github/wonderwall
1
0
Fork 0
mirror of https://github.com/nais/wonderwall.git synced 2026-05-08 17:37:01 +00:00
Code Issues Packages Projects Releases Wiki Activity
587 Commits 2 Branches 0 Tags
cbfa3fe2e23378ffc382fe8983d0d9d4b97c19dc
Commit Graph

70 Commits

Author SHA1 Message Date
Trong Huu Nguyen
46852be025 feat(openid): prepare acr mappings for migration to new idporten 2023-05-25 15:54:29 +02:00
Trong Huu Nguyen
350d7ff780 feat(cookie): allow configuration of name prefix 
This is to alleviate issues with deployments on different
subdomains using overlapping cookie names where browsers
behave unpredictably.
 2023-05-08 10:23:27 +02:00
Trong Huu Nguyen
2a0c376c4b feat(openid): validate acr in id_token if sent in auth request 2023-04-29 10:27:23 +02:00
Trong Huu Nguyen
9eeb6f5e96 feat(router): root path for sso server should redireect to login 2023-04-13 14:30:21 +02:00
Trong Huu Nguyen
ec4ac2b8e9 fix(redis): set ConnMaxIdleTime, not ConnMaxLifetime 2023-03-29 21:43:11 +02:00
Trong Huu Nguyen
e761810630 feat(redis): allow configuration of idle connection timeout 2023-03-29 09:55:17 +02:00
Trong Huu Nguyen
07cf8e12b3 feat(cookie): support overriding session cookie name 2023-03-01 11:27:26 +01:00
Trong Huu Nguyen
3e93423464 refactor(sso/server): redirect requests for wildcard routes to default URL 2023-02-22 10:19:26 +01:00
Trong Huu Nguyen
9074547163 docs: clarifications for refresh behaviour 2023-02-21 15:32:43 +01:00
Trong Huu Nguyen
925a1c70e7 fix(config): require redis when sso is enabled 2023-02-21 14:54:29 +01:00
Trong Huu Nguyen
473e4a95a7 refactor: remove loginstatus 
Loginstatus is no longer needed with the SSO setup.
Fixes #50.
 2023-02-10 14:58:17 +01:00
Trong Huu Nguyen
c81297c401 build(deps): various bumps, use go-redis v9 2023-02-10 14:58:15 +01:00
Trong Huu Nguyen
c8f148d892 refactor(handler/error): remove custom redirect 
Reduce the risk of exposing oauth query parameters in "dirty dancing" attacks.
 2023-02-10 14:58:14 +01:00
Trong Huu Nguyen
42dcba8367 refactor: replace relative canonical redirect with handler 
This also ensure that we clean any urls that may stem from user input (e.g.
url parameter or login cookie) before performing redirects.
 2023-02-10 14:58:14 +01:00
Trong Huu Nguyen
3d08d0b4b0 feat: initial skeleton setup for SSO mode 2023-02-10 14:57:56 +01:00
Trong Huu Nguyen
185485a6fe feat(handler/autologin): use doublestar library for nested path matching 
Fixes #54.
 2022-11-24 11:36:54 +01:00
Trong Huu Nguyen
aaaaaaa38d feat(session): add session inactivity timeout feature 
Fixes #52.
 2022-09-22 10:03:17 +02:00
Trong Huu Nguyen
55a5f357d5 chore: remove metadata rollout toggle 2022-09-21 09:41:28 +02:00
Trong Huu Nguyen
843bf5dfcd refactor(handler/error): rename config variable to match intention 2022-09-21 09:39:57 +02:00
Trong Huu Nguyen
b4eecfc663 fix(handler/autologin): only trigger for GET requests 2022-09-12 12:33:42 +02:00
Trong Huu Nguyen
af48778bf7 fix(session/handler): lock metadata operations behind feature gate until rollout 2022-08-29 10:00:43 +02:00
Trong Huu Nguyen
d5bbca9897 feat: rudimentary support for refresh tokens 2022-08-26 14:32:39 +02:00
Trong Huu Nguyen
5a50ba7c3a feat: support multiple ingresses 
Replace hardcoded callback URLs with dynamic generation
of URLs based on incoming requests. These are validated against
a pre-registered list of ingresses for which Wonderwall is considered
authorative for.

We also preserve the cookie behaviour; the most specific ingress path
and domain is used for the cookies.

The `url` package has been moved to the `handler` package, and its
implementation refactored slightly for readability and DRY.
 2022-08-17 20:43:56 +02:00
Trong Huu Nguyen
4646c36b74 refactor(autologin): skip -> ignore 2022-07-21 12:50:55 +02:00
Trong Huu Nguyen
d79f31c18d refactor(autologin): use glob-style matching instead of regex 
Regexes are powerful, but completely overkill and error-prone for this
use-case. So instead, we'll use path.Match with its simpler glob-style
patterns.
 2022-07-21 12:01:30 +02:00
Trong Huu Nguyen
13f1713fc2 refactor(config): move loading and setup into init 2022-07-20 11:21:54 +02:00
Trong Huu Nguyen
eac2d5789d refactor: passthrough for consistency in openid configuration 2022-07-20 09:58:49 +02:00
Trong Huu Nguyen
3e62683cad refactor: use pointer receivers when possible 2022-07-19 19:24:28 +02:00
Trong Huu Nguyen
4ab07e9dc2 refactor: clean up logging 2022-07-19 08:39:02 +02:00
Trong Huu Nguyen
ef649e7aaa feat: add allowlisting of paths for autologin 2022-07-17 20:11:55 +02:00
Trong Huu Nguyen
184102d365 perf(session/redis): set minIdleConns to alleviate cold start performance 2022-06-14 14:26:42 +02:00
Trong Huu Nguyen
b3dfa54768 refactor: change default post-logout redirect uri for idporten 2022-05-09 11:49:44 +02:00
Trong Huu Nguyen
3d45cfb998 refactor(config): remove features stanza 2022-02-03 13:52:48 +01:00
Trong Huu Nguyen
fcba6815b9 feat: add feature toggled support for loginstatus 
Co-Authored-By: Youssef Bel Mekki <youssef.bel.mekki@nav.no>
Co-Authored-By: Tommy Trøen <tommy.troen@nav.no>
 2022-02-03 11:41:40 +01:00
Trong Huu Nguyen
c70037bd4c refactor: clean up main 2021-11-01 11:04:54 +01:00
Trong Huu Nguyen
3a35584a21 refactor: restructure and group related packages into subpackages 2021-10-20 09:03:14 +02:00
Trong Huu Nguyen
1b4ce5cab7 Revert "Revert "refactor: infer redirect URI from configured ingress"" 
This reverts commit 8cf9d22324.
 2021-10-18 14:12:41 +02:00
Trong Huu Nguyen
8cf9d22324 Revert "refactor: infer redirect URI from configured ingress" 
This reverts commit 5f0b0df7cf.
 2021-10-18 14:06:10 +02:00
Trong Huu Nguyen
5f0b0df7cf refactor: infer redirect URI from configured ingress 2021-10-18 11:26:55 +02:00
Trong Huu Nguyen
be585f9902 refactor: simplify config for acr_values and ui_locales; validate on startup 2021-10-17 20:24:34 +02:00
Trong Huu Nguyen
c1482d09e1 refactor: generalize config to allow more providers; add azure 2021-10-16 12:44:59 +02:00
Trong Huu Nguyen
2f0243b69a refactor: move openid related structs to own pkg 2021-10-16 10:39:00 +02:00
Trong Huu Nguyen
d0482b3490 refactor: log session store unavailability, ensure fallback cookies are deleted when no longer needed 2021-10-13 08:49:53 +02:00
Trong Huu Nguyen
f7f476db87 refactor: add toggle for redis tls negotiation 2021-10-13 08:47:58 +02:00
Morten Lied Johansen
6152b94aba Configure HA redis 
Co-authored-by: Trong Huu Nguyen <trong.huu.nguyen@nav.no>
Co-authored-by: Sindre Rødseth Hansen <sindre.rodseth.hansen@nav.no>
 2021-10-12 15:56:30 +02:00
Trong Huu Nguyen
e209516d32 feat: add toggle for auto redirect to login handler for default route 
Co-Authored-By: Sindre Rødseth Hansen <sindre.rodseth.hansen@nav.no>
 2021-10-11 12:50:11 +02:00
Trong Huu Nguyen
2e10801d0e refactor: move client assertion generation, replace go-jose with jwx 
Co-Authored-By: Sindre Rødseth Hansen <sindre.rodseth.hansen@nav.no>
 2021-10-11 11:46:11 +02:00
Trong Huu Nguyen
3bdbfd0030 refactor: only handle single ingress 
As OIDC is very specific on using complete redirect URIs
for the authorization-step, it does not really make sense
to handle multiple ingresses in Wonderwall.

We could dynamically figure out which ingress was used
by looking at the scheme and host for the request and
decide which redirect URI we would use, but such an
implementation is both time-consuming and prone to
errors and vulnerabilities without the proper precautions.
 2021-10-07 08:16:49 +02:00
sindrerh2
1f939d603d feat: add configurable redirect to custom error page 
Co-authored-by: Trong Huu Nguyen <trong.huu.nguyen@nav.no>
 2021-10-06 14:49:04 +02:00
Trong Huu Nguyen
77d0438411 feat: use latest go-chi v5, add middlewares for panic recovery and logging 
Co-Authored-By: Sindre Rødseth Hansen <sindre.rodseth.hansen@nav.no>
 2021-10-05 11:45:42 +02:00