Trong Huu Nguyen
f4ae907a2b
refactor(handler/reverseproxy): clean up error handling
2023-02-21 13:30:29 +01:00
Trong Huu Nguyen
fb28da7241
refactor: consolidate handlers
2023-02-16 10:55:50 +01:00
Trong Huu Nguyen
3274cc5c65
refactor: move redirect package into url, clean up naming
2023-02-16 09:24:39 +01:00
Trong Huu Nguyen
2c5d964983
refactor(handler/reverseproxy): reduce log severity for cookie decrypt failures
2023-02-15 08:43:25 +01:00
Trong Huu Nguyen
0537c8172f
feat(session): use tickets for per-session data encryption
...
Replace the usage of a single application-wide session crypter
with per-session crypters.
The application is no longer able to decrypt any session
encrypted with its symmetric key alone. Instead, a session ticket
with its associated data encryption key (DEK) is also required in order
to decrypt the associated session data. The ticket itself is
encrypted with the application's crypter; the latter of which is
effectively a key-encryption key (KEK).
Fixes #49.
2023-02-14 21:50:19 +01:00
Trong Huu Nguyen
d17feacc34
refactor(handler/autologin): use sync.Map for cache
2023-02-14 14:20:46 +01:00
Trong Huu Nguyen
ce2698f2bb
refactor(cookie): use rawurlencoding for base64
2023-02-13 20:15:12 +01:00
Trong Huu Nguyen
66dec32de0
feat(sso/proxy): implement handlers for session routes
2023-02-10 14:58:19 +01:00
Trong Huu Nguyen
ea0756784d
refactor(handler/reverseproxy): use ReverseProxy.Rewrite instead of Director
2023-02-10 14:58:17 +01:00
Trong Huu Nguyen
473e4a95a7
refactor: remove loginstatus
...
Loginstatus is no longer needed with the SSO setup.
Fixes #50.
2023-02-10 14:58:17 +01:00
Trong Huu Nguyen
c8f148d892
refactor(handler/error): remove custom redirect
...
Reduce the risk of exposing oauth query parameters in "dirty dancing" attacks.
2023-02-10 14:58:14 +01:00
Trong Huu Nguyen
42dcba8367
refactor: replace relative canonical redirect with handler
...
This also ensures that we clean any URLs that may stem from user input (e.g.
url parameter or login cookie) before performing redirects.
2023-02-10 14:58:14 +01:00
Trong Huu Nguyen
5f74ee08bc
refactor(url): extract utility functions
2023-02-10 14:58:12 +01:00
Trong Huu Nguyen
d13525f8a2
fix(handler/error): correct retry url for local logout
2023-02-10 14:58:12 +01:00
Trong Huu Nguyen
0e73c9b4d8
refactor(mock): configure relying party ingress before server start
2023-02-10 14:58:11 +01:00
Trong Huu Nguyen
1fdbe75c9e
feat(sso/proxy): implement login handler
2023-02-10 14:58:11 +01:00
Trong Huu Nguyen
c3c0c01926
feat(sso): partially implement handlers
2023-02-10 14:58:09 +01:00
Trong Huu Nguyen
a4e4fc752e
refactor(handler): remove provider name getter from handler
2023-02-10 14:57:57 +01:00
Trong Huu Nguyen
3d08d0b4b0
feat: initial skeleton setup for SSO mode
2023-02-10 14:57:56 +01:00
Trong Huu Nguyen
bd748b9cef
refactor(openid/provider): use name from config instead of indirection layer
2023-02-10 14:57:56 +01:00
Trong Huu Nguyen
2f6a3682d9
fix(all): use url.ParseRequestURI instead of just url.Parse where necessary
2023-02-10 14:57:55 +01:00
Trong Huu Nguyen
f4bba075a6
refactor(handler/error): reduce log severity for context canceled errors
2023-02-10 14:57:55 +01:00
Trong Huu Nguyen
61a7a8f161
refactor: clean up errors and reverseproxy logging
2023-02-10 14:57:53 +01:00
Trong Huu Nguyen
ce177fb4a5
refactor(handler/url): remove unneeded redirect parameter encoding
2023-02-10 14:57:52 +01:00
Trong Huu Nguyen
07fc0e24dd
perf(handler/autologin): cache NeedsLogin results
2023-02-10 14:57:51 +01:00
Trong Huu Nguyen
bd53417f8b
refactor(handler): move handler tests to separate files
2023-02-10 14:57:48 +01:00
Trong Huu Nguyen
f51fe97b23
refactor(handler): flatten handler modules
2023-02-10 14:57:48 +01:00
Trong Huu Nguyen
6a142cf5a5
refactor(handler): use session cookie for frontchannel logout if available, clean up logout handlers
2023-02-10 14:57:48 +01:00
Trong Huu Nguyen
67d3977cc1
refactor(handler/sessionrefresh): use found session key instead of looking up key again
2023-02-10 14:57:47 +01:00
Trong Huu Nguyen
c3a5033968
test(handler): add test for authorization headers, ensure upstream validates token
2023-02-10 14:57:45 +01:00
Trong Huu Nguyen
0485074829
refactor(handler/reverseproxy): reduce log severity for invalid auth state
2022-12-16 14:53:35 +01:00
Trong Huu Nguyen
1d754baabe
feat(handler/reverseproxy): preserve incoming authorization for unauthenticated sessions
2022-12-16 14:53:27 +01:00
Trong Huu Nguyen
185485a6fe
feat(handler/autologin): use doublestar library for nested path matching
...
Fixes #54.
2022-11-24 11:36:54 +01:00
Trong Huu Nguyen
e7244df4d5
feat: add local logout endpoint
2022-11-24 11:36:49 +01:00
Trong Huu Nguyen
002e4ac8ea
feat(handler/error): automatically retry errors before displaying error page
2022-10-11 10:55:14 +02:00
Trong Huu Nguyen
bdec8c662c
refactor(router): correct HTTP verb for session refresh endpoint
...
Since this changes the state for a user's session, a POST is more
appropriate than just a GET - even though the POST body is empty.
We keep the GET route temporarily to allow any consumers to migrate.
2022-10-11 09:22:03 +02:00
Trong Huu Nguyen
b651db40e4
refactor(handler/url): remove support for Referer header
...
The header isn't guaranteed to be set or sent with requests, and all of
our users prefer the `redirect` query parameter anyways.
2022-09-22 13:59:37 +02:00
Trong Huu Nguyen
aaaaaaa38d
feat(session): add session inactivity timeout feature
...
Fixes #52.
2022-09-22 10:03:17 +02:00
Trong Huu Nguyen
843bf5dfcd
refactor(handler/error): rename config variable to match intention
2022-09-21 09:39:57 +02:00
Trong Huu Nguyen
f093fd549e
fix(autologin): ignore trailing slash in request paths during matching
2022-09-21 08:41:13 +02:00
Trong Huu Nguyen
f6cf60a013
refactor(handler/reverseproxy): improve log messages
2022-09-20 08:00:57 +02:00
Trong Huu Nguyen
e5a285887c
refactor(handler/url): extract redirect url decoder method
2022-09-19 21:14:22 +02:00
Trong Huu Nguyen
80738f2a4b
fix(handler/url): use base64 encoding for redirects to preserve query parameters
...
Load balancers or reverse proxies may rewrite or modify the Location
header and unescape its value, which would result in redirects not
preserving the original set of query parameters. This was especially
evident for autologins where we need to redirect to `/oauth2/login` with
the `redirect` parameter containing the original requested URL so that
the end-user ultimately ends up at the latter URL.
We avoid this issue by base64-encoding the original URL, before passing
it along as the intended redirect for the login route.
To preserve existing behaviour, we use a separate query parameter
for the `/oauth2/login`-endpoint that accepts and handles base64-encoded
values.
2022-09-19 11:51:30 +02:00
Trong Huu Nguyen
97d2a88bb1
fix(handler/url): ensure that parameters for original url aren't dropped
2022-09-19 08:41:25 +02:00
Trong Huu Nguyen
ed56aac3d0
style: follow conventions for error variable names
2022-09-19 08:41:23 +02:00
Trong Huu Nguyen
62f0359438
fix(handler/autologin): ensure path has prefix
2022-09-19 08:41:17 +02:00
Trong Huu Nguyen
b4eecfc663
fix(handler/autologin): only trigger for GET requests
2022-09-12 12:33:42 +02:00
Trong Huu Nguyen
43c39c89ad
refactor(handler/reverseproxy): skip logging for client context cancellation
2022-09-12 12:32:37 +02:00
Trong Huu Nguyen
fcc6a7472c
fix(handler/autologin): return http 303 for autologin redirects
2022-09-09 14:38:46 +02:00
Trong Huu Nguyen
a4ceaeaacc
feat(handler/autologin): add favicon.ico and robots.txt to default ignorelist
2022-09-09 13:09:36 +02:00