| Age | Commit message | Author | |
|---|---|---|---|
| 2025-05-15 | refactor: delete code that is now handled by envoy | mo khan | |
| 2025-05-14 | refactor: remove unnecessary params from ctor | mo khan | |
| 2025-05-14 | feat: provide a fallback provider that defaults to hard-coded paths | mo khan | |
| 2025-05-11 | fix: redirect to dashboard when already logged in at callback url | mo khan | |
| 2025-05-11 | refactor: use same cookie names as envoy plugin | mo khan | |
| 2025-05-11 | feat: add endpoint to reflect JWT body | mo khan | |
| 2025-05-08 | feat: test out a redirect page in staging | mo khan | |
| 2025-05-08 | feat: use a cookie prefix to lock down the session cookie | mo khan | |
| > `__Host-`: If a cookie name has this prefix, it's accepted in a Set-Cookie header only if it's also marked with the Secure attribute, was sent from a secure origin, does not include a Domain attribute, and has the Path attribute set to /. In other words, the cookie is domain-locked. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#cookie_prefixes | |||
| 2025-05-07 | fix: do not clear set-cookie header | mo khan | |
| 2025-05-07 | fix: use same site lax mode to allow setting cookie on redirect | mo khan | |
| 2025-05-07 | feat: digitally sign and verify cookie using randomly generated key | mo khan | |
| 2025-05-07 | refactor: move test server to oidc package | mo khan | |
| 2025-05-07 | refactor: move cookie to web package | mo khan | |
| 2025-05-07 | refactor: delegate to cookie package | mo khan | |
| 2025-04-30 | fix: prepend default option | mo khan | |
| 2025-04-30 | refactor: extract Option[T] and cleaner API for creating cookies | mo khan | |
| 2025-04-29 | Use secure and http flag on cookies everywhere | mo khan | |
| > A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol. It's never sent with unsecured HTTP (except on localhost), which means man-in-the-middle attackers can't access it easily. Insecure sites (with http: in the URL) can't set cookies with the Secure attribute. However, don't assume that Secure prevents all access to sensitive information in cookies. For example, someone with access to the client's hard disk (or JavaScript if the HttpOnly attribute isn't set) can read and modify the information. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#block_access_to_your_cookies | |||
| 2025-04-28 | feat: validate the csrf token | mo khan | |
| 2025-04-28 | feat: redirect to login page when session is established | mo khan | |
| 2025-04-28 | feat: generate a nonce to validate the OAuth callback | mo khan | |
| 2025-04-28 | feat: add logout endpoint | mo khan | |
| 2025-04-25 | feat: print error to describe token exchange issue | mo khan | |
| 2025-04-17 | test: validate the stored tokens in the session cookie | mo khan | |
| 2025-04-17 | test: extract test helper to convert and verify raw id token | mo khan | |
| 2025-04-17 | test: extract method to generate a valid authorization code grant | mo khan | |
| 2025-04-17 | test: remove the test oidc server | mo khan | |
| 2025-04-16 | refactor: verify the id token on every request | mo khan | |
| 2025-04-15 | feat: create session cookie tied to access token | mo khan | |
| 2025-04-15 | feat: store tokens in session cookie | mo khan | |
| 2025-04-15 | feat: store tokens in a session cookie | mo khan | |
| 2025-04-14 | test: add placeholder for missing tests | mo khan | |
| 2025-04-14 | feat: connect the sessions controller to oidc provider | mo khan | |
| 2025-04-14 | test: add target audience for oidc transaction | mo khan | |
| 2025-04-14 | feat: start to build a session controller to interact with an oidc provider | mo khan | |
