github/wonderwall
1
0
Fork 0
mirror of https://github.com/nais/wonderwall.git synced 2026-05-11 10:56:53 +00:00
Code Issues Packages Projects Releases Wiki Activity
372 Commits 2 Branches 0 Tags
d718c36595acdbfdb31f46f0dd7fbb6397a3b571
Commit Graph

372 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Trong Huu Nguyen
d718c36595 style(openid/client): remove unused struct field 2022-09-19 08:41:20 +02:00
Trong Huu Nguyen
d732a5b3cd test(session/store): add missing assertion 2022-09-19 08:41:18 +02:00
Trong Huu Nguyen
62f0359438 fix(handler/autologin): ensure path has prefix 2022-09-19 08:41:17 +02:00
Trong Huu Nguyen
9af867bf91 chore: bump deps 2022-09-19 08:41:14 +02:00
Trong Huu Nguyen
889e0c8edf feat(middleware/correlationid): use x-request-id header if found in request 2022-09-19 08:41:14 +02:00
Trong Huu Nguyen
b68877b963 fix(ingress): also use X-Forwarded-Host for match operation 2022-09-19 08:41:09 +02:00
Jan-Kåre Solbakken
5a385622d8 Merge pull request #51 from nais/dependabot/go_modules/github.com/spf13/viper-1.13.0 
build(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0
 2022-09-19 08:33:43 +02:00
Jan-Kåre Solbakken
4fddbaa4df Merge branch 'master' into dependabot/go_modules/github.com/spf13/viper-1.13.0 2022-09-19 08:11:47 +02:00
dependabot[bot]
2fd76001d8 build(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0 
Bumps [github.com/spf13/viper](https://github.com/spf13/viper) from 1.12.0 to 1.13.0.
- [Release notes](https://github.com/spf13/viper/releases)
- [Commits](https://github.com/spf13/viper/compare/v1.12.0...v1.13.0)

---
updated-dependencies:
- dependency-name: github.com/spf13/viper
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-09-12 19:24:24 +00:00
Trong Huu Nguyen
b4eecfc663 fix(handler/autologin): only trigger for GET requests 2022-09-12 12:33:42 +02:00
Trong Huu Nguyen
43c39c89ad refactor(handler/reverseproxy): skip logging for client context cancellation 2022-09-12 12:32:37 +02:00
Trong Huu Nguyen
fcc6a7472c fix(handler/autologin): return http 303 for autologin redirects 2022-09-09 14:38:46 +02:00
Trong Huu Nguyen
a4ceaeaacc feat(handler/autologin): add favicon.ico and robots.txt to default ignorelist 2022-09-09 13:09:36 +02:00
Trong Huu Nguyen
7f93c62604 fix(openid/client): handle missing redirect uri for callbacks 2022-09-09 12:31:17 +02:00
Trong Huu Nguyen
27d2bc2c26 fix(session/handler): log errors for lock release failures 2022-09-09 10:19:22 +02:00
Trong Huu Nguyen
69ebd9270f refactor(handler/reverseproxy): improve log messages 2022-09-09 10:18:39 +02:00
Trong Huu Nguyen
f830ff575c docs: clarify session refresh cooldown mechanism 2022-09-08 16:42:11 +02:00
Trong Huu Nguyen
84d521e968 feat(reverseproxy): configure errorlog to use logrus implementation 2022-09-06 15:34:32 +02:00
Trong Huu Nguyen
00b39276df debug(handler/reverseproxy): log proxy errors 2022-09-06 08:46:41 +02:00
Trong Huu Nguyen
3f24537b36 fix(openid/client): set iat for assertion in the past to alleviate clock skew 2022-09-06 08:46:35 +02:00
Trong Huu Nguyen
b22c130e60 fix(session/handler): invalidate session state if refresh attempt is a client error 
A client error response for the refresh grant is assumed to be an
irrecoverable error; e.g. the refresh token is invalid, the
authorization is invalid, user is logged out, etc. In such cases we will
consider the session state to be invalid, and a new authorization grant
should be performed.
 2022-09-04 17:15:40 +02:00
Trong Huu Nguyen
c0138f4b49 feat(session): use locks for refreshing 
One of the changes in OAuth 2.1 addresses attacks with refresh token
replays by recommending the use of one-time use tokens. A refresh token
is thus rotated and invalid after exactly one use, returning a new token
for each successful grant. Any further attempts must thus use the most
recently acquired refresh token. Reusing a refresh token may also
cause the authorization server to invalidate the current active refresh
token, requiring a refresh authorization grant to be reacquired for
further refresh token usage.

The use of locks prevents multiple refresh grant attempts for a given
session from happening across concurrent requests.
 2022-09-04 17:14:35 +02:00
Trong Huu Nguyen
989aa1e998 refactor(middleware/logentry): add fields to default logger 2022-09-03 20:05:28 +02:00
Trong Huu Nguyen
c78674e54a fix(session/store): check for existence before update 2022-09-03 16:48:37 +02:00
Trong Huu Nguyen
2a80bd7765 refactor(mock/openid): use interface for handler 2022-09-02 18:43:59 +02:00
Trong Huu Nguyen
08eefbf1d5 refactor(openid): clean up client and provider 2022-09-02 18:08:36 +02:00
Trong Huu Nguyen
92ee6313c5 refactor: remove unnecessary interfaces 2022-09-02 17:39:27 +02:00
Trong Huu Nguyen
c8f48335d4 refactor(openid/config): extract getter for ingresses 2022-09-02 15:17:36 +02:00
Trong Huu Nguyen
9144056e28 refactor(handler): split up request handlers into separate modules 2022-09-02 14:53:11 +02:00
Trong Huu Nguyen
5d00d132dd refactor: decouple handler implementation from router and middleware 2022-09-01 19:39:47 +02:00
Trong Huu Nguyen
d9cc60c4cc refactor: move autologin to handler pkg 2022-09-01 19:35:58 +02:00
Trong Huu Nguyen
619ae52d45 refactor: separate refresh-specific fields from session info; enable endpoint without refresh feature 2022-09-01 19:35:48 +02:00
Trong Huu Nguyen
06b71cf56d docs: clarify endpoint usage, add notes on session management and refresh tokens 2022-09-01 19:33:22 +02:00
Trong Huu Nguyen
9d7732fc25 deps: bump em 2022-08-31 08:50:09 +02:00
Trong Huu Nguyen
cdba90bc5b test(session/data): add missing tests 2022-08-29 14:48:39 +02:00
Trong Huu Nguyen
af48778bf7 fix(session/handler): lock metadata operations behind feature gate until rollout 2022-08-29 10:00:43 +02:00
Trong Huu Nguyen
cdd07838f4 refactor(session/data): separate into object groups 2022-08-29 08:35:03 +02:00
Trong Huu Nguyen
1d9339e139 refactor(session/handler): extract predicates for readability 2022-08-26 18:09:40 +02:00
Trong Huu Nguyen
5ec969981d fix(session/handler): ensure access token is not expired before proxying 2022-08-26 17:58:39 +02:00
Trong Huu Nguyen
d5bbca9897 feat: rudimentary support for refresh tokens 2022-08-26 14:32:39 +02:00
Trong Huu Nguyen
dc0741f79f refactor(middleware): extract handlers for consistency 2022-08-26 08:34:07 +02:00
Trong Huu Nguyen
4d7502a4be refactor(middleware/logentry): strip query and fragment from referer logs 2022-08-25 22:31:01 +02:00
Trong Huu Nguyen
cafebabea5 fix(openid/client): set redirect_uri param when redeeming auth code 2022-08-23 08:27:34 +02:00
Trong Huu Nguyen
f9b7bbe10b deps: bump it 2022-08-22 08:40:27 +02:00
Trong Huu Nguyen
c29501d964 refactor(handler): add utility method for path-aware cookie options 2022-08-19 12:09:21 +02:00
Trong Huu Nguyen
08f570363a refactor(openid): extract magic strings 2022-08-19 11:44:38 +02:00
Trong Huu Nguyen
5990e4bb71 refactor(session): extract session handler 2022-08-19 11:44:13 +02:00
Trong Huu Nguyen
c15e00469b refactor: clean up session error handling 2022-08-18 21:35:15 +02:00
Trong Huu Nguyen
ae8028cc96 refactor: remove cookie session fallback store 
The implementation is error-prone and difficult to maintain.
We instead just assume that the backing session store is highly
available.
 2022-08-17 20:44:07 +02:00
Trong Huu Nguyen
5a50ba7c3a feat: support multiple ingresses 
Replace hardcoded callback URLs with dynamic generation
of URLs based on incoming requests. These are validated against
a pre-registered list of ingresses for which Wonderwall is considered
authorative for.

We also preserve the cookie behaviour; the most specific ingress path
and domain is used for the cookies.

The `url` package has been moved to the `handler` package, and its
implementation refactored slightly for readability and DRY.
 2022-08-17 20:43:56 +02:00