path: root/auth.go

Commit message | Author | Age | Files | Lines
* Revert "auth.go: Set SameSite=Strict" | Runxi Yu | 6 days | 1 | -1/+1
  This reverts commit a6a5db47eb7a2040cd70dbd39e16d7de3fd9bd9f. Users are unable to log in with it. I'll look for another way to prevent CSRF.
* auth.go: Set SameSite=Strict | Runxi Yu | 6 days | 1 | -1/+1
  We use GET requests for some administration endpoints (most importantly, the ones managing the global state).
* auth.go: Remove access token expiration fields and related TODO | Runxi Yu | 6 days | 1 | -14/+5
  We're only using the token immediately after it is issued, so it's a bit unnecessary.
* auth.go: Remove TODO about implementing nonce checks | Runxi Yu | 6 days | 1 | -7/+0
  It's the OAuth provider that's responsible for checking this nonce.
* auth.go: Remove TODO about using ON CONFLICT | Runxi Yu | 6 days | 1 | -7/+0
  I think using the pgErr method actually makes the logic easier to follow, especially since I'm not updating the "confirmed" field when UPDATEing but it's being initialized to false during INSERT.
* auth.go, schema.sql: Add "confirmed" field to users | Runxi Yu | 7 days | 1 | -1/+1
* *.go, tmpl/staff.html: Allow staff to export choices | Runxi Yu | 7 days | 1 | -1/+1
  Implements: https://todo.sr.ht/~runxiyu/cca/3
* *.go: Update comments | Runxi Yu | 7 days | 1 | -7/+0
* err.go: Create, and unify some error definitions | Runxi Yu | 9 days | 1 | -19/+13
* *.go: Limit to approximately 80 characters per line | Runxi Yu | 10 days | 1 | -20/+77
* *: Overhaul structure again and embed everything | Runxi Yu | 11 days | 1 | -0/+374
  - Remove sub-Makefiles; recursive make is annoying
  - Just use one top-level Makefile that builds everything
  - Embed templates and minified static resources into the binary
  - Embed all compiled documentation into the binary and serve
  - Embed all source into the binary and serve
* *.go: Move to backend | Runxi Yu | 11 days | 1 | -374/+0
  And adjust Makefiles, admin handbook, and lint.sh accordingly.
* auth.go: Improve display of OAuth 2.0 errors | Runxi Yu | 12 days | 1 | -4/+17
  Implements: https://todo.sr.ht/~runxiyu/cca/9
* {auth,utils,ws}.go: randomBytes -> randomString | Runxi Yu | 2024-10-02 | 1 | -2/+2
* {auth,db,wsm}.go: Make 23505 (uniqueness violation) a constant | Runxi Yu | 2024-10-01 | 1 | -1/+1
* {auth,ws}.go: Remove unnecessary TODOs | Runxi Yu | 2024-10-01 | 1 | -5/+0
* auth.go: Add TODO about INSERT | Runxi Yu | 2024-10-01 | 1 | -0/+7
* utils.go, auth.go: Rename random to randomBytes | Runxi Yu | 2024-09-30 | 1 | -2/+2
* *: Change license to AGPL-3.0-or-later | Runxi Yu | 2024-09-30 | 1 | -21/+11
* auth.go, config.go, cca.scfg.example: Issue expiring cookies | Runxi Yu | 2024-09-30 | 1 | -2/+7
* {auth,index,ws}.go, schema.sql: Move session cookie into the user table | Runxi Yu | 2024-09-30 | 1 | -19/+6
  One user shall only have one session at a time. This reduces the possibility of strange race conditions and simplifies the code a lot.
  References: https://todo.sr.ht/~runxiyu/cca/4
* auth.go: Document why we use a hybrid auth flow | Runxi Yu | 2024-09-29 | 1 | -1/+12
* *.go: Wrap errors | Runxi Yu | 2024-09-26 | 1 | -9/+9
* auth.go: Use contexts in getAccessToken | Runxi Yu | 2024-09-26 | 1 | -3/+8
* {auth,index,ws}.go: Add contexts for database calls | Runxi Yu | 2024-09-26 | 1 | -6/+7
* auth.go: Close PostForm response body | Runxi Yu | 2024-09-24 | 1 | -0/+1
* auth.go: Fix json tag, should be access_token not accessToken | Runxi Yu | 2024-09-24 | 1 | -1/+1
* auth.go: Fix grant_type=authorization_code | Runxi Yu | 2024-09-24 | 1 | -1/+1
  I accidentally changed it to authorizationCode during linting.
* *.go: Linting | Runxi Yu | 2024-09-24 | 1 | -80/+80
* {utils,auth,index,ws}.go: Handle errors in random number generation | Runxi Yu | 2024-09-24 | 1 | -4/+11
* auth.go: Remove unnecessary fmt.Sprintf | Runxi Yu | 2024-09-23 | 1 | -1/+1
* auth.go, ws.go: Update comments | Runxi Yu | 2024-09-23 | 1 | -2/+5
* auth.go: Use && instead of nested if statement | Runxi Yu | 2024-09-11 | 1 | -14/+12
* *.go: Shorter line lengths | Runxi Yu | 2024-09-09 | 1 | -3/+9
* *.go: Add comments | Runxi Yu | 2024-09-09 | 1 | -2/+40
* *.go: Simplify error messages and reformat | Runxi Yu | 2024-09-08 | 1 | -30/+29
* auth.go: Expand staff departments | Runxi Yu | 2024-09-07 | 1 | -2/+2
* *: Call Graph API for department information | Runxi Yu | 2024-09-07 | 1 | -9/+102
  I am using a hybrid flow with "id_token" for OpenID Connect and "code" for an Authorization Code. I would use "token" too, but that doesn't seem to be supported for standard web-apps and could result in strange session-hijacking issues. We still need PKCE sometime in the future; however, it's not a priority: the worst attack someone could pull off is to use a different user's Authorization Code and steal a Department, which probably isn't too big of a deal as the Authorization Code should be secret anyways.
* *: Basic authentication and templates | Runxi Yu | 2024-09-07 | 1 | -0/+215
  These are imported from FBFP and slightly modified to be specific to YKPS (while not being hard to port to other environments that use APIs that use OAuth 2.0). Some code is also simplified. Database code still needs an audit, and things are not tested yet.