In #393 the format of the static user file in --no-db mode changed.
However, the old format loads without error, which has caused
issues for developers with existing user files.
Add an explicit check to ensure the file is not using the old
format. If it is, print a better error message.
In --no-db mode, load passwords from the users file instead of the
connectors file. This allows us to remove the password infos field
from the local connector and stop loading them during connector
registration, a case that was causing panics when using a real
database (see #286).
Fixes #286
Closes #340
This commit fixes a problem with the response_type param, which is required according to the OIDC spec, when it is missing.
Currently, when the connector_id URL query param is not set, the connector view uses the response_type that the client requests instead of the default "code".
Fixes #370
This change solves the User's API problem when you want to create a user whose email hasn't been verified yet but who already exists.
Now you can resend the invitation email using the endpoint /users/{id}/resend-invitation
Fixes #184
The DB implementation expects secrets to be base64 encoded blobs.
Because of this a bunch of tests broke moving to sqlite.
A lot of this commit is fixing those tests.
HTTP code 307 aka. StatusTemporaryRedirect is used throughout the
project. However, the endpoints redirected to explicitly expect
the client to make a GET request.
If an HTTP client issues a POST request to a server and receives an
HTTP 307 redirect, it forwards the POST request to the new URL.
When using 302 the HTTP client will issue a GET request.
Fixes #287
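The client behaviour described in this commit, as an added example written for this page rather than taken from dex: a throwaway server redirects a POST with the given status code and records the method the Go client uses on the follow-up request (the paths /start and /target are assumed).

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// redirectedMethod starts a throwaway server whose /start handler
// answers with the given redirect status, then POSTs to it and
// returns the HTTP method the client used when following the
// redirect to /target. Paths are constructed for this example.
func redirectedMethod(status int) (string, error) {
	var seen string
	mux := http.NewServeMux()
	mux.HandleFunc("/target", func(w http.ResponseWriter, r *http.Request) {
		seen = r.Method // record what the redirect target actually receives
		w.WriteHeader(http.StatusOK)
	})
	mux.HandleFunc("/start", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/target", status)
	})
	srv := httptest.NewServer(mux)
	defer srv.Close()

	// http.Post follows redirects automatically (up to 10 hops).
	resp, err := http.Post(srv.URL+"/start",
		"application/x-www-form-urlencoded", strings.NewReader("a=b"))
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return seen, nil
}

func main() {
	// 307 preserves the POST; 302 is followed with a GET.
	for _, s := range []int{http.StatusTemporaryRedirect, http.StatusFound} {
		m, err := redirectedMethod(s)
		fmt.Printf("redirect %d -> follow-up method %s (err=%v)\n", s, m, err)
	}
}
```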
TestResetPasswordHandler depended on makeToken being called twice
during the initialization of a single test case and later assuming
the result would match. Because the token has a timestamp accurate
to the second, occasionally the timestamps would be slightly off
within a single test case and cause the test to fail.
Adding a sleep statement to makeToken would cause the test to fail
reliably.
Define a single token for each test case outside of the struct
initializer so test cases compare the same token.
Closes #274
Additionally remove logging statements that dump entire HTML pages.
Move client authentication into its own middleware and provide
differentiation between HTTP requests that do not provide
credentials (401) and requests that authenticate as a non-admin
user (403).
Closes #152
This cleans up the code that deals with a user attempting to log in
through a different connector than they registered with. The only
functional change is that `newLoginURLFromSession` is now called
with register = false when a user has an existing account.
In #210 a field name in the provider config was corrected. However,
the old, and incorrect, value was hard coded in the tests. This
change updates the test case to hold the correct field name.
There are no other references to the old name in dex or its
vendored packages.