github/wonderwall
1
0
Fork 0
mirror of https://github.com/nais/wonderwall.git synced 2026-05-06 00:17:27 +00:00
Code Issues Packages Projects Releases Wiki Activity
745 Commits 2 Branches 0 Tags
e00832016bc21e092189d5ef0ffa44c7e3c287eb
Commit Graph

508 Commits

Author SHA1 Message Date
Trong Huu Nguyen
e00832016b feat(handler/login): remove legacy cookie 
We don't really need to set an additional cookie without SameSite
as we now use SameSite=Lax for the login cookie.
 2023-12-19 08:46:08 +01:00
Trong Huu Nguyen
083cb54df7 feat(handler/error): remove automatic retry 2023-12-19 08:46:06 +01:00
Trong Huu Nguyen
273eb3604a feat(cookie): use samesite lax instead of none for callback 2023-12-19 08:46:03 +01:00
Trong Huu Nguyen
c3904433f2 feat: log and propagate session metadata 
- stop using jti, use sid instead
- store amr and auth_time from id_token in session
- log more metadata on login callback
- log session id where possible
- propagate acr, amr, auth_time, sid to upstreams in headers
- log authenticated reverseproxy requests
 2023-12-19 08:46:02 +01:00
Trong Huu Nguyen
a10da5d0d7 feat(handler/login): add support for prompt param in login 2023-12-19 08:46:01 +01:00
Trong Huu Nguyen
8f3c5cde88 fix(handler/error): redirect callbacks to initial handlers, retry others as-is 2023-12-19 08:45:57 +01:00
Trong Huu Nguyen
3f7af9e232 chore(config): set new default value for idporten acr 2023-12-12 09:12:41 +01:00
Trong Huu Nguyen
6d32363d13 feat(config): drop dirty modifier from version string 2023-11-29 09:21:04 +01:00
Trong Huu Nguyen
70a45e1522 style: formatting 2023-11-28 10:15:32 +01:00
Trong Huu Nguyen
423bb4f22f fix(router): skip middleware if otel is not enabled 2023-11-28 10:12:15 +01:00
Trong Huu Nguyen
35e4953557 fix(session/redis): skip setup if otel is not enabled 2023-11-28 10:08:31 +01:00
Trong Huu Nguyen
de78193361 chore(handler): remove temporary amr-based redirect 2023-11-24 16:52:15 +01:00
Trong Huu Nguyen
b3a7dbf081 refactor(otel): move configuration 2023-11-24 16:52:05 +01:00
Trong Huu Nguyen
14735484c3 refactor(otel): remove unneeded meter provider 2023-11-24 16:39:49 +01:00
J-K. Solbakken
894cc35e47 telemetry for redis 2023-11-23 13:16:43 +01:00
J-K. Solbakken
3e00f8105a add request method to span name 2023-11-23 09:37:43 +01:00
J-K. Solbakken
d28579028e removed unused variable 2023-11-23 08:56:52 +01:00
J-K. Solbakken
38b9891caf use otelchi middleware for http tracing 2023-11-23 08:53:36 +01:00
J-K. Solbakken
5f11c2a5d7 use recommended otel reporting intervals 2023-11-23 08:20:56 +01:00
J-K. Solbakken
795c91950d change otel exporter from stdout to grpc 2023-11-22 10:03:22 +01:00
Jan-Kåre Solbakken
757b9c987c Merge branch 'master' into otel 2023-11-21 09:21:53 +01:00
J-K. Solbakken
23268c6762 starting simple 2023-11-21 08:47:42 +01:00
Trong Huu Nguyen
1b3ba8a7ad refactor(session): skip logging for client context cancellations 
We use the context from the inbound http.Request, which means that this
error generally occurs due to the user agent disconnecting mid-request.
Skip logging these errors as they're not really actionable.
 2023-11-16 14:52:10 +01:00
Trong Huu Nguyen
191f3c3ca8 fix(router): enable cors on session endpoints for sso proxies 2023-11-15 08:42:42 +01:00
Trong Huu Nguyen
2f351a1388 feat(handler/callback): redirect minid passport users to separate landing page 2023-11-06 11:45:15 +01:00
Trong Huu Nguyen
e3022c7923 feat(handler/session): reduce logging level for not found errors 2023-11-02 08:33:09 +01:00
Trong Huu Nguyen
d2d281f38c fix(server): correcter error equality check 2023-10-25 10:37:56 +02:00
Trong Huu Nguyen
305ab1786d fix(reverseproxy/autologin): handle multiple accept headers 2023-10-16 12:01:15 +02:00
Trong Huu Nguyen
3da0ed1019 fix(middleware/prometheus): filter out irrelevant paths 2023-10-16 11:41:57 +02:00
Trong Huu Nguyen
c363bea556 test(reverseproxy): extract common assertions 2023-10-12 09:18:51 +02:00
Trong Huu Nguyen
b910d3e65a feat(config): redis username and password flags overrides uri 2023-10-12 08:21:34 +02:00
Trong Huu Nguyen
f246fc7975 refactor(openid): move acr to own package 2023-10-11 14:25:12 +02:00
Trong Huu Nguyen
320176d48b refactor(config): consolidate, don't parse/bind/load flags twice 2023-10-11 14:24:19 +02:00
Trong Huu Nguyen
6dbc747aad feat(config): enable refresh tokens and automatic refreshing by default, increase default session lifetime 2023-10-11 14:16:53 +02:00
Trong Huu Nguyen
7e97fd7a93 revert: "style: go fmt" 
This wasn't actually formatting.

This reverts commit d71ff7ddc3.
 2023-10-10 14:51:12 +02:00
Trong Huu Nguyen
8bbd947d5b feat(config): add support for Redis URI 2023-10-10 14:48:50 +02:00
Trong Huu Nguyen
d71ff7ddc3 style: go fmt 2023-10-10 13:41:28 +02:00
Trong Huu Nguyen
af6642fe90 refactor(openid): use pkce implementation from golang.org/x/oauth2 2023-10-10 10:18:01 +02:00
Trong Huu Nguyen
a2e939f716 fix(handler/sessionrefresh): handle not found error 2023-10-04 10:06:03 +02:00
Trong Huu Nguyen
c1bdb90566 feat(handler/reverseproxy): don't return json response after all 
Expose fewer interfaces; less maintenance and documentation needed.
 2023-10-04 10:01:03 +02:00
Trong Huu Nguyen
91cd58d18b docs: update sections on autologin and sessions 2023-10-03 14:21:09 +02:00
Trong Huu Nguyen
2e21dae33a feat(handler/reverseproxy): return json response for non-navigational autologin requests 2023-10-03 14:21:09 +02:00
Trong Huu Nguyen
52331a93db refactor(ingress): simplify and remove unnecessary variables 2023-10-03 14:21:08 +02:00
Trong Huu Nguyen
7a72586ca8 refactor(autologin): return early if fetch metadata is set 2023-09-25 15:07:11 +02:00
Trong Huu Nguyen
61a641c8d7 fix(url): only add redirect query parameter if non-empty 2023-09-25 14:14:28 +02:00
Trong Huu Nguyen
337723150b fix(reverseproxy/autologin): skip cleaning redirect target 2023-09-25 14:13:15 +02:00
Trong Huu Nguyen
34d90d2c78 fix(autologin): do not return ambiguous 3xx redirect 
If autologin is enabled, check for headers that indicate that the request is a navigation request
and respond appropriately.

A navigation request is assumed to match all of the following:

- uses the GET HTTP method
- either:
  - a) sends the fetch metadata headers, specifically
    `Sec-Fetch-Mode=navigate` and `Sec-Fetch-Dest=document`, or (if
    unsupported by the browser)
  - b) sends the `Accept` header with a value that contains
    `text/html` (which most browsers do by default for navigation
    requests, the exception being IE8 AFAIK)

Non-navigation requests (e.g. fetch / xhr / ajax requests) will receive a
401 Unauthorized, with the Location header set to the login endpoint.
The redirect parameter is also set to point back to the URL found in the
Referer header (though with the scheme and host removed to only allow
redirects relative to the origin host.)

With this fix, autologin will also intercept requests other than GET.
This is to improve the security posture of upstreams that assume that autologin
enforces authentication for all methods.

Fixes #156.
 2023-09-22 14:51:35 +02:00
Trong Huu Nguyen
c4911b1344 feat(session): add feature toggle for automatic refreshing 2023-09-15 09:08:42 +02:00
Trong Huu Nguyen
4a72a01496 feat(server): support wait before triggering graceful shutdown 2023-09-06 15:23:11 +02:00
Trong Huu Nguyen
c887cf711e fix(handler/sso/server): wildcard redirects to default url 2023-09-06 12:15:30 +02:00