github/wonderwall
1
0
Fork 0
mirror of https://github.com/nais/wonderwall.git synced 2026-05-07 08:57:07 +00:00
Code Issues Packages Projects Releases Wiki Activity
442 Commits 2 Branches 0 Tags
ce2698f2bb54629c28bf0b32577e33dbc87fe865
Commit Graph

95 Commits

Author SHA1 Message Date
Trong Huu Nguyen
ce2698f2bb refactor(cookie): use rawurlencoding for base64 2023-02-13 20:15:12 +01:00
Trong Huu Nguyen
66dec32de0 feat(sso/proxy): implement handlers for session routes 2023-02-10 14:58:19 +01:00
Trong Huu Nguyen
ea0756784d refactor(handler/reverseproxy): use ReverseProxy.Rewrite instead of Director 2023-02-10 14:58:17 +01:00
Trong Huu Nguyen
473e4a95a7 refactor: remove loginstatus 
Loginstatus is no longer needed with the SSO setup.
Fixes #50.
 2023-02-10 14:58:17 +01:00
Trong Huu Nguyen
c8f148d892 refactor(handler/error): remove custom redirect 
Reduce the risk of exposing oauth query parameters in "dirty dancing" attacks.
 2023-02-10 14:58:14 +01:00
Trong Huu Nguyen
42dcba8367 refactor: replace relative canonical redirect with handler 
This also ensure that we clean any urls that may stem from user input (e.g.
url parameter or login cookie) before performing redirects.
 2023-02-10 14:58:14 +01:00
Trong Huu Nguyen
5f74ee08bc refactor(url): extract utility functions 2023-02-10 14:58:12 +01:00
Trong Huu Nguyen
d13525f8a2 fix(handler/error): correct retry url for local logout 2023-02-10 14:58:12 +01:00
Trong Huu Nguyen
0e73c9b4d8 refactor(mock): configure relying party ingress before server start 2023-02-10 14:58:11 +01:00
Trong Huu Nguyen
1fdbe75c9e feat(sso/proxy): implement login handler 2023-02-10 14:58:11 +01:00
Trong Huu Nguyen
c3c0c01926 feat(sso): partially implement handlers 2023-02-10 14:58:09 +01:00
Trong Huu Nguyen
a4e4fc752e refactor(handler): remove provider name getter from handler 2023-02-10 14:57:57 +01:00
Trong Huu Nguyen
3d08d0b4b0 feat: initial skeleton setup for SSO mode 2023-02-10 14:57:56 +01:00
Trong Huu Nguyen
bd748b9cef refactor(openid/provider): use name from config instead of indirection layer 2023-02-10 14:57:56 +01:00
Trong Huu Nguyen
2f6a3682d9 fix(all): use url.ParseRequestURI instead of just url.Parse where necessary 2023-02-10 14:57:55 +01:00
Trong Huu Nguyen
f4bba075a6 refactor(handler/error): reduce log severity for context canceled errors 2023-02-10 14:57:55 +01:00
Trong Huu Nguyen
61a7a8f161 refactor: clean up errors and reverseproxy logging 2023-02-10 14:57:53 +01:00
Trong Huu Nguyen
ce177fb4a5 refactor(handler/url): remove unneeded redirect parameter encoding 2023-02-10 14:57:52 +01:00
Trong Huu Nguyen
07fc0e24dd perf(handler/autologin): cache NeedsLogin results 2023-02-10 14:57:51 +01:00
Trong Huu Nguyen
bd53417f8b refactor(handler): move handler tests to separate files 2023-02-10 14:57:48 +01:00
Trong Huu Nguyen
f51fe97b23 refactor(handler): flatten handler modules 2023-02-10 14:57:48 +01:00
Trong Huu Nguyen
6a142cf5a5 refactor(handler): use session cookie for frontchannel logout if available, clean up logout handlers 2023-02-10 14:57:48 +01:00
Trong Huu Nguyen
67d3977cc1 refactor(handler/sessionrefresh): use found session key instead of looking up key again 2023-02-10 14:57:47 +01:00
Trong Huu Nguyen
c3a5033968 test(handler): add test for authorization headers, ensure upstream validates token 2023-02-10 14:57:45 +01:00
Trong Huu Nguyen
0485074829 refactor(handler/reverseproxy): reduce log severity for invalid auth state 2022-12-16 14:53:35 +01:00
Trong Huu Nguyen
1d754baabe feat(handler/reverseproxy): preserve incoming authorization for unauthenticated sessions 2022-12-16 14:53:27 +01:00
Trong Huu Nguyen
185485a6fe feat(handler/autologin): use doublestar library for nested path matching 
Fixes #54.
 2022-11-24 11:36:54 +01:00
Trong Huu Nguyen
e7244df4d5 feat: add local logout endpoint 2022-11-24 11:36:49 +01:00
Trong Huu Nguyen
002e4ac8ea feat(handler/error): automatically retry errors before displaying error page 2022-10-11 10:55:14 +02:00
Trong Huu Nguyen
bdec8c662c refactor(router): correct HTTP verb for session refresh endpoint 
Since this changes the state for a user's session, a POST is more
appropriate than just a GET - even though the POST body is empty.

We keep the GET route temporarily to allow any consumers to migrate.
 2022-10-11 09:22:03 +02:00
Trong Huu Nguyen
b651db40e4 refactor(handler/url): remove support for Referer header 
The header isn't guaranteed to be set or sent with requests, and all of
our users prefer the `redirect` query parameter anyways.
 2022-09-22 13:59:37 +02:00
Trong Huu Nguyen
aaaaaaa38d feat(session): add session inactivity timeout feature 
Fixes #52.
 2022-09-22 10:03:17 +02:00
Trong Huu Nguyen
843bf5dfcd refactor(handler/error): rename config variable to match intention 2022-09-21 09:39:57 +02:00
Trong Huu Nguyen
f093fd549e fix(autologin): ignore trailing slash in request paths during matching 2022-09-21 08:41:13 +02:00
Trong Huu Nguyen
f6cf60a013 refactor(handler/reverseproxy): improve log messages 2022-09-20 08:00:57 +02:00
Trong Huu Nguyen
e5a285887c refactor(handler/url): extract redirect url decoder method 2022-09-19 21:14:22 +02:00
Trong Huu Nguyen
80738f2a4b fix(handler/url): use base64 encoding for redirects to preserve query parameters 
Load balancers or reverse proxies may rewrite or modify the Location
header and unescape its value, which would result in redirects not
preserving the original set of query parameters. This was especially
evident for autologins where we need to redirect to `/oauth2/login` with
the `redirect` parameter containing the original requested URL so that
the end-user ultimately ends up at the latter URL.

We avoid this issue by base64-encoding the original URL, before passing
it along as the intended redirect for the login route.
To preserve existing behaviour, we use a separate query parameter
for the `/oauth2/login`-endpoint that accepts and handles base64-encoded
values.
 2022-09-19 11:51:30 +02:00
Trong Huu Nguyen
97d2a88bb1 fix(handler/url): ensure that parameters for original url aren't dropped 2022-09-19 08:41:25 +02:00
Trong Huu Nguyen
ed56aac3d0 style: follow conventions for error variable names 2022-09-19 08:41:23 +02:00
Trong Huu Nguyen
62f0359438 fix(handler/autologin): ensure path has prefix 2022-09-19 08:41:17 +02:00
Trong Huu Nguyen
b4eecfc663 fix(handler/autologin): only trigger for GET requests 2022-09-12 12:33:42 +02:00
Trong Huu Nguyen
43c39c89ad refactor(handler/reverseproxy): skip logging for client context cancellation 2022-09-12 12:32:37 +02:00
Trong Huu Nguyen
fcc6a7472c fix(handler/autologin): return http 303 for autologin redirects 2022-09-09 14:38:46 +02:00
Trong Huu Nguyen
a4ceaeaacc feat(handler/autologin): add favicon.ico and robots.txt to default ignorelist 2022-09-09 13:09:36 +02:00
Trong Huu Nguyen
69ebd9270f refactor(handler/reverseproxy): improve log messages 2022-09-09 10:18:39 +02:00
Trong Huu Nguyen
84d521e968 feat(reverseproxy): configure errorlog to use logrus implementation 2022-09-06 15:34:32 +02:00
Trong Huu Nguyen
00b39276df debug(handler/reverseproxy): log proxy errors 2022-09-06 08:46:41 +02:00
Trong Huu Nguyen
b22c130e60 fix(session/handler): invalidate session state if refresh attempt is a client error 
A client error response for the refresh grant is assumed to be an
irrecoverable error; e.g. the refresh token is invalid, the
authorization is invalid, user is logged out, etc. In such cases we will
consider the session state to be invalid, and a new authorization grant
should be performed.
 2022-09-04 17:15:40 +02:00
Trong Huu Nguyen
989aa1e998 refactor(middleware/logentry): add fields to default logger 2022-09-03 20:05:28 +02:00
Trong Huu Nguyen
08eefbf1d5 refactor(openid): clean up client and provider 2022-09-02 18:08:36 +02:00