Trong Huu Nguyen
a4ceaeaacc
feat(handler/autologin): add favicon.ico and robots.txt to default ignorelist
2022-09-09 13:09:36 +02:00
Trong Huu Nguyen
7f93c62604
fix(openid/client): handle missing redirect uri for callbacks
2022-09-09 12:31:17 +02:00
Trong Huu Nguyen
27d2bc2c26
fix(session/handler): log errors for lock release failures
2022-09-09 10:19:22 +02:00
Trong Huu Nguyen
69ebd9270f
refactor(handler/reverseproxy): improve log messages
2022-09-09 10:18:39 +02:00
Trong Huu Nguyen
84d521e968
feat(reverseproxy): configure errorlog to use logrus implementation
2022-09-06 15:34:32 +02:00
Trong Huu Nguyen
00b39276df
debug(handler/reverseproxy): log proxy errors
2022-09-06 08:46:41 +02:00
Trong Huu Nguyen
3f24537b36
fix(openid/client): set iat for assertion in the past to alleviate clock skew
2022-09-06 08:46:35 +02:00
Trong Huu Nguyen
b22c130e60
fix(session/handler): invalidate session state if refresh attempt is a client error
...
A client error response for the refresh grant is assumed to be an
irrecoverable error; e.g. the refresh token is invalid, the
authorization is invalid, user is logged out, etc. In such cases we will
consider the session state to be invalid, and a new authorization grant
should be performed.
2022-09-04 17:15:40 +02:00
Trong Huu Nguyen
c0138f4b49
feat(session): use locks for refreshing
...
One of the changes in OAuth 2.1 addresses attacks with refresh token
replays by recommending the use of one-time use tokens. A refresh token
is thus rotated and invalid after exactly one use, returning a new token
for each successful grant. Any further attempts must thus use the most
recently acquired refresh token. Reusing a refresh token may also
cause the authorization server to invalidate the current active refresh
token, requiring a refresh authorization grant to be reacquired for
further refresh token usage.
The use of locks prevents multiple refresh grant attempts for a given
session from happening across concurrent requests.
2022-09-04 17:14:35 +02:00
Trong Huu Nguyen
989aa1e998
refactor(middleware/logentry): add fields to default logger
2022-09-03 20:05:28 +02:00
Trong Huu Nguyen
c78674e54a
fix(session/store): check for existence before update
2022-09-03 16:48:37 +02:00
Trong Huu Nguyen
2a80bd7765
refactor(mock/openid): use interface for handler
2022-09-02 18:43:59 +02:00
Trong Huu Nguyen
08eefbf1d5
refactor(openid): clean up client and provider
2022-09-02 18:08:36 +02:00
Trong Huu Nguyen
92ee6313c5
refactor: remove unnecessary interfaces
2022-09-02 17:39:27 +02:00
Trong Huu Nguyen
c8f48335d4
refactor(openid/config): extract getter for ingresses
2022-09-02 15:17:36 +02:00
Trong Huu Nguyen
9144056e28
refactor(handler): split up request handlers into separate modules
2022-09-02 14:53:11 +02:00
Trong Huu Nguyen
5d00d132dd
refactor: decouple handler implementation from router and middleware
2022-09-01 19:39:47 +02:00
Trong Huu Nguyen
d9cc60c4cc
refactor: move autologin to handler pkg
2022-09-01 19:35:58 +02:00
Trong Huu Nguyen
619ae52d45
refactor: separate refresh-specific fields from session info; enable endpoint without refresh feature
2022-09-01 19:35:48 +02:00
Trong Huu Nguyen
cdba90bc5b
test(session/data): add missing tests
2022-08-29 14:48:39 +02:00
Trong Huu Nguyen
af48778bf7
fix(session/handler): lock metadata operations behind feature gate until rollout
2022-08-29 10:00:43 +02:00
Trong Huu Nguyen
cdd07838f4
refactor(session/data): separate into object groups
2022-08-29 08:35:03 +02:00
Trong Huu Nguyen
1d9339e139
refactor(session/handler): extract predicates for readability
2022-08-26 18:09:40 +02:00
Trong Huu Nguyen
5ec969981d
fix(session/handler): ensure access token is not expired before proxying
2022-08-26 17:58:39 +02:00
Trong Huu Nguyen
d5bbca9897
feat: rudimentary support for refresh tokens
2022-08-26 14:32:39 +02:00
Trong Huu Nguyen
dc0741f79f
refactor(middleware): extract handlers for consistency
2022-08-26 08:34:07 +02:00
Trong Huu Nguyen
4d7502a4be
refactor(middleware/logentry): strip query and fragment from referer logs
2022-08-25 22:31:01 +02:00
Trong Huu Nguyen
cafebabea5
fix(openid/client): set redirect_uri param when redeeming auth code
2022-08-23 08:27:34 +02:00
Trong Huu Nguyen
c29501d964
refactor(handler): add utility method for path-aware cookie options
2022-08-19 12:09:21 +02:00
Trong Huu Nguyen
08f570363a
refactor(openid): extract magic strings
2022-08-19 11:44:38 +02:00
Trong Huu Nguyen
5990e4bb71
refactor(session): extract session handler
2022-08-19 11:44:13 +02:00
Trong Huu Nguyen
c15e00469b
refactor: clean up session error handling
2022-08-18 21:35:15 +02:00
Trong Huu Nguyen
ae8028cc96
refactor: remove cookie session fallback store
...
The implementation is error-prone and difficult to maintain.
We instead just assume that the backing session store is highly
available.
2022-08-17 20:44:07 +02:00
Trong Huu Nguyen
5a50ba7c3a
feat: support multiple ingresses
...
Replace hardcoded callback URLs with dynamic generation
of URLs based on incoming requests. These are validated against
a pre-registered list of ingresses for which Wonderwall is considered
authoritative.
We also preserve the cookie behaviour; the most specific ingress path
and domain is used for the cookies.
The `url` package has been moved to the `handler` package, and its
implementation refactored slightly for readability and DRY.
2022-08-17 20:43:56 +02:00
Trong Huu Nguyen
41a10d8fe7
refactor: replace deprecated ioutil method and magic string
2022-08-17 11:39:43 +02:00
Trong Huu Nguyen
5f6c0c01a8
feat: add ingress middleware
2022-08-17 11:39:41 +02:00
Trong Huu Nguyen
a9e9644764
refactor: move context utils to middleware
2022-08-17 11:39:40 +02:00
Trong Huu Nguyen
a088ddd2d0
feat: add ingress package
2022-08-17 11:39:38 +02:00
Trong Huu Nguyen
e460a5eab2
fix(handler/reverseproxy): do not overwrite host header
2022-08-17 11:39:17 +02:00
Trong Huu Nguyen
51075ad9ed
refactor(middleware/logentry): remove httplog dependency
2022-08-11 09:54:23 +02:00
Trong Huu Nguyen
cbc49de826
refactor(handler/default): clean up access token getter
2022-08-11 09:31:27 +02:00
Trong Huu Nguyen
13fd194318
refactor(handler/default): extract reverseproxy to avoid unnecessary instantiation
2022-08-11 09:31:10 +02:00
Trong Huu Nguyen
ac45aec044
fix(autologin): filter out empty and duplicate patterns
2022-07-21 17:44:13 +02:00
Trong Huu Nguyen
4646c36b74
refactor(autologin): skip -> ignore
2022-07-21 12:50:55 +02:00
Trong Huu Nguyen
d79f31c18d
refactor(autologin): use glob-style matching instead of regex
...
Regexes are powerful, but completely overkill and error-prone for this
use-case. So instead, we'll use path.Match with its simpler glob-style
patterns.
2022-07-21 12:01:30 +02:00
Trong Huu Nguyen
31ab8ad3b7
refactor(handler/default): redirect auto-login requests instead of inlining login handler
2022-07-21 08:21:28 +02:00
Trong Huu Nguyen
27ea0793ba
refactor(handler): reduce logging severity for spammy statements
2022-07-21 07:49:58 +02:00
Trong Huu Nguyen
595d902dcd
fix(handler/default): only assert loginstatus if we already have an active session
2022-07-20 15:56:23 +02:00
Trong Huu Nguyen
242dc12be9
refactor(openid/config): remove unused field
2022-07-20 15:25:28 +02:00
Trong Huu Nguyen
b4e6e97448
refactor(metrics): use const label for hpa, ensure provider label is set
2022-07-20 14:50:13 +02:00