This repository has been archived on 2022-08-17. You can view files and clone it, but cannot push or open issues or pull requests.
dex/server
Eric Chiang 72a431dd4b {web,server}: use html/template and reduce use of auth request ID
Switch from using "text/template" to "html/template", which provides
basic XSS preventions. We haven't identified any particular place
where unsanitized user data is rendered to the frontend. This is
just a preventative step.

At the same time, make more templates take pure URL instead of
forming an URL themselves using an "authReqID" argument. This will
help us stop using the auth req ID in certain places, preventing
garbage collection from killing login flows that wait too long at
the login screen.

Also increase the login session window (time between initial
redirect and the user logging in) from 30 minutes to 24 hours,
and display a more helpful error message when the session expires.

How to test:

1. Spin up dex and example with examples/config-dev.yaml.
2. Login through both the password prompt and the direct redirect.
3. Edit examples/config-dev.yaml removing the "connectors" section.
4. Ensure you can still login with a password.

(email/password is "admin@example.com" and "password")
2017-02-02 11:11:00 -08:00
..
internal server/internal: generate protobuf types 2017-01-11 12:07:48 -08:00
api.go Merge pull request #740 from ericchiang/fix-comment-typos 2016-12-13 13:17:50 -08:00
api_test.go server: modify error messages to use logrus. 2016-12-13 11:52:44 -08:00
doc.go initial commit 2016-07-26 15:51:24 -07:00
handlers.go {web,server}: use html/template and reduce use of auth request ID 2017-02-02 11:11:00 -08:00
handlers_test.go Allow CORS on keys and token endpoints 2017-01-14 21:15:51 +01:00
oauth2.go server: add at_hash claim support 2017-01-13 10:05:24 -08:00
oauth2_test.go server: add at_hash claim support 2017-01-13 10:05:24 -08:00
rotation.go server: fixes for the implicit and hybrid flow 2017-01-10 16:20:17 -08:00
rotation_test.go initial commit 2016-07-26 15:51:24 -07:00
server.go Allow CORS on keys and token endpoints 2017-01-14 21:15:51 +01:00
server_test.go server: add at_hash claim support 2017-01-13 10:05:24 -08:00
templates.go {web,server}: use html/template and reduce use of auth request ID 2017-02-02 11:11:00 -08:00
templates_test.go *: add theme based frontend configuration 2016-11-30 17:20:21 -08:00