go-sso issues
https://git.autistici.org/id/go-sso/-/issues
Feed last updated: 2024-03-04T19:35:36Z

---

Issue #17: Dependency Dashboard
https://git.autistici.org/id/go-sso/-/issues/17
Author: renovate, updated 2024-03-04T19:35:36Z

This issue lists Renovate updates and detected dependencies. Read the [Dependency Dashboard](https://docs.renovatebot.com/key-concepts/dashboard/) docs to learn more.

## Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

- [ ] [Update module github.com/gorilla/securecookie to v1.1.2](!29)
- [ ] [Update module golang.org/x/crypto to v0.21.0](!28)

## Detected dependencies

gomod (go.mod):

- `go 1.14`
- `github.com/gorilla/securecookie v1.1.1`
- `golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90@c86fa9a7ed90`

---

Issue #16: Link to fallback to OTP when U2F is enabled doesn't work
https://git.autistici.org/id/go-sso/-/issues/16
Author: godog, updated 2020-11-11T09:31:30Z

With U2F and OTP enabled I get the "Use a numeric one-time token instead." link after username/password. The link points to https://accounts.autistici.org/sso/login?2fa=otp, which prompts me again for username/password and then goes back to the U2F screen.

---

Issue #15: Switch to WebAuthN
https://git.autistici.org/id/go-sso/-/issues/15
Author: ale, updated 2021-05-23T10:09:12Z

WebAuthN should replace U2F.

---

Issue #14: Investigate and fix presumed goroutine leak
https://git.autistici.org/id/go-sso/-/issues/14
Author: ale, updated 2020-01-04T17:09:15Z

CPU and memory usage look like this over a couple of weeks:

![dump](/uploads/df357dcfa18081bb1e7d4d98ec070d6e/dump.png)

This seems like some sort of goroutine leak (at least the CPU usage would hint towards something like that).

---

Issue #13: Set CORS headers on requests with method OPTIONS
https://git.autistici.org/id/go-sso/-/issues/13
Author: ale, updated 2019-06-21T09:02:01Z

> `XHR failed loading: OPTIONS "https://accounts.autistici.org/sso//?s=1.webmail.autistici.org%2f&d=https%3a%2f%2f1.webmail.autistici.org%2f%3f_task%3dmail%26_action%3drefresh&n=blah&g=users".`

---

Issue #12: sso-proxy leaks a bit of memory
https://git.autistici.org/id/go-sso/-/issues/12
Author: ale, updated 2020-01-04T17:09:30Z

In the long run it tends to use quite a lot of memory.

---

Issue #11: Fix navigation
https://git.autistici.org/id/go-sso/-/issues/11
Author: ale, updated 2019-12-19T09:12:23Z

The fact that we're controlling state server-side via the session breaks user navigation (back/forward buttons) and it's not very user-friendly. We should move states to different URIs and switch to the standard model of redirect-on-valid-submit (possibly keeping session control as well, to validate progression).

---

Issue #10: Remove private attributes from Config
https://git.autistici.org/id/go-sso/-/issues/10
Author: ale, updated 2023-06-07T09:54:12Z

The Compile() idiom is ugly.
Create appropriate runtime types and corresponding Parse() functions.

---

Issue #9: State is lost on failed login attempts?
https://git.autistici.org/id/go-sso/-/issues/9
Author: ale, updated 2019-12-19T09:12:40Z

It seems that state (such as the r= redirection target) is lost when a login attempt fails (but succeeds on the second attempt).

---

Issue #8: Drop confirmation from logout
https://git.autistici.org/id/go-sso/-/issues/8
Author: ale, updated 2019-01-29T11:34:50Z

Confirmation on logout is actually harmful, as users might forget to click the button.

---

Issue #7: Make it possible to serve the app below a URL path prefix
https://git.autistici.org/id/go-sso/-/issues/7
Author: ale, updated 2018-11-03T09:13:17Z

This includes fixing rewrites and cookie paths. It's not strictly required, given that we are assuming a reverse proxy setup, as modern reverse proxies should be able to properly rewrite cookies and headers, but making the URL prefix a configurable parameter would make things a lot easier. Also, we generate absolute URLs to static content, so we'd have to rewrite the page content in the proxy...

brrr

---

Issue #6: Change sso homepage
https://git.autistici.org/id/go-sso/-/issues/6
Author: godog, updated 2019-01-27T14:46:36Z

At the moment `bad service` is returned; what's displayed should be configurable (maybe a redirect elsewhere is enough?).

---

Issue #5: Password recovery
https://git.autistici.org/id/go-sso/-/issues/5
Author: ale, updated 2019-01-27T14:51:38Z

Should password recovery even be part of the login server? The alternative would be to direct the user at a dedicated service (which may make more sense if it's the only reason to introduce an accountserver dependency).

Pros of the former:

* easier to achieve UI / visual consistency, also just one endpoint to protect

Pros of alt service:

* isolate new dependency on accountserver (recovery bypasses the basic auth API)
* easier to iterate on UI or workflow changes

---

Issue #4: Implement forced user workflows
https://git.autistici.org/id/go-sso/-/issues/4
Author: ale, updated 2023-06-07T09:54:21Z

Sometimes we want to force the user onto a particular workflow on login (canonical example: mandating a password change); this should be implemented in the login server (call to accountserver?).

---

Issue #3: Drop nonce from the /exchange endpoint
https://git.autistici.org/id/go-sso/-/issues/3
Author: ale, updated 2023-06-07T09:53:25Z

It's silly for it to be there - it's just to satisfy the underlying SSO API requirements.

---

Issue #2: Split IDP and SSO server into separate packages
https://git.autistici.org/id/go-sso/-/issues/2
Author: ale, updated 2023-06-07T09:53:03Z

Since they're separate components, splitting the code might make it more obvious which parts of the stack are replaceable.
Possibly still within the same binary though, no reason to come up with yet another callback protocol.

---

Issue #1: Consider moving /exchange to a separate HTTPS address
https://git.autistici.org/id/go-sso/-/issues/1
Author: ale, updated 2023-06-07T09:53:18Z

Might make it easier to isolate traffic flows that way -- are exchange requests only internal?