-
Notifications
You must be signed in to change notification settings - Fork 141
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[SDK-1714] [SDK-1723] Session cookie checks #111
Conversation
lib/transientHandler.js
Outdated
const getPayload = (cookie, value) => Buffer.from(`${cookie}=${value}`); | ||
const flattenedJWSFromCookie = (cookie, value, signature) => ({ | ||
protected: HEADER, | ||
protected: Buffer.from(JSON.stringify(header)).toString('base64'), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, this only works because there are no specific base64url chars in the output.
This would be the correct way of encoding it that works if we'd change the header.
base64url.encode(JSON.stringify({ alg: 'HS256', b64: false, crit: ['b64'] }))
I didn't want to pull in base64url as a dependency just for this so i hardcoded the header value instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah ok, I thought there might be a reason
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's do base64url properly this way.
Co-authored-by: Filip Skokan <[email protected]>
* Update beta version * Initial commit of Beta 2 branch Co-authored-by: Filip Skokan <[email protected]> * Add PKCE tests and fix multiple servers in tests (#110) * [SDK-1714] [SDK-1723] Session cookie checks (#111) * Refactor the tests a little to use a server * simplify test * tests for unordered cookie chunks * Test format changes for transient handler * Update lib/transientHandler.js Co-authored-by: Filip Skokan <[email protected]> * [SDK-1715] Configuration and API updates (#109) * Simplify the config tests, test more with less code * Validate config fixes and tests * Add comment, update tests * `Issuer.discover` only takes a fully qualified url * Simpler scope assertion and keep all config tests in same file * Let auth server set default for response_type: code * clientSecret is required for HS* algs regardless of response_type Co-authored-by: Filip Skokan <[email protected]> * [SDK-1712] Test token set (#108) * Add tests for TokenSet * Refactor the tests a little * Split up code flow tests * Add tests for access token expiry * Add Prettier for style formatting (#112) * Add prettier * Run `prettier --write .` * [SDK-1716] Add tests for claim* MW (#113) * Add tests for claim* MW * Fix tests * Add some tests for session duration behaviour * Revert "Add some tests for session duration behaviour" This reverts commit e3ce510. * Add some tests for session duration behaviour (#114) * Add test for passing custom param to logout (#115) * [SDK-1721] Auto generated docs (#117) * Auto generated docs with typedoc * fix lgtm * Fix auth params * Fix incorrect import of `requiresAuth` (#118) * Add TROUBLESHOOTING and update debug logging (#120) * Add TROUBLESHOOTING and update debug logging * fix tests * Update lib/context.js Co-authored-by: Filip Skokan <[email protected]> Co-authored-by: Filip Skokan <[email protected]> * attemptSilentLogin feature (#121) * attemptSilentLogin feature * Resume silent login after successful login so that users try silent login again after their session's expire * `postLogoutRedirectUri` isn't always a URI and login needs a check for `response_type` (#123) * [SDK-1877] Add refresh method to access token (#124) * Add refresh method to access token * Add method to fetch userinfo * Add refresh example to docs * Not all refresh token grants get a new refresh token back (eg non rotating) and remove unneeded opts * Scope all cookies (skipSilentLogin, transient and appSession) to the app session cookie path and domain config (if specified) (#125) * [SDK-1722] Architecture (#128) * Default Login flow docs * Add logout * add link from readme * [SDK-1876] [SDK-1726] Add samples and smoke tests (#127) * Add samples and smoke tests * Fix CI * Make the test clearer that discovery alg is ignored (#130) * Make the test clearer that discovery alg is ignored * Add test to show "none" disallowed for idTokenSigningAlg * Disallow "none" in any case (#131) * Disallow "none" in any case * Fix puppeteer in CircleCI https://github.com/puppeteer/puppeteer/blob/main/docs/troubleshooting.md#running-puppeteer-on-circleci * Revert "Fix puppeteer in CircleCI https://github.com/puppeteer/puppeteer/blob/main/docs/troubleshooting.md#running-puppeteer-on-circleci" This reverts commit c0fd31e * use active lts * [SDK-1914] Add a migration guide for v1 to v2 (#129) * Add a migration guide for v1 to v2 * Apply suggestions from code review Co-authored-by: Filip Skokan <[email protected]> * Updates per PR comments Co-authored-by: Filip Skokan <[email protected]> * Release 2.0.0-beta.0 (#132) * Release 2.0.0-beta.0 * Ignore docs from lint * Fixes the numbering on examples (#136) * chore: update jose and openid-client (#134) Co-authored-by: Filip Skokan <[email protected]> Co-authored-by: David Patrick <[email protected]>
Description
Testing
Checklist
master