Add documentation for keystore_enable_groups

README.md

@@ -61,6 +61,8 @@ attributes:
     * `cert`: path to the client certificate
     * `key`: path to the private key
     * `ca`: path to the CA used to validate the server
+* `keystore_enable_groups`: (a list) if set, the keystore will only be
+  enabled for users that are members of these groups
 * `u2f_app_id`: set the U2F AppID - if unset, it will be autodetected
   based on the domain name in the request
 * `url_path_prefix`: URL path prefix of the SSO server application

server/http_test.go

@@ -24,11 +24,12 @@ type fakeAuthClient struct{}
 
 func (c *fakeAuthClient) Authenticate(_ context.Context, req *auth.Request) (*auth.Response, error) {
 	p := string(req.Password)
+	info := &auth.UserInfo{Shard: "shard1"}
 	switch {
 	case req.Username == "testuser" && p == "password":
-		return &auth.Response{Status: auth.StatusOK}, nil
+		return &auth.Response{Status: auth.StatusOK, UserInfo: info}, nil
 	case req.Username == "test2fa" && p == "password" && req.OTP == "123456":
-		return &auth.Response{Status: auth.StatusOK}, nil
+		return &auth.Response{Status: auth.StatusOK, UserInfo: info}, nil
 	case req.Username == "test2fa" && p == "password":
 		return &auth.Response{
 			Status:    auth.StatusInsufficientCredentials,

server/login.go

@@ -135,7 +135,9 @@ func (l *loginHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 
 		switch newState {
 		case loginStateSuccess:
-			// Successful login. Delete the login session.
+			// Successful login. Delete the login session and invoke
+			// the login callback, before redirecting to the
+			// original URL.
 			httpSession.Options.MaxAge = -1
 			if err := httpSession.Save(req, w); err != nil {
 				log.Printf("login error saving session: %v", err)