authorChristine Dodrill <me@christine.website>2019-01-26 08:52:13 -0800
committerChristine Dodrill <me@christine.website>2019-01-26 08:52:13 -0800
commitcfbbdb4130b89b3caae91dc0bf6a1bf736d527bd (patch)
treef6c2aee991f6b65ab95bd9afdd26004c0908d323 /idp
parentc943adda763750418d68efdde8884cdbec765510 (diff)
idp/idpmiddleware: move to within-x-idpmiddleware branding
Diffstat (limited to 'idp')
-rw-r--r--idp/idpmiddleware/middleware.go19
-rw-r--r--idp/main.go21
2 files changed, 29 insertions, 11 deletions
diff --git a/idp/idpmiddleware/middleware.go b/idp/idpmiddleware/middleware.go
index ea7df24..99733f4 100644
--- a/idp/idpmiddleware/middleware.go
+++ b/idp/idpmiddleware/middleware.go
@@ -8,7 +8,6 @@ import (
"fmt"
"net/http"
"net/url"
- "strings"
"sync"
"time"
@@ -79,7 +78,7 @@ func Protect(idpServer, me, selfURL string) func(next http.Handler) http.Handler
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
ctx := r.Context()
ctx = opname.With(ctx, "idpmiddleware.Protect.Handler")
- if r.URL.Path == "/auth/challenge" {
+ if r.URL.Path == "/.within/x/idpmiddleware/challenge" {
v := r.URL.Query()
ctx = ln.WithF(ctx, ln.F{"as": me, "state": v.Get("state"), "code": v.Get("code")})
ln.Log(ctx, ln.Info("login"))
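Review bot: The log field set on the line after the renamed path check records `v.Get("code")`, and this commit's last hunk in idp/main.go shows that parameter is populated from `bearerToken`, so a bearer credential is written to the info log on every login. Drop it from the structured fields or record only its presence, e.g. `ctx = ln.WithF(ctx, ln.F{"as": me, "state": v.Get("state"), "has_code": v.Get("code") != ""})`. The handler body continues past the end of this hunk.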
@@ -109,7 +108,7 @@ func Protect(idpServer, me, selfURL string) func(next http.Handler) http.Handler
ln.Log(ctx, ln.Info("setting cookie"))
http.SetCookie(w, &http.Cookie{
- Name: "auth",
+ Name: "within-x-idpmiddleware",
Value: hash(me, idpServer),
HttpOnly: true,
Expires: time.Now().Add(900 * time.Hour),
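Review bot: The renamed cookie is still set without `Secure` or `SameSite`, so it is sent over plain HTTP and attached to cross-site requests for its roughly 37-day lifetime; add `Secure: true,` and `SameSite: http.SameSiteLaxMode,` to the literal next to `HttpOnly`. Its value remains `hash(me, idpServer)`; hash() is outside the hunk, but if it is a plain digest of these two non-secret inputs, anyone who knows them can produce a valid cookie without ever completing a login, so it should mix in a configured or per-process secret, or a random per-login value. The enclosing handler starts and ends outside the hunk.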
@@ -118,12 +117,16 @@ func Protect(idpServer, me, selfURL string) func(next http.Handler) http.Handler
})
delete(codes, cd)
- http.Redirect(w, r, selfURL, http.StatusPermanentRedirect)
+ w.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate")
+ w.Header().Set("Expires", "Thu, 01 Jan 1970 00:00:00 GMT")
+ http.Redirect(w, r, selfURL, http.StatusTemporaryRedirect)
}
+
+ http.Error(w, "Programmer error, maybe you have multiple instances of the IDP middleware?", http.StatusInternalServerError)
return
}
- cookie, err := r.Cookie("auth")
+ cookie, err := r.Cookie("within-x-idpmiddleware")
if err != nil || cookie.Value != hash(me, idpServer) {
u, err := url.Parse(idpServer)
if err != nil {
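Review bot: There is no `return` after the `http.Redirect` on the new 307 line, so a successful challenge falls out of the `if` into the newly added `http.Error(...)`, which emits a superfluous WriteHeader and appends the "Programmer error" body to the redirect response; add `return` directly after the redirect. A request whose `state` is not in `codes` (a replayed or forged one) is a client-side problem rather than a programmer error, so `http.StatusBadRequest` with a neutral message fits better than 500. The `delete(codes, cd)` above the redirect is not visibly under `lock`, while the insert later in this file is; worth confirming the lookup and delete hold the same lock. The comparison `cookie.Value != hash(me, idpServer)` is a plain string compare; if hash() carries a secret, `subtle.ConstantTimeCompare` is the appropriate check.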
@@ -131,7 +134,7 @@ func Protect(idpServer, me, selfURL string) func(next http.Handler) http.Handler
return
}
- code := strings.Replace(uuid.New(), "-", "", 0)
+ code := uuid.New()
lock.Lock()
codes[code] = code
lock.Unlock()
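Review bot: Every unauthenticated request to a protected path inserts a fresh `uuid.New()` into `codes` here, and the only removal visible in this file is the `delete` on a successful challenge, so an unauthenticated crawler or deliberate traffic grows the map without bound for the life of the process. Store an issue time alongside each code (or cap the map size) and drop entries older than a few minutes on insertion or from a ticker. The replacement of `strings.Replace(uuid.New(), "-", "", 0)`, which was a no-op with count 0, is behaviour-preserving. The enclosing handler starts and ends outside the hunk.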
@@ -140,11 +143,13 @@ func Protect(idpServer, me, selfURL string) func(next http.Handler) http.Handler
v := url.Values{}
v.Set("me", me)
v.Set("client_id", selfURL)
- v.Set("redirect_uri", selfURL+"auth/challenge")
+ v.Set("redirect_uri", selfURL+".within/x/idpmiddleware/challenge")
v.Set("state", code)
v.Set("response_type", "id")
u.RawQuery = v.Encode()
+ w.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate")
+ w.Header().Set("Expires", "Thu, 01 Jan 1970 00:00:00 GMT")
http.Redirect(w, r, u.String(), http.StatusTemporaryRedirect)
return
}
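Review bot: The two `Cache-Control`/`Expires` lines added before this redirect repeat the pair added before the redirect in the previous hunk and the pair added to the challenge handler in idp/main.go; a small helper such as `func noStore(h http.Header) { h.Set("Cache-Control", "no-store, no-cache, must-revalidate"); h.Set("Expires", "Thu, 01 Jan 1970 00:00:00 GMT") }` keeps the three sites from drifting. The new `redirect_uri` is still built by bare concatenation `selfURL+".within/x/idpmiddleware/challenge"`, which silently produces a different URL when a caller passes `selfURL` without a trailing slash and would then not match the `client_id` sent two lines above; parsing `selfURL` with `url.Parse` and setting its `Path`, as is already done for `idpServer` in this function, avoids that.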
diff --git a/idp/main.go b/idp/main.go
index 884d0b3..349bd5c 100644
--- a/idp/main.go
+++ b/idp/main.go
@@ -10,6 +10,7 @@ import (
"text/template"
"time"
+ "github.com/Xe/x/idp/idpmiddleware"
"github.com/Xe/x/internal"
"github.com/pborman/uuid"
"github.com/xlzd/gotp"
@@ -39,13 +40,23 @@ func main() {
log.Println(i.t.ProvisioningUri(*domain, *domain))
- http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+ def := idpmiddleware.XeProtect("https://" + *domain + "/")(http.DefaultServeMux)
+ mux := http.NewServeMux()
+ mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+ if r.URL.Path == "/auth/challenge" {
+ r.URL.Path = "/.within/x/idpmiddleware/challenge"
+ http.Redirect(w, r, r.URL.String(), http.StatusPermanentRedirect)
+ return
+ }
+
w.Header().Set("Content-Type", "text/html")
w.Write([]byte(rootPageTemplate))
})
- http.HandleFunc("/auth", i.auth)
- http.HandleFunc("/challenge", i.challenge)
- http.ListenAndServe(":"+*port, ex.HTTPLog(http.DefaultServeMux))
+ mux.HandleFunc("/auth", i.auth)
+ mux.HandleFunc("/challenge", i.challenge)
+ mux.Handle("/.within/", def)
+ mux.Handle("/debug/", def)
+ http.ListenAndServe(":"+*port, ex.HTTPLog(mux))
}
type idp struct {
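Review bot: The new `http.ListenAndServe(":"+*port, ex.HTTPLog(mux))` on the last statement of main drops the returned error, so a bind failure exits silently with status 0, and the server runs with no timeouts. Use an explicit server: `srv := &http.Server{Addr: ":" + *port, Handler: ex.HTTPLog(mux), ReadHeaderTimeout: 10 * time.Second}` followed by `log.Fatal(srv.ListenAndServe())`; both `log` and `time` are already imported in this file. The `/auth/challenge` compatibility branch redirects with 308 and `r.URL.String()`, which carries the `state` and `code` query parameters to the new path as intended, but a 308 is cacheable indefinitely, so it is only safe while the new path stays stable. Wrapping `http.DefaultServeMux` in `def` and mounting it under `/.within/` and `/debug/` puts whatever this program registers on the default mux (the import list is outside the hunk) behind the login, which looks intended but is worth confirming for any other default-mux registrations.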
@@ -183,6 +194,8 @@ func (i *idp) challenge(w http.ResponseWriter, r *http.Request) {
q.Set("code", bearerToken)
u.RawQuery = q.Encode()
+ w.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate")
+ w.Header().Set("Expires", "Thu, 01 Jan 1970 00:00:00 GMT")
http.Redirect(w, r, u.String(), http.StatusTemporaryRedirect)
}