github/wonderwall
1
0
Fork 0
mirror of https://github.com/nais/wonderwall.git synced 2026-05-07 17:06:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
952 Commits 2 Branches 0 Tags
b2cf17a39fdc2cd0dfd063af5ef3044e644e7483
Commit Graph

195 Commits

Author SHA1 Message Date
Trong Huu Nguyen
b7b43e9793 refactor(openid): remove more indirection layers 2024-11-05 21:58:38 +01:00
Trong Huu Nguyen
d2e01b2ead refactor: consolidate cookie config, correct documentation 2024-11-05 21:24:25 +01:00
Trong Huu Nguyen
bfb4929dc7 feat: allow disabling secure cookies for localhost 
This is geerally only necessary when using Safari.
Most other browsers respect the Secure attribute when using localhost.
 2024-11-05 21:14:14 +01:00
Trong Huu Nguyen
db060a4caf feat(handler): do not automatically retry token redemption failures 2024-11-05 19:57:48 +01:00
Trong Huu Nguyen
7c2d6d3f71 feat(templates): clean up error page after feedback 2024-10-16 12:46:29 +02:00
Trong Huu Nguyen
a4b832839c feat(templates): make error page more generic and responsive 
Co-authored-by: Morten Lied Johansen <morten.lied.johansen@nav.no>
 2024-10-09 08:58:36 +02:00
Trong Huu Nguyen
d6b57a6b7d refactor(handler/sso/proxy): correct variable name 2024-09-11 09:27:13 +02:00
Trong Huu Nguyen
9e78ba78be fix(handler/sso/proxy): avoid duplicate headers when proxying to server 2024-09-03 12:08:38 +02:00
Trong Huu Nguyen
155ebc745b docs: clarify forwarded headers 2024-08-23 13:56:21 +02:00
Trong Huu Nguyen
57376643ba build: go 1.23 2024-08-23 13:56:19 +02:00
Trong Huu Nguyen
3876820aee refactor(retry): use DoValue 2024-08-23 13:55:51 +02:00
Trong Huu Nguyen
16ccb3a6be feat(config): add explicit toggle for legacy cookies 2024-06-26 12:20:05 +02:00
Trong Huu Nguyen
584f58bb6d refactor(retry): use functional opts, proxy to external lib 2024-05-08 08:39:43 +02:00
Trong Huu Nguyen
fc1454fcbb feat(config) support samesite cookie attribute 2024-04-24 14:47:18 +02:00
Trong Huu Nguyen
10e71a7bb5 feat(handler/reverseproxy): remove x-wonderwall headers 
The use of these headers in upstreams may be risky, espeically
if Wonderwall is accidentally misconfigured or disabled, or requests
are performed directly to the upstream circumventing Wonderwall.

We should prefer using a signed token or similar that can be verified by
the upstreams.
 2024-01-16 08:57:07 +01:00
Trong Huu Nguyen
40497da1b9 feat(handler/reverseproxy): filter relevant access requests 2023-12-20 15:41:29 +01:00
Trong Huu Nguyen
41f4354ce4 revert: "feat(handler/error): remove automatic retry" 
This reverts commit 083cb54df7.
 2023-12-20 11:17:51 +01:00
Trong Huu Nguyen
e71e4a2fda feat(handler/reverseproxy): add toggle for access logs 2023-12-20 08:25:35 +01:00
Trong Huu Nguyen
55839d72f0 feat(handler/login): log existing sid on prompt 2023-12-19 12:19:39 +01:00
Trong Huu Nguyen
50e53330b9 feat(handler/reverseproxy): remove unnecessary log fields 2023-12-19 12:05:01 +01:00
Trong Huu Nguyen
f82c8a7078 feat(handler/login): drop logging sub claim 2023-12-19 11:04:03 +01:00
Trong Huu Nguyen
9c2d1cb520 feat(cookie): remove expiry options 
Always create session cookies instead of
persistent cookies with expiry.
 2023-12-19 08:46:08 +01:00
Trong Huu Nguyen
e00832016b feat(handler/login): remove legacy cookie 
We don't really need to set an additional cookie without SameSite
as we now use SameSite=Lax for the login cookie.
 2023-12-19 08:46:08 +01:00
Trong Huu Nguyen
083cb54df7 feat(handler/error): remove automatic retry 2023-12-19 08:46:06 +01:00
Trong Huu Nguyen
273eb3604a feat(cookie): use samesite lax instead of none for callback 2023-12-19 08:46:03 +01:00
Trong Huu Nguyen
c3904433f2 feat: log and propagate session metadata 
- stop using jti, use sid instead
- store amr and auth_time from id_token in session
- log more metadata on login callback
- log session id where possible
- propagate acr, amr, auth_time, sid to upstreams in headers
- log authenticated reverseproxy requests
 2023-12-19 08:46:02 +01:00
Trong Huu Nguyen
a10da5d0d7 feat(handler/login): add support for prompt param in login 2023-12-19 08:46:01 +01:00
Trong Huu Nguyen
8f3c5cde88 fix(handler/error): redirect callbacks to initial handlers, retry others as-is 2023-12-19 08:45:57 +01:00
Trong Huu Nguyen
de78193361 chore(handler): remove temporary amr-based redirect 2023-11-24 16:52:15 +01:00
J-K. Solbakken
d28579028e removed unused variable 2023-11-23 08:56:52 +01:00
J-K. Solbakken
38b9891caf use otelchi middleware for http tracing 2023-11-23 08:53:36 +01:00
J-K. Solbakken
23268c6762 starting simple 2023-11-21 08:47:42 +01:00
Trong Huu Nguyen
2f351a1388 feat(handler/callback): redirect minid passport users to separate landing page 2023-11-06 11:45:15 +01:00
Trong Huu Nguyen
e3022c7923 feat(handler/session): reduce logging level for not found errors 2023-11-02 08:33:09 +01:00
Trong Huu Nguyen
305ab1786d fix(reverseproxy/autologin): handle multiple accept headers 2023-10-16 12:01:15 +02:00
Trong Huu Nguyen
c363bea556 test(reverseproxy): extract common assertions 2023-10-12 09:18:51 +02:00
Trong Huu Nguyen
f246fc7975 refactor(openid): move acr to own package 2023-10-11 14:25:12 +02:00
Trong Huu Nguyen
7e97fd7a93 revert: "style: go fmt" 
This wasn't actually formatting.

This reverts commit d71ff7ddc3.
 2023-10-10 14:51:12 +02:00
Trong Huu Nguyen
d71ff7ddc3 style: go fmt 2023-10-10 13:41:28 +02:00
Trong Huu Nguyen
af6642fe90 refactor(openid): use pkce implementation from golang.org/x/oauth2 2023-10-10 10:18:01 +02:00
Trong Huu Nguyen
a2e939f716 fix(handler/sessionrefresh): handle not found error 2023-10-04 10:06:03 +02:00
Trong Huu Nguyen
c1bdb90566 feat(handler/reverseproxy): don't return json response after all 
Expose fewer interfaces; less maintenance and documentation needed.
 2023-10-04 10:01:03 +02:00
Trong Huu Nguyen
2e21dae33a feat(handler/reverseproxy): return json response for non-navigational autologin requests 2023-10-03 14:21:09 +02:00
Trong Huu Nguyen
7a72586ca8 refactor(autologin): return early if fetch metadata is set 2023-09-25 15:07:11 +02:00
Trong Huu Nguyen
61a641c8d7 fix(url): only add redirect query parameter if non-empty 2023-09-25 14:14:28 +02:00
Trong Huu Nguyen
337723150b fix(reverseproxy/autologin): skip cleaning redirect target 2023-09-25 14:13:15 +02:00
Trong Huu Nguyen
34d90d2c78 fix(autologin): do not return ambiguous 3xx redirect 
If autologin is enabled, check for headers that indicate that the request is a navigation request
and respond appropriately.

A navigation request is assumed to match all of the following:

- uses the GET HTTP method
- either:
  - a) sends the fetch metadata headers, specifically
    `Sec-Fetch-Mode=navigate` and `Sec-Fetch-Dest=document`, or (if
    unsupported by the browser)
  - b) sends the `Accept` header with a value that contains
    `text/html` (which most browsers do by default for navigation
    requests, the exception being IE8 AFAIK)

Non-navigation requests (e.g. fetch / xhr / ajax requests) will receive a
401 Unauthorized, with the Location header set to the login endpoint.
The redirect parameter is also set to point back to the URL found in the
Referer header (though with the scheme and host removed to only allow
redirects relative to the origin host.)

With this fix, autologin will also intercept requests other than GET.
This is to improve the security posture of upstreams that assume that autologin
enforces authentication for all methods.

Fixes #156.
 2023-09-22 14:51:35 +02:00
Trong Huu Nguyen
c4911b1344 feat(session): add feature toggle for automatic refreshing 2023-09-15 09:08:42 +02:00
Trong Huu Nguyen
c887cf711e fix(handler/sso/server): wildcard redirects to default url 2023-09-06 12:15:30 +02:00
Trong Huu Nguyen
75567f3016 refactor(handler): split up logout and local logout handlers 2023-07-20 12:01:21 +02:00