github/wonderwall
1
0
Fork 0
mirror of https://github.com/nais/wonderwall.git synced 2026-05-07 00:46:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
681 Commits 2 Branches 0 Tags
b910d3e65a2ca9cda686a8999fd25dd79fccfdf8
Commit Graph

478 Commits

Author SHA1 Message Date
Trong Huu Nguyen
b910d3e65a feat(config): redis username and password flags overrides uri 2023-10-12 08:21:34 +02:00
Trong Huu Nguyen
f246fc7975 refactor(openid): move acr to own package 2023-10-11 14:25:12 +02:00
Trong Huu Nguyen
320176d48b refactor(config): consolidate, don't parse/bind/load flags twice 2023-10-11 14:24:19 +02:00
Trong Huu Nguyen
6dbc747aad feat(config): enable refresh tokens and automatic refreshing by default, increase default session lifetime 2023-10-11 14:16:53 +02:00
Trong Huu Nguyen
7e97fd7a93 revert: "style: go fmt" 
This wasn't actually formatting.

This reverts commit d71ff7ddc3.
 2023-10-10 14:51:12 +02:00
Trong Huu Nguyen
8bbd947d5b feat(config): add support for Redis URI 2023-10-10 14:48:50 +02:00
Trong Huu Nguyen
d71ff7ddc3 style: go fmt 2023-10-10 13:41:28 +02:00
Trong Huu Nguyen
af6642fe90 refactor(openid): use pkce implementation from golang.org/x/oauth2 2023-10-10 10:18:01 +02:00
Trong Huu Nguyen
a2e939f716 fix(handler/sessionrefresh): handle not found error 2023-10-04 10:06:03 +02:00
Trong Huu Nguyen
c1bdb90566 feat(handler/reverseproxy): don't return json response after all 
Expose fewer interfaces; less maintenance and documentation needed.
 2023-10-04 10:01:03 +02:00
Trong Huu Nguyen
91cd58d18b docs: update sections on autologin and sessions 2023-10-03 14:21:09 +02:00
Trong Huu Nguyen
2e21dae33a feat(handler/reverseproxy): return json response for non-navigational autologin requests 2023-10-03 14:21:09 +02:00
Trong Huu Nguyen
52331a93db refactor(ingress): simplify and remove unnecessary variables 2023-10-03 14:21:08 +02:00
Trong Huu Nguyen
7a72586ca8 refactor(autologin): return early if fetch metadata is set 2023-09-25 15:07:11 +02:00
Trong Huu Nguyen
61a641c8d7 fix(url): only add redirect query parameter if non-empty 2023-09-25 14:14:28 +02:00
Trong Huu Nguyen
337723150b fix(reverseproxy/autologin): skip cleaning redirect target 2023-09-25 14:13:15 +02:00
Trong Huu Nguyen
34d90d2c78 fix(autologin): do not return ambiguous 3xx redirect 
If autologin is enabled, check for headers that indicate that the request is a navigation request
and respond appropriately.

A navigation request is assumed to match all of the following:

- uses the GET HTTP method
- either:
  - a) sends the fetch metadata headers, specifically
    `Sec-Fetch-Mode=navigate` and `Sec-Fetch-Dest=document`, or (if
    unsupported by the browser)
  - b) sends the `Accept` header with a value that contains
    `text/html` (which most browsers do by default for navigation
    requests, the exception being IE8 AFAIK)

Non-navigation requests (e.g. fetch / xhr / ajax requests) will receive a
401 Unauthorized, with the Location header set to the login endpoint.
The redirect parameter is also set to point back to the URL found in the
Referer header (though with the scheme and host removed to only allow
redirects relative to the origin host.)

With this fix, autologin will also intercept requests other than GET.
This is to improve the security posture of upstreams that assume that autologin
enforces authentication for all methods.

Fixes #156.
 2023-09-22 14:51:35 +02:00
Trong Huu Nguyen
c4911b1344 feat(session): add feature toggle for automatic refreshing 2023-09-15 09:08:42 +02:00
Trong Huu Nguyen
4a72a01496 feat(server): support wait before triggering graceful shutdown 2023-09-06 15:23:11 +02:00
Trong Huu Nguyen
c887cf711e fix(handler/sso/server): wildcard redirects to default url 2023-09-06 12:15:30 +02:00
Trong Huu Nguyen
80d1415fbc fix(logentry): reduce log level for response entries 2023-09-06 12:15:27 +02:00
Trong Huu Nguyen
7029bd1210 fix(router): correct cors setup for session routes 2023-08-22 07:46:24 +02:00
Trong Huu Nguyen
7987ad767e feat(config): allow specifying upstream ip and port separately 2023-08-17 08:41:53 +02:00
Trong Huu Nguyen
185701d53b refactor(openid): clean up tests 2023-08-16 12:18:58 +02:00
Trong Huu Nguyen
e7799204b2 feat(openid): harden id_token validation 2023-08-15 21:30:41 +02:00
Trong Huu Nguyen
75567f3016 refactor(handler): split up logout and local logout handlers 2023-07-20 12:01:21 +02:00
Trong Huu Nguyen
1e485aa0f8 refactor(url): embed validator instead of using proxy struct 2023-07-20 11:54:05 +02:00
Trong Huu Nguyen
d0c5e91c45 refactor(url): remove unused field for relative validator 2023-07-20 10:52:47 +02:00
Trong Huu Nguyen
cf3a445656 fix(url/redirect): fallback url must be absolute 2023-07-13 12:45:35 +02:00
Trong Huu Nguyen
c44fb9889b fix(url/redirect): ensure fragments are preserved 2023-07-13 12:34:47 +02:00
Trong Huu Nguyen
2925ebe9e4 fix(handler/session): return metadata response even if session is inactive 2023-06-09 13:52:36 +02:00
Trong Huu Nguyen
9852b0a290 fix(handler/logout): ignore session validation errors; attempt to delete regardless 2023-06-09 13:52:35 +02:00
Trong Huu Nguyen
2a8d410425 feat(session/reader): return session on validation error 2023-06-09 13:52:35 +02:00
Trong Huu Nguyen
cbfa3fe2e2 refactor(session): extract inactive session error 2023-06-09 13:52:33 +02:00
Trong Huu Nguyen
46852be025 feat(openid): prepare acr mappings for migration to new idporten 2023-05-25 15:54:29 +02:00
Trong Huu Nguyen
021e7551f4 fix(crypto): set max plaintext size 2023-05-24 12:32:52 +02:00
Trong Huu Nguyen
b28c91c94c perf(all): use single Transport, set IdleConnTimeout 
Reduces IdleConnTimeout to 5 seconds. Reverse proxying to a server that
has a shorter keep-alive may cause "EOF" and "connection reset by peer"
issues as the connections may be closed by the upstream before our
client notices.
 2023-05-16 08:36:45 +02:00
Trong Huu Nguyen
97f0d078bf feat(handler): validate acr if configured, change auth status if invalid 2023-05-12 08:47:27 +02:00
Trong Huu Nguyen
390cd78e9f feat(handler): set legacy cookie for sso server 2023-05-12 08:47:26 +02:00
Trong Huu Nguyen
5c96d5a0fd feat(all): reduce log level for some spammy statements 2023-05-08 10:56:07 +02:00
Trong Huu Nguyen
350d7ff780 feat(cookie): allow configuration of name prefix 
This is to alleviate issues with deployments on different
subdomains using overlapping cookie names where browsers
behave unpredictably.
 2023-05-08 10:23:27 +02:00
Trong Huu Nguyen
0c531d9ec1 perf: increase max idle connections for http clients 2023-05-04 14:45:45 +02:00
Trong Huu Nguyen
6151aa3279 feat(openid, handler): support runtime override of redirect after single-logout 
Fixes #100.
 2023-05-04 14:45:13 +02:00
Trong Huu Nguyen
b0bb1aa8ea feat(url): add logout url constructor 2023-05-03 09:07:03 +02:00
Trong Huu Nguyen
6ebc95a8e0 feat: add logout cookie 2023-05-03 09:05:42 +02:00
Trong Huu Nguyen
d7d5f00554 chore(url): remove unused field from struct 2023-05-03 09:04:07 +02:00
Trong Huu Nguyen
00432bcfd6 fix(url/validator): return early if allowed domain is empty 2023-05-03 08:38:12 +02:00
Trong Huu Nguyen
59b2dd1d66 fix(handler/reverseproxy): only trigger acr step up for non-ignored autologin paths 2023-05-02 08:53:51 +02:00
Trong Huu Nguyen
feb27414a5 refactor(handler/acr): only enable if autologin is also enabled 2023-04-29 13:56:13 +02:00
Trong Huu Nguyen
3a239a95c3 feat(reverseproxy): validate acr and redirect if applicable 2023-04-29 11:54:53 +02:00