Commit 009e6615 authored by ale's avatar ale

Refactor Server.Handler method for readability

Should make the subdivision between apps (idp, sso) more obvious.
parent f0382112
......@@ -295,30 +295,47 @@ func (h *Server) handleExchange(w http.ResponseWriter, req *http.Request) {
// Handler returns the http.Handler for the SSO server application.
func (h *Server) Handler() http.Handler {
m := mux.NewRouter()
// The root HTTP handler. This must be a gorilla/mux.Router since
// sessions depend on it.
root := mux.NewRouter()
var lih, loh http.Handler
lih = h.loginHandler
loh = h.withAuth(h.handleLogout)
if h.csrfSecret != nil {
csrfW := csrf.Protect(h.csrfSecret)
lih = csrfW(lih)
loh = csrfW(loh)
m.Handle("/login", withDynamicHeaders(lih))
m.Handle("/logout", withDynamicHeaders(loh))
m.PathPrefix("/static/").Handler(http.StripPrefix("/static/", http.FileServer(&assetfs.AssetFS{
// Serve static content to anyone.
root.PathPrefix("/static/").Handler(http.StripPrefix("/static/", http.FileServer(&assetfs.AssetFS{
Asset: Asset,
AssetDir: AssetDir,
AssetInfo: AssetInfo,
Prefix: "static",
m.Handle("/exchange", withDynamicHeaders(http.HandlerFunc(h.handleExchange)))
m.Handle("/", withDynamicHeaders(h.withAuth(h.handleHomepage)))
// Build the main IDP application router, with optional CSRF
// protection.
m := http.NewServeMux()
m.Handle("/login", h.loginHandler)
m.Handle("/logout", h.withAuth(h.handleLogout))
idph := http.Handler(m)
if h.csrfSecret != nil {
idph = csrf.Protect(h.csrfSecret)(idph)
// Add the SSO provider endpoints (root path and /exchange),
// which do not need CSRF. We use a HandlerFunc to bypass the
// '/' dispatch semantics of the standard http.ServeMux.
ssoh := h.withAuth(h.handleHomepage)
userh := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
switch {
case r.Method == "GET" && r.URL.Path == "/":
ssoh.ServeHTTP(w, r)
case r.URL.Path == "/exchange":
h.handleExchange(w, r)
idph.ServeHTTP(w, r)
return m
// User-facing routes require cache-busting and CSP headers.
return root
// A relatively strict CSP.
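Review bot: The `r.Method == "GET"` condition in the `userh` switch narrows the root route compared with the old `m.Handle("/", ...)`, which matched every method. A HEAD or POST to `/` now falls through to the remaining branch (apparently `idph`; the `default:` line is not visible in this rendering), so when `csrfSecret` is set it passes through `csrf.Protect` and then finds no matching pattern in the ServeMux. For a commit described as a readability refactor, that behaviour change should be either undone or stated; if only HEAD was dropped by accident, `case (r.Method == http.MethodGet || r.Method == http.MethodHead) && r.URL.Path == "/":` restores it. Because this switch now decides which paths skip CSRF, a comment above it such as `// Only the exact matches below bypass CSRF; everything else goes through idph.` would keep later routes on the protected side by default.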