This repository has been archived on 2022-08-17. You can view files and clone it, but cannot push or open issues or pull requests.

Eric Chiang 72a431dd4b {web,server}: use html/template and reduce use of auth request ID ... Switch from using "text/template" to "html/template", which provides basic XSS preventions. We haven't identified any particular place where unsanitized user data is rendered to the frontend. This is just a preventative step. At the same time, make more templates take pure URL instead of forming an URL themselves using an "authReqID" argument. This will help us stop using the auth req ID in certain places, preventing garbage collection from killing login flows that wait too long at the login screen. Also increase the login session window (time between initial redirect and the user logging in) from 30 minutes to 24 hours, and display a more helpful error message when the session expires. How to test: 1. Spin up dex and example with examples/config-dev.yaml. 2. Login through both the password prompt and the direct redirect. 3. Edit examples/config-dev.yaml removing the "connectors" section. 4. Ensure you can still login with a password. (email/password is "admin@example.com" and "password")		2017-02-02 11:11:00 -08:00
..
approval.html	Address PR comments	2016-12-01 14:06:08 -08:00
error.html	server: add error HTML templates with error description.	2016-12-16 10:42:54 -08:00
footer.html	web/templates: port templates from v1	2016-09-05 17:25:12 -07:00
header.html	web: Updates classes in templates	2016-12-01 13:41:56 -08:00
login.html	{web,server}: use html/template and reduce use of auth request ID	2017-02-02 11:11:00 -08:00
oob.html	web: Updates classes in templates	2016-12-01 13:41:56 -08:00
password.html	{web,server}: use html/template and reduce use of auth request ID	2017-02-02 11:11:00 -08:00