go/authboss
1
0
Fork 0
mirror of https://github.com/volatiletech/authboss.git synced 2024-11-24 08:42:17 +02:00
Code Issues Releases Activity
5af4d392ab
authboss/config.go

185 lines
6.4 KiB
Go
Raw Normal View History

Add some more infrastructure. - Add module system. - Add storer interface.
2015-01-03 22:03:57 +02:00
package authboss
Add a lot of module related stuff. - Leave a failing test to make hate not love.
2015-01-05 10:18:41 +02:00
import (
Add beginnings of lock package. - Adjust configuration for some lock variables and better XML Names.
2015-01-24 02:25:12 +02:00
"time"
Fix some inconsistencies in clientstate - Add a ClientStateMiddleware that loads the client state into the request context and prepares a ClientStateResponseWriter for downstream handlers - Clean up some of the handling around session and cookie state, for example don't write if there are no events to be processed - Redo the Defaultts() method for config to be useful again. - Prefix LogoutMethod with Auth to be consistent
2018-02-05 09:28:31 +02:00
"golang.org/x/crypto/bcrypt"
First part of recover module reworking
2015-02-09 09:08:33 +02:00
)
Add a lot of module related stuff. - Leave a failing test to make hate not love.
2015-01-05 10:18:41 +02:00
// Config holds all the configuration for both authboss and it's modules.
started work on auth module. redefined how configuration is going to work and where core is going to reside
2015-01-04 20:33:53 +02:00
type Config struct {
Get tests working after latest refactors - Change changelog format to use keepachangelog standard - Refactor the config to be made of substructs to help organize all the pieces - Add the new interfaces to the configuration - Clean up module loading (no unnecessary reflection to create new value) - Change User interface to have a Get/SetPID not E-mail/Username, this way we don't ever have to refer to one or the other, we just always assume pid. In the case of Confirm/Recover we'll have to make a GetEmail or there won't be a way for us to get the e-mail to send to. - Delete the xsrf nonsense in the core
2018-02-02 01:42:48 +02:00
Paths struct {
// Mount is the path to mount authboss's routes at (eg /auth).
Mount string
WIP
2018-07-17 16:09:38 +02:00
// NotAuthorized is the default URL to kick users back to when
// they attempt an action that requires them to be logged in and they're not auth'd
NotAuthorized string
Get tests working after latest refactors - Change changelog format to use keepachangelog standard - Refactor the config to be made of substructs to help organize all the pieces - Add the new interfaces to the configuration - Clean up module loading (no unnecessary reflection to create new value) - Change User interface to have a Get/SetPID not E-mail/Username, this way we don't ever have to refer to one or the other, we just always assume pid. In the case of Confirm/Recover we'll have to make a GetEmail or there won't be a way for us to get the e-mail to send to. - Delete the xsrf nonsense in the core
2018-02-02 01:42:48 +02:00
// AuthLoginOK is the redirect path after a successful authentication.
AuthLoginOK string
Finish implementing and testing confirm - Rejig tests to remember to test the smtp mailer
2018-02-27 17:14:30 +02:00
// ConfirmOK once a user has confirmed their account, where should they go
ConfirmOK string
// ConfirmNotOK is used by the middleware, when a user is still supposed to
// confirm their account, this is where they should be redirected to.
ConfirmNotOK string
Rewrite the lock module - Add lock module pieces to those that needed it (mocks/user)
2018-02-28 07:20:55 +02:00
// LockNotOK is a path to go to when the user fails
LockNotOK string
Extract logout to it's own module - This may seems silly but the functionality is shared between oauth2 and auth with no changes so it makes it nicer not to have an oauth2/logout route like before
2018-03-07 21:41:14 +02:00
// LogoutOK is the redirect path after a log out.
LogoutOK string
Rewrite oauth module - Tried to be clear about OAuth2 vs OAuth in all places. - Allow users to be locked from OAuth logins (if done manually for some reason other than failed logins) - Cleaned up some docs and wording around the previously very confusing (now hopefully only somewhat confusing) oauth2 module.
2018-03-09 04:39:51 +02:00
// OAuth2LoginOK is the redirect path after a successful oauth2 login
OAuth2LoginOK string
// OAuth2LoginNotOK is the redirect path after an unsuccessful oauth2 login
OAuth2LoginNotOK string
Get tests working after latest refactors - Change changelog format to use keepachangelog standard - Refactor the config to be made of substructs to help organize all the pieces - Add the new interfaces to the configuration - Clean up module loading (no unnecessary reflection to create new value) - Change User interface to have a Get/SetPID not E-mail/Username, this way we don't ever have to refer to one or the other, we just always assume pid. In the case of Confirm/Recover we'll have to make a GetEmail or there won't be a way for us to get the e-mail to send to. - Delete the xsrf nonsense in the core
2018-02-02 01:42:48 +02:00
// RecoverOK is the redirect path after a successful recovery of a password.
RecoverOK string
// RegisterOK is the redirect path after a successful registration.
RegisterOK string
// RootURL is the scheme+host+port of the web application (eg https://www.happiness.com:8080) for url generation. No trailing slash.
RootURL string
}
Modules struct {
Fully re-implement recover - Add back the feature to log in after password recovery - Add new storer functionality to mocks - Add RecoveringServerStorer - Add RecoverableUser - Add RecoverStartValuer, RecoverMiddleValuer, RecoverEndValuer - Change storers to differentiate between tokens (recover vs confirm) - Change BCryptCost to be a generic module configuration (doesn't belong to register)
2018-03-06 03:47:11 +02:00
// BCryptCost is the cost of the bcrypt password hashing function.
BCryptCost int
Get tests working after latest refactors - Change changelog format to use keepachangelog standard - Refactor the config to be made of substructs to help organize all the pieces - Add the new interfaces to the configuration - Clean up module loading (no unnecessary reflection to create new value) - Change User interface to have a Get/SetPID not E-mail/Username, this way we don't ever have to refer to one or the other, we just always assume pid. In the case of Confirm/Recover we'll have to make a GetEmail or there won't be a way for us to get the e-mail to send to. - Delete the xsrf nonsense in the core
2018-02-02 01:42:48 +02:00
// ExpireAfter controls the time an account is idle before being logged out
// by the ExpireMiddleware.
ExpireAfter time.Duration
// LockAfter this many tries.
LockAfter int
// LockWindow is the waiting time before the number of attemps are reset.
LockWindow time.Duration
// LockDuration is how long an account is locked for.
LockDuration time.Duration
Fix some inconsistencies in clientstate - Add a ClientStateMiddleware that loads the client state into the request context and prepares a ClientStateResponseWriter for downstream handlers - Clean up some of the handling around session and cookie state, for example don't write if there are no events to be processed - Redo the Defaultts() method for config to be useful again. - Prefix LogoutMethod with Auth to be consistent
2018-02-05 09:28:31 +02:00
Extract logout to it's own module - This may seems silly but the functionality is shared between oauth2 and auth with no changes so it makes it nicer not to have an oauth2/logout route like before
2018-03-07 21:41:14 +02:00
// LogoutMethod is the method the logout route should use (default should be DELETE)
LogoutMethod string
Fix some inconsistencies in clientstate - Add a ClientStateMiddleware that loads the client state into the request context and prepares a ClientStateResponseWriter for downstream handlers - Clean up some of the handling around session and cookie state, for example don't write if there are no events to be processed - Redo the Defaultts() method for config to be useful again. - Prefix LogoutMethod with Auth to be consistent
2018-02-05 09:28:31 +02:00
// RegisterPreserveFields are fields used with registration that are to be rendered when
Adjust mocks and code to fit new register - Document various gotchas about Preserve fields. - Move configuration around to the proper modules.
2018-02-26 01:20:57 +02:00
// post fails in a normal way (for example validation errors), they will be passed
// back in the data of the response under the key DataPreserve which will be a map[string]string.
//
// All fields that are to be preserved must be able to be returned by the ArbitraryValuer.GetValues()
//
// This means in order to have a field named "address" you would need to have that returned by
// the ArbitraryValuer.GetValues() method and then it would be available to be whitelisted by this
// configuration variable.
Fix some inconsistencies in clientstate - Add a ClientStateMiddleware that loads the client state into the request context and prepares a ClientStateResponseWriter for downstream handlers - Clean up some of the handling around session and cookie state, for example don't write if there are no events to be processed - Redo the Defaultts() method for config to be useful again. - Prefix LogoutMethod with Auth to be consistent
2018-02-05 09:28:31 +02:00
RegisterPreserveFields []string
// RecoverTokenDuration controls how long a token sent via email for password
// recovery is valid for.
RecoverTokenDuration time.Duration
Fully re-implement recover - Add back the feature to log in after password recovery - Add new storer functionality to mocks - Add RecoveringServerStorer - Add RecoverableUser - Add RecoverStartValuer, RecoverMiddleValuer, RecoverEndValuer - Change storers to differentiate between tokens (recover vs confirm) - Change BCryptCost to be a generic module configuration (doesn't belong to register)
2018-03-06 03:47:11 +02:00
// RecoverLoginAfterRecovery says for the recovery module after a user has successfully
// recovered the password, are they simply logged in, or are they redirected to
// the login page with an "updated password" message.
RecoverLoginAfterRecovery bool
Fix some inconsistencies in clientstate - Add a ClientStateMiddleware that loads the client state into the request context and prepares a ClientStateResponseWriter for downstream handlers - Clean up some of the handling around session and cookie state, for example don't write if there are no events to be processed - Redo the Defaultts() method for config to be useful again. - Prefix LogoutMethod with Auth to be consistent
2018-02-05 09:28:31 +02:00
// OAuth2Providers lists all providers that can be used. See
// OAuthProvider documentation for more details.
OAuth2Providers map[string]OAuth2Provider
Add totp2fa module
2018-08-23 06:34:38 +02:00
// TOTP2FAIssuer is the issuer that appears in the url when scanning a qr code
// for google authenticator.
TOTP2FAIssuer string
Fix redirects using Middleware
2018-08-31 23:57:22 +02:00
// TwoFactorRedirectOnUnauthed controls whether or not a user is redirected or given
// a 404 when they are unauthenticated. The two factor modules all use authboss.Middleware
// to protect their routes and this is the redirectToLogin parameter in that middleware
// that they pass through.
TwoFactorRedirectOnUnauthed bool
Get tests working after latest refactors - Change changelog format to use keepachangelog standard - Refactor the config to be made of substructs to help organize all the pieces - Add the new interfaces to the configuration - Clean up module loading (no unnecessary reflection to create new value) - Change User interface to have a Get/SetPID not E-mail/Username, this way we don't ever have to refer to one or the other, we just always assume pid. In the case of Confirm/Recover we'll have to make a GetEmail or there won't be a way for us to get the e-mail to send to. - Delete the xsrf nonsense in the core
2018-02-02 01:42:48 +02:00
}
Mail struct {
// From is the email address authboss e-mails come from.
From string
Port FromName fix from master Originally contributed by Max Howald <maxhowald@gmail.com>
2018-05-14 20:47:34 +02:00
// FromName is the name authboss e-mails come from.
FromName string
Get tests working after latest refactors - Change changelog format to use keepachangelog standard - Refactor the config to be made of substructs to help organize all the pieces - Add the new interfaces to the configuration - Clean up module loading (no unnecessary reflection to create new value) - Change User interface to have a Get/SetPID not E-mail/Username, this way we don't ever have to refer to one or the other, we just always assume pid. In the case of Confirm/Recover we'll have to make a GetEmail or there won't be a way for us to get the e-mail to send to. - Delete the xsrf nonsense in the core
2018-02-02 01:42:48 +02:00
// SubjectPrefix is used to add something to the front of the authboss
// email subjects.
SubjectPrefix string
}
Storage struct {
// Storer is the interface through which Authboss accesses the web apps database
// for user operations.
Server ServerStorer
// CookieState must be defined to provide an interface capapable of
// storing cookies for the given response, and reading them from the request.
CookieState ClientStateReadWriter
// SessionState must be defined to provide an interface capable of
// storing session-only values for the given response, and reading them
// from the request.
SessionState ClientStateReadWriter
}
Core struct {
// Router is the entity that controls all routing to authboss routes
// modules will register their routes with it.
Router Router
Work on logging and error handling some more
2018-02-03 01:41:24 +02:00
// ErrorHandler wraps http requests with centralized error handling.
ErrorHandler ErrorHandler
Get tests working after latest refactors - Change changelog format to use keepachangelog standard - Refactor the config to be made of substructs to help organize all the pieces - Add the new interfaces to the configuration - Clean up module loading (no unnecessary reflection to create new value) - Change User interface to have a Get/SetPID not E-mail/Username, this way we don't ever have to refer to one or the other, we just always assume pid. In the case of Confirm/Recover we'll have to make a GetEmail or there won't be a way for us to get the e-mail to send to. - Delete the xsrf nonsense in the core
2018-02-02 01:42:48 +02:00
// Responder takes a generic response from a controller and prepares
// the response, uses a renderer to create the body, and replies to the
// http request.
Responder HTTPResponder
// Redirector can redirect a response, similar to Responder but responsible
// only for redirection.
Redirector HTTPRedirector
Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces
2018-02-05 07:24:55 +02:00
// BodyReader reads validatable data from the body of a request to be able
// to get data from the user's client.
BodyReader BodyReader
Get tests working after latest refactors - Change changelog format to use keepachangelog standard - Refactor the config to be made of substructs to help organize all the pieces - Add the new interfaces to the configuration - Clean up module loading (no unnecessary reflection to create new value) - Change User interface to have a Get/SetPID not E-mail/Username, this way we don't ever have to refer to one or the other, we just always assume pid. In the case of Confirm/Recover we'll have to make a GetEmail or there won't be a way for us to get the e-mail to send to. - Delete the xsrf nonsense in the core
2018-02-02 01:42:48 +02:00
// ViewRenderer loads the templates for the application.
ViewRenderer Renderer
// MailRenderer loads the templates for mail. If this is nil, it will
// fall back to using the Renderer created from the ViewLoader instead.
MailRenderer Renderer
// Mailer is the mailer being used to send e-mails out via smtp
Mailer Mailer
Abstract logger and error handling - Replace the old logging mechanisms with a leveled one. This is important as authboss needs to start saying a lot more about what's happening in the Info log, which will end up like Debug but that's okay. - Replace the error handling mechanisms with something different. This allows people to define their own error handlers.
2018-02-02 22:11:47 +02:00
// Logger implies just a few log levels for use, can optionally
// also implement the ContextLogger to be able to upgrade to a
// request specific logger.
Logger Logger
Get tests working after latest refactors - Change changelog format to use keepachangelog standard - Refactor the config to be made of substructs to help organize all the pieces - Add the new interfaces to the configuration - Clean up module loading (no unnecessary reflection to create new value) - Change User interface to have a Get/SetPID not E-mail/Username, this way we don't ever have to refer to one or the other, we just always assume pid. In the case of Confirm/Recover we'll have to make a GetEmail or there won't be a way for us to get the e-mail to send to. - Delete the xsrf nonsense in the core
2018-02-02 01:42:48 +02:00
}
Add a lot of module related stuff. - Leave a failing test to make hate not love.
2015-01-05 10:18:41 +02:00
}
started work on auth module. redefined how configuration is going to work and where core is going to reside
2015-01-04 20:33:53 +02:00
Stop reliance on global scope. - This change was necessary because multi-tenancy sites could not use authboss properly.
2015-03-31 21:34:03 +02:00
// Defaults sets the configuration's default values.
func (c *Config) Defaults() {
Fully re-implement recover - Add back the feature to log in after password recovery - Add new storer functionality to mocks - Add RecoveringServerStorer - Add RecoverableUser - Add RecoverStartValuer, RecoverMiddleValuer, RecoverEndValuer - Change storers to differentiate between tokens (recover vs confirm) - Change BCryptCost to be a generic module configuration (doesn't belong to register)
2018-03-06 03:47:11 +02:00
c.Paths.Mount = "/auth"
WIP
2018-07-17 16:09:38 +02:00
c.Paths.NotAuthorized = "/"
Fix some inconsistencies in clientstate - Add a ClientStateMiddleware that loads the client state into the request context and prepares a ClientStateResponseWriter for downstream handlers - Clean up some of the handling around session and cookie state, for example don't write if there are no events to be processed - Redo the Defaultts() method for config to be useful again. - Prefix LogoutMethod with Auth to be consistent
2018-02-05 09:28:31 +02:00
c.Paths.AuthLoginOK = "/"
Fully re-implement recover - Add back the feature to log in after password recovery - Add new storer functionality to mocks - Add RecoveringServerStorer - Add RecoverableUser - Add RecoverStartValuer, RecoverMiddleValuer, RecoverEndValuer - Change storers to differentiate between tokens (recover vs confirm) - Change BCryptCost to be a generic module configuration (doesn't belong to register)
2018-03-06 03:47:11 +02:00
c.Paths.ConfirmOK = "/"
c.Paths.ConfirmNotOK = "/"
Doc fixes and ensure proper default config
2018-03-10 00:46:33 +02:00
c.Paths.LockNotOK = "/"
Extract logout to it's own module - This may seems silly but the functionality is shared between oauth2 and auth with no changes so it makes it nicer not to have an oauth2/logout route like before
2018-03-07 21:41:14 +02:00
c.Paths.LogoutOK = "/"
Doc fixes and ensure proper default config
2018-03-10 00:46:33 +02:00
c.Paths.OAuth2LoginOK = "/"
c.Paths.OAuth2LoginNotOK = "/"
Fix some inconsistencies in clientstate - Add a ClientStateMiddleware that loads the client state into the request context and prepares a ClientStateResponseWriter for downstream handlers - Clean up some of the handling around session and cookie state, for example don't write if there are no events to be processed - Redo the Defaultts() method for config to be useful again. - Prefix LogoutMethod with Auth to be consistent
2018-02-05 09:28:31 +02:00
c.Paths.RecoverOK = "/"
c.Paths.RegisterOK = "/"
Doc fixes and ensure proper default config
2018-03-10 00:46:33 +02:00
c.Paths.RootURL = "http://localhost:8080"
Fix some inconsistencies in clientstate - Add a ClientStateMiddleware that loads the client state into the request context and prepares a ClientStateResponseWriter for downstream handlers - Clean up some of the handling around session and cookie state, for example don't write if there are no events to be processed - Redo the Defaultts() method for config to be useful again. - Prefix LogoutMethod with Auth to be consistent
2018-02-05 09:28:31 +02:00
Fully re-implement recover - Add back the feature to log in after password recovery - Add new storer functionality to mocks - Add RecoveringServerStorer - Add RecoverableUser - Add RecoverStartValuer, RecoverMiddleValuer, RecoverEndValuer - Change storers to differentiate between tokens (recover vs confirm) - Change BCryptCost to be a generic module configuration (doesn't belong to register)
2018-03-06 03:47:11 +02:00
c.Modules.BCryptCost = bcrypt.DefaultCost
Doc fixes and ensure proper default config
2018-03-10 00:46:33 +02:00
c.Modules.ExpireAfter = time.Hour
Fix some inconsistencies in clientstate - Add a ClientStateMiddleware that loads the client state into the request context and prepares a ClientStateResponseWriter for downstream handlers - Clean up some of the handling around session and cookie state, for example don't write if there are no events to be processed - Redo the Defaultts() method for config to be useful again. - Prefix LogoutMethod with Auth to be consistent
2018-02-05 09:28:31 +02:00
c.Modules.LockAfter = 3
c.Modules.LockWindow = 5 * time.Minute
Doc fixes and ensure proper default config
2018-03-10 00:46:33 +02:00
c.Modules.LockDuration = 12 * time.Hour
Extract logout to it's own module - This may seems silly but the functionality is shared between oauth2 and auth with no changes so it makes it nicer not to have an oauth2/logout route like before
2018-03-07 21:41:14 +02:00
c.Modules.LogoutMethod = "DELETE"
Doc fixes and ensure proper default config
2018-03-10 00:46:33 +02:00
c.Modules.RecoverLoginAfterRecovery = false
c.Modules.RecoverTokenDuration = 24 * time.Hour
started work on auth module. redefined how configuration is going to work and where core is going to reside
2015-01-04 20:33:53 +02:00
}
Reference in New Issue Copy Permalink