HTTP code 307 aka. StatusTemporaryRedirect is used throughout the
project. However, the endpoints redirected to explicitly expects
the client to make a GET request.
If a HTTP client issues a POST request to a server and receives a
HTTP 307 redirect, it forwards the POST request to the new URL.
When using 302 the HTTP client will issue a GET request.
Fixes#287
TestResetPasswordHandler depended on makeToken begin called twice
during the initialization of a single test case and later assuming
the result would match. Because the token has a timestamp accurate
to the second, occasionally the timestamps would be slightly off
within a single test case and cause the test to fail.
Adding a sleep statement to makeToken would cause the test to fail
reliably.
Define a single token for each test case outside of the struct
initializer so test cases compare the same token.
Closes#274
Additionally remove logging statements that dump entire HTML pages.
Move client authentication into its own middleware and provide
differentiation between HTTP requests that do not provide
credentials (401) and requests that authenticate as a non-admin
user (403).
Closes#152
This cleans up the code that deals with a user attempting to login
through a different connector than they registered with. The only
functional change is that `newLoginURLFromSession` is now called
with register = false when a user has an existing account.
In #210 a field name in the provider config was corrected. However
the old, and incorrect, value was hard coded in the tests. This
change updates the test case to hold the correct field name.
There are no other references to the old name in dex or its
vendored packages.
This commit moves the user.Manage to its own package (user/manager)
so it can import the connector package in a later commit.
For clarity, it renames "Manager" to "UserManager" using gorname.
This commit has no functional changes.
When a user attempts to register an email, trim prefixed and
trailing spaces, then perform a basic sanity check to ensure it's
of form "test@example.com".
Fixes#163
Invite emails are essentially just reset password emails with a
different template (though this can and probably will change (slightly)
in the near future)
Admin API now requires a 128 byte base64 encoded secret to be passed in
Authorization header, closing up a potential security hole for those
who expose this service.
This change disables the URL fixing behavior or the router associated
with the user management schema. After this commit, URLS routing
to /api/$VERSION/users must target exactly the specified paths. In
addition, `/api/$VERSION/users/` will serve a 404
This change allows users to hit the user create endpoint, which
would previously serve a redirect rather than actually making the
associated change.
This enables us to control the length of the bytes that will be bcrypted,
by default it's 64.
Also changed the token's stored form from string('text') to []byte('bytea')
and added some test cases for different types of invalid tokens.
