From 1724c1785b757857678d5be5707db94a65b705dc Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Fri, 16 Nov 2018 20:22:16 +0000
Subject: [PATCH] Add documentation for keystore_enable_groups

---
 README.md           | 2 ++
 server/http_test.go | 5 +++--
 server/login.go     | 4 +++-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 04fedd9..9860c16 100644
--- a/README.md
+++ b/README.md
@@ -61,6 +61,8 @@ attributes:
     * `cert`: path to the client certificate
     * `key`: path to the private key
     * `ca`: path to the CA used to validate the server
+* `keystore_enable_groups`: (a list) if set, the keystore will only be
+  enabled for users that are members of these groups
 * `u2f_app_id`: set the U2F AppID - if unset, it will be autodetected
   based on the domain name in the request
 * `url_path_prefix`: URL path prefix of the SSO server application
diff --git a/server/http_test.go b/server/http_test.go
index a65b21a..c3fa9a6 100644
--- a/server/http_test.go
+++ b/server/http_test.go
@@ -24,11 +24,12 @@ type fakeAuthClient struct{}
 
 func (c *fakeAuthClient) Authenticate(_ context.Context, req *auth.Request) (*auth.Response, error) {
 	p := string(req.Password)
+	info := &auth.UserInfo{Shard: "shard1"}
 	switch {
 	case req.Username == "testuser" && p == "password":
-		return &auth.Response{Status: auth.StatusOK}, nil
+		return &auth.Response{Status: auth.StatusOK, UserInfo: info}, nil
 	case req.Username == "test2fa" && p == "password" && req.OTP == "123456":
-		return &auth.Response{Status: auth.StatusOK}, nil
+		return &auth.Response{Status: auth.StatusOK, UserInfo: info}, nil
 	case req.Username == "test2fa" && p == "password":
 		return &auth.Response{
 			Status:    auth.StatusInsufficientCredentials,
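Review bot: The fake's `UserInfo` carries only `Shard`, so no test user in this hunk has any group membership, and the `keystore_enable_groups` gate that this commit documents is presumably not exercised for either the allowed or the denied case. Because that setting decides which users get a keystore, a pair of fake users, one inside a configured group and one outside, would pin both outcomes. A short comment on the new `info` line would also help, for example `// StatusOK responses need a non-nil UserInfo for the login path.`, if that is indeed why it was added. The body of `Authenticate` continues past the end of the hunk.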
diff --git a/server/login.go b/server/login.go
index 3685e8c..e2145aa 100644
--- a/server/login.go
+++ b/server/login.go
@@ -135,7 +135,9 @@ func (l *loginHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 
 		switch newState {
 		case loginStateSuccess:
-			// Successful login. Delete the login session.
+			// Successful login. Delete the login session and invoke
+			// the login callback, before redirecting to the
+			// original URL.
 			httpSession.Options.MaxAge = -1
 			if err := httpSession.Save(req, w); err != nil {
 				log.Printf("login error saving session: %v", err)
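Review bot: The rewritten comment in the `loginStateSuccess` case promises a login callback before the redirect, but does not say what happens to the login when that callback or the session delete fails. The only failure handling visible here is the `log.Printf` after `httpSession.Save`, and the rest of the case lies outside the hunk, so these lines do not show whether a failed callback still reaches the redirect. If the callback is what sets up per-user state such as the keystore, the comment should state the failure behaviour, for example `// A callback error aborts the login; no redirect is issued.`, adjusted to what the code actually does.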
-- 
GitLab