huu Nguyen
b4eecfc663
fix(handler/autologin): only trigger for GET requests
2022-09-12 12:33:42 +02:00
Trong Huu Nguyen
43c39c89ad
refactor(handler/reverseproxy): skip logging for client context cancellation
2022-09-12 12:32:37 +02:00
Trong Huu Nguyen
fcc6a7472c
fix(handler/autologin): return http 303 for autologin redirects
2022-09-09 14:38:46 +02:00
Trong Huu Nguyen
a4ceaeaacc
feat(handler/autologin): add favicon.ico and robots.txt to default ignorelist
2022-09-09 13:09:36 +02:00
Trong Huu Nguyen
7f93c62604
fix(openid/client): handle missing redirect uri for callbacks
2022-09-09 12:31:17 +02:00
Trong Huu Nguyen
27d2bc2c26
fix(session/handler): log errors for lock release failures
2022-09-09 10:19:22 +02:00
Trong Huu Nguyen
69ebd9270f
refactor(handler/reverseproxy): improve log messages
2022-09-09 10:18:39 +02:00
Trong Huu Nguyen
f830ff575c
docs: clarify session refresh cooldown mechanism
2022-09-08 16:42:11 +02:00
Trong Huu Nguyen
84d521e968
feat(reverseproxy): configure errorlog to use logrus implementation
2022-09-06 15:34:32 +02:00
Trong Huu Nguyen
00b39276df
debug(handler/reverseproxy): log proxy errors
2022-09-06 08:46:41 +02:00
Trong Huu Nguyen
3f24537b36
fix(openid/client): set iat for assertion in the past to alleviate clock skew
2022-09-06 08:46:35 +02:00
Trong Huu Nguyen
b22c130e60
fix(session/handler): invalidate session state if refresh attempt is a client error
...
A client error response for the refresh grant is assumed to be an
irrecoverable error; e.g. the refresh token is invalid, the
authorization is invalid, user is logged out, etc. In such cases we will
consider the session state to be invalid, and a new authorization grant
should be performed.
2022-09-04 17:15:40 +02:00
Trong Huu Nguyen
c0138f4b49
feat(session): use locks for refreshing
...
One of the changes in OAuth 2.1 addresses attacks with refresh token
replays by recommending the use of one-time use tokens. A refresh token
is thus rotated and invalid after exactly one use, returning a new token
for each successful grant. Any further attempts must thus use the most
recently acquired refresh token. Reusing a refresh token may also
cause the authorization server to invalidate the current active refresh
token, requiring a refresh authorization grant to be reacquired for
further refresh token usage.
The use of locks prevents multiple refresh grant attempts for a given
session from happening across concurrent requests.
2022-09-04 17:14:35 +02:00
Trong Huu Nguyen
989aa1e998
refactor(middleware/logentry): add fields to default logger
2022-09-03 20:05:28 +02:00
Trong Huu Nguyen
c78674e54a
fix(session/store): check for existence before update
2022-09-03 16:48:37 +02:00
Trong Huu Nguyen
2a80bd7765
refactor(mock/openid): use interface for handler
2022-09-02 18:43:59 +02:00
Trong Huu Nguyen
08eefbf1d5
refactor(openid): clean up client and provider
2022-09-02 18:08:36 +02:00
Trong Huu Nguyen
92ee6313c5
refactor: remove unnecessary interfaces
2022-09-02 17:39:27 +02:00
