Tags: go-authgate/authgate
Tags
docs: update OAuth docs to use email and profile scopes

- Update OAuth examples to use email and profile scopes instead of read and write
- Align configuration request and response examples with the new email and profile scopes
- Revise the documented scope validation logic to replace read and write with email, profile, and offline_access while keeping admin as a custom scope

Signed-off-by: Bo-Yi Wu <[email protected]>
refactor: hash access tokens before storing in the database (#65)

* refactor: hash access tokens before storing in the database

  - Store only the SHA-256 hash of tokens in the database instead of the raw token string.
  - Refactor code to use TokenHash (persisted) and RawToken (in-memory) fields in AccessToken.
  - Update all token validations, lookups, and revocation logic to operate on the hash, not the raw token.
  - Add a SHA256Hex utility function for consistent hashing.
  - Update tests to use RawToken when referencing raw token values, and TokenHash for database interactions.
  - Ensure response payloads return RawToken, not TokenHash.

  Signed-off-by: appleboy <[email protected]>

* build: run swagger generation as part of generate target

  - Update the generate target to also run the swagger step before executing go generate

  Signed-off-by: appleboy <[email protected]>

* test: document and test the SHA-256 hashing helper

  - Clarify the documentation for the SHA-256 helper to better describe when using an unsalted hash is appropriate
  - Add comprehensive unit tests covering correctness, format, and determinism of the SHA-256 hashing function

  Signed-off-by: appleboy <[email protected]>

* test: refactor hash tests for clarity

  - Reformat test assertions for better readability by expanding them to multi-line calls
  - Remove the redundant test that checks identical inputs produce the same hash
  - Keep functional coverage intact for known hash vectors, empty input, and differing inputs

  Signed-off-by: appleboy <[email protected]>

---------

Signed-off-by: appleboy <[email protected]>
refactor: unify cache access by requiring direct GetWithFetch (#60)

* refactor: unify cache access by requiring direct GetWithFetch implementations

  - Add Redis >= 7.0 requirement notes for `redis-aside` mode in documentation.
  - Remove the generic `GetWithFetch` helper and require all Cache implementations to provide a `GetWithFetch` method directly.
  - Implement `GetWithFetch` for `MemoryCache` and `RueidisCache` types.
  - Update service and metrics code to call the new `GetWithFetch` method directly, removing previous runtime interface assertions and fallbacks.
  - Refactor tests and cache spies to match the new interface and approach.

  Signed-off-by: appleboy <[email protected]>

* test: add unit test for cache expiration and refetch logic

  - Add a unit test to verify cache expiration and refetch behavior in MemoryCache

  Signed-off-by: appleboy <[email protected]>

---------

Signed-off-by: appleboy <[email protected]>
feat: enforce Client Credentials Flow restrictions for public clients

- Add dynamic disabling of the Client Credentials Flow checkbox for public clients with accompanying "Confidential only" badge
- Update help text to clarify Client Credentials Flow requires a confidential client
- Introduce a script to manage checkbox and label state based on client type selection
- Add CSS styles for disabled checkbox state and confidential-only badge display

Signed-off-by: appleboy <[email protected]>
feat: enforce robust token state management and validation

- Add methods to distinguish access and refresh tokens by category
- Introduce errors for invalid token state transitions (disable/enable)
- Enhance token validation to check token type, status, and expiry in database
- Replace direct string comparisons with dedicated methods for token category and status checks
- Enforce state transition rules for disabling/enabling tokens
- Add comprehensive unit tests for token category and status methods
- Add tests for token validation, including revoked, disabled, expired, and refresh tokens
- Add tests for token state transitions, ensuring only valid transitions are allowed

Signed-off-by: Bo-Yi Wu <[email protected]>
fix: enforce URL encoding in authentication redirects and tests (#47)

* fix: enforce URL encoding in authentication redirects and tests

  - Ensure redirect URLs in authentication middleware are properly URL-encoded
  - Add unit tests to verify URL encoding of redirect parameters during login, timeout, and fingerprint mismatch scenarios

  Signed-off-by: appleboy <[email protected]>

* test: refactor user service setup in tests for reliability

  - Add createTestUserService helper to set up a test UserService with an in-memory store, preventing nil pointer issues in tests
  - Update TestRequireAuth_RedirectURLEncoded to use a real test UserService, ensuring middleware stability if code paths change
  - Add additional imports necessary for the new helper function

  Signed-off-by: appleboy <[email protected]>

---------

Signed-off-by: appleboy <[email protected]>
refactor: modularize application startup with dedicated bootstrap package (#46)

* refactor: modularize application startup with dedicated bootstrap package

  - Introduce a new bootstrap package to encapsulate application startup, initialization, and graceful shutdown
  - Move all bootstrapping, initialization, and shutdown logic from main.go into dedicated internal/bootstrap files
  - Add structured setup for infrastructure components including database, metrics, cache, Redis, and business services
  - Consolidate Gin router, HTTP handlers, OAuth providers, and rate limiting middlewares under bootstrap
  - Add comprehensive unit tests for configuration validation, metrics, OAuth, and rate limiting logic
  - Replace code in main.go with a single bootstrap.Run entry point, streamlining the application startup
  - Improve modularity, clarity, and maintainability by separating initialization concerns from main logic

  Signed-off-by: appleboy <[email protected]>

* refactor: switch OAuth client to use NewClient over NewAuthClient

  - Use httpclient.NewClient instead of httpclient.NewAuthClient for creating the OAuth HTTP client

  Signed-off-by: appleboy <[email protected]>

---------

Signed-off-by: appleboy <[email protected]>