summaryrefslogtreecommitdiff
path: root/pkg/web
AgeCommit message (Collapse)Author
2025-05-28refactor: delete jwt verification codemo khan
2025-05-24fix: register oidc provider oncemo khan
2025-05-23feat: add external authorization service (authzd) with JWT authenticationmo khan
- Add new authzd gRPC service implementing Envoy's external authorization API - Integrate JWT authentication filter in Envoy configuration with claim extraction - Update middleware to support both cookie-based and header-based user authentication - Add comprehensive test coverage for authorization service and server - Configure proper service orchestration with authzd, sparkled, and Envoy - Update build system and Docker configuration for multi-service deployment - Add grpcurl tool for gRPC service debugging and testing This enables fine-grained authorization control through Envoy's ext_authz filter while maintaining backward compatibility with existing cookie-based authentication.
2025-05-15refactor: rename TestServer to OIDCServermo khan
2025-05-15refactor: move NewOIDCProvider to web packagemo khan
2025-05-11refactor: inline unncessary methodmo khan
2025-05-11refactor: use same cookie names as envoy pluginmo khan
2025-05-11feat: read HMAC_SESSION_SECRET env variablemo khan
2025-05-09refactor: delegate to WriteCookie to validate cookiemo khan
2025-05-09feat: attempt to sign cookies on staging/productionmo khan
2025-05-08feat: use a cookie prefix to lock down the session cookiemo khan
> __Host-: If a cookie name has this prefix, it's accepted in a > Set-Cookie header only if it's also marked with the Secure attribute, > was sent from a secure origin, does not include a Domain attribute, > and has the Path attribute set to /. In other words, the cookie is > domain-locked. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#cookie_prefixes
2025-05-08chore: add link to signed cookie issuemo khan
2025-05-08fix: temporarily disable signed cookies in staging/productionmo khan
2025-05-07feat: fallback to unsigned valuemo khan
2025-05-07feat: check if cookie is validmo khan
2025-05-07feat: digitally sign and verify cookie using randomly generated keymo khan
2025-05-07refactor: inline options variablemo khan
2025-05-07refactor: move cookie to web packagemo khan
2025-05-07refactor: delegate to cookie packagemo khan
2025-04-30fix: strict same site mode breaks redirectsmo khan
2025-04-30fix: adjust cookie expiration calculationmo khan
2025-04-30test: add test for each cookie optionmo khan
2025-04-30refactor: delegate to cookie.Reset to overload with optionsmo khan
2025-04-30test: add test for resetting a cookiemo khan
2025-04-30test: ensure tests work offlinemo khan
2025-04-30refactor: delegate to x packagemo khan
2025-04-30refactor: using existing helpersmo khan
2025-04-30feat: extract other cookie optionsmo khan
2025-04-30fix: prepend default optionmo khan
2025-04-30refactor: extract generic function to create and initialize any typemo khan
2025-04-30refactor: extract Option[T] and cleaner API for creating cookiesmo khan
2025-04-30refactor: extract cookie optionsmo khan
2025-04-30fix: the CSRF cookie needs to have a same site lax modemo khan
2025-04-30fix: disable secure cookies in development modemo khan
2025-04-29feat: use same site strict modemo khan
> Strict causes the browser to only send the cookie in response to > requests originating from the cookie's origin site. This should be > used when you have cookies relating to functionality that will > always be behind an initial navigation, such as authentication or > storing shopping cart information. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#controlling_third-party_cookies_with_samesite
2025-04-29Use secure and http flag on cookies everywheremo khan
> A cookie with the Secure attribute is only sent to the server with > an encrypted request over the HTTPS protocol. It's never sent with > unsecured HTTP (except on localhost), which means man-in-the-middle > attackers can't access it easily. Insecure sites (with http: in the > URL) can't set cookies with the Secure attribute. However, don't > assume that Secure prevents all access to sensitive information in > cookies. For example, someone with access to the client's hard disk > (or JavaScript if the HttpOnly attribute isn't set) can read and > modify the information. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#block_access_to_your_cookies
2025-04-29feat: ensure cookie is not accessible to js and one transmitted over tls in ↵mo khan
production
2025-04-28test: temporarily disable http and secure flagsmo khan
2025-04-28feat: add logout endpointmo khan
2025-04-28feat: do not allow js to access cookiemo khan
2025-04-25refactor: move db and mountable to appmo khan
2025-04-25refactor: move domain package into appmo khan
2025-04-25refactor: move Repository interface to domainmo khan
2025-04-25refactor: move id and entity to domain packagemo khan
2025-04-24feat: add middleware to require a logged in usermo khan
2025-04-22refactor: convert id token to user in mappermo khan
2025-04-21feat: provision new users on-demandmo khan
2025-04-21feat: attach current user if they are in the dbmo khan
2025-04-21feat: start to build middleware to attach the current usermo khan
2025-04-21refactor: rename middlewaremo khan
generated by cgit v1.2.3 (git 2.39.1) at 2026-02-02 15:35:42 +0000