Move client authentication into its own middleware and provide
differentiation between HTTP requests that do not provide
credentials (401) and requests that authenticate as a non-admin
user (403).
Closes#152
This cleans up the code that deals with a user attempting to login
through a different connector than they registered with. The only
functional change is that `newLoginURLFromSession` is now called
with register = false when a user has an existing account.
In #210 a field name in the provider config was corrected. However
the old, and incorrect, value was hard coded in the tests. This
change updates the test case to hold the correct field name.
There are no other references to the old name in dex or its
vendored packages.
This commit moves the user.Manage to its own package (user/manager)
so it can import the connector package in a later commit.
For clarity, it renames "Manager" to "UserManager" using gorname.
This commit has no functional changes.
When a user attempts to register an email, trim prefixed and
trailing spaces, then perform a basic sanity check to ensure it's
of form "test@example.com".
Fixes#163
Invite emails are essentially just reset password emails with a
different template (though this can and probably will change (slightly)
in the near future)
Admin API now requires a 128 byte base64 encoded secret to be passed in
Authorization header, closing up a potential security hole for those
who expose this service.
This change disables the URL fixing behavior or the router associated
with the user management schema. After this commit, URLS routing
to /api/$VERSION/users must target exactly the specified paths. In
addition, `/api/$VERSION/users/` will serve a 404
This change allows users to hit the user create endpoint, which
would previously serve a redirect rather than actually making the
associated change.
This enables us to control the length of the bytes that will be bcrypted,
by default it's 64.
Also changed the token's stored form from string('text') to []byte('bytea')
and added some test cases for different types of invalid tokens.