gitlab.com/gitlab-org/gitlab-pages.git - Unnamed repository; edit this file 'description' to name the repository.

Age	Commit message (Collapse)	Author
2023-12-22	Add project prefix in session cookie path	Naman Jagdish Gala

2023-11-28	Add path in session cookie when namespace is provided in path	Naman Jagdish Gala

2023-01-19	Refactor auth constructor to use options struct	Naman Jagdish Gala

2022-12-28	Merge branch 'master' into 'security-arbitrary-protocol-redirection'	Naman Jagdish Gala
	# Conflicts: # internal/auth/auth_test.go
2022-12-28	Reduce race condition on pages authentication	Kassio Borges

2022-11-29	Restrict arbitrary protocol redirection to only https or http URLs	ngala
	This commit restricts arbitrary protocol redirection to only https or http URLs and introduces nolint: gocyclo for auth.handleProxyingAuth method. Changelog: security
2022-11-03	Add auth-cookie-session-timeout flag	Kassio Borges
	Related to: https://gitlab.com/gitlab-org/gitlab-pages/-/issues/806 Changelog: added
2022-04-08	fix: handle context canceled gracefully for auth and artifacts	Jaime Martinez
	Changelog: changed
2022-04-05	Merge branch 'refactor/specialized-require' into 'master'	Jaime Martinez
	test: replace require.Equal with specialized assertions See merge request gitlab-org/gitlab-pages!685
2022-03-24	fix: validate that session was issued on the same host	Vladimir Shushlin
	Currently, sessions are valid across all domains. And our auth tokens are also valid for all pages projects user has access to. This means that cookie from one website can be reused on the another. Attackers can steal cookies in many different ways. The easiest way would be to setup a validated custom domain, then proxy all requests to pages server, but log the cookies. Once you have a cookie for attackers domain, you can reuse it on any other pages domain the target user has access to. This commit saves current domain in the session and validates it when reading the session. Changelog: security
2022-03-15	feat: allow auth http.Client timeout to be configurable	Osman İlge Ünaldı
	Changelog: added
2022-02-24	test: replace require.Equal with specialized assertions	feistel

2022-02-18	refactor: use testhelpers.Close()	yigithankardas

2022-01-26	test: move mocks to their own package	feistel

2021-11-22	chore(auth): add unit tests for domainAllowed	Markus Legner

2021-11-17	test: stop calling mockController.Finish directly	feistel
	This is handled by mockgen 1.5.0+
2021-10-01	test: simplify assertion	feistel
	replace require.Equal with require.False/True
2021-09-09	test: update source mock to use mockgen	feistel

2021-09-09	refactor: move away from ioutil (deprecated)	feistel

2021-09-02	refactor: replace magic numbers with http status codes	feistel

2021-08-19	test: fix response body not being closed	feistel
	nolint is added when the body is nil or if the body can't be closed
2021-07-22	Use internal-gitlab-server in auth-related tasks	feistel
	Update the auth package to use the internal server when fetching access token or checking for authentication. Changelog: changed
2021-02-15	fix(auth): make authentication scope for Pages configurable	Ercan Ucan
	This MR makes required authentication permission scope for Pages configurable. By default, Pages will use `api` scope to authenticate with Pages Application registered on GitLab. With this MR, the scope is configurable and can be set to `read_api` by providing the `auth-scope` variable in the arguments or in the `gitlab-pages.conf` /label ~security Changelog: added
2020-12-17	Encrypt and sign OAuth code	Jaime Martinez
	Add AES GCM encryption/decryption to auth Add signing key to Auth Abstract key generation and Auth init to their own funcs. Cleanup and DRY unit tests. Use same code parameter in auth redirect Cleanup auth and add tests for enc/dec oauth code Add acceptance test for fix Apply suggestion from review Add missing test and apply feedback Fix unit test Simplify acceptance test
2020-07-06	Address MR feedback	Jaime Martinez
	use correct reference
2020-07-06	Move serving 404 logic to domain package	Jaime Martinez
	Simplify responsibilities of auth package and reduce complexity of app.go deciding which content to serve.
2020-07-06	Get namespace domain if auth fails for a private domain	Jaime Martinez
	Add acceptance test and some more domains for testing Move namespace domain serving logic Restore go.sum Remove redundant return Fix linter
2020-06-01	Revert goconst changes in auth_test.go385-enable-second-set-of-linters	Jaime Martinez

2020-06-01	Enable the remaining linters	Jaime Martinez
	- ineffassign - misspell - structcheck - typecheck - unconvert - unused - varcheck - whitespace
2020-06-01	Add .golangci.yml linter configuration	Jaime Martinez
	As part of https://gitlab.com/gitlab-org/gitlab-pages/-/issues/385 we have introduced the use of a custom `.golangci.yml` file with some custom rules for linting. This replaces the need of downloading and using `golint`, `gofmt` `go vet` and `gocyclo` manually. We take advantage of the custom `golangci-lint` docker image as stated in the [Automatic lintinb] (https://docs.gitlab.com/ee/development/go_guide/#automatic-linting) section of the Go standards and style guidelines. This iteration enables a subset of linters, with the remaining of them enabled on a separate MR as described in the issue above. The main changes introduced by this linter include: - gosec: potential hardcoded credentials - goconst: DRY by declaring and using constants - gosimple: reduce statements complexity and improve return statements
2020-02-19	Remove request.WithHTTPSFlag and set directly in tests	Jaime Martinez

2019-11-26	Make new gitlab domains source more testable	Grzegorz Bizon

2019-11-25	Make it possible to pass client config to gitlab source	Grzegorz Bizon

2019-10-02	Merge branch 'backstage/gb/separate-domain-source-storage' into 'master'	Nick Thomas
	Separate domain config source See merge request gitlab-org/gitlab-pages!188
2019-09-27	Create a factory method for Domains to handle mutex better	Grzegorz Bizon

2019-09-26	Add support for previewing artifacts that are not public	Tuomo Ala-Vannesluoma
	Remove some duplicate logic on Auth module Separate handling artifact to own handlers package Unit test handlers by mocking auth and artifact modules Add generate-mock step to Makefile Use additional handler func to simplify TryMakeRequest return type Always try with token if exists Do not log RequestURI, log path only Remove not used logRequest func
2019-09-24	Encapsulate groups config in the source package	Grzegorz Bizon

2019-09-22	Separate domain config source from a domain	Grzegorz Bizon

2019-09-12	Remove github.com/stretchr/testify/assert	Nick Thomas
	The "assert" form is difficult to use correctly and complicates test understanding. I think we should insist on using require only in our tests across GitLab.
2019-09-09	Set max-age and secure flag for auth cookies	Vladimir Shushlin

2019-08-21	Fix https downgrade for pages behind proxy	Vladimir Shushlin
	We can't rely on r.TLS when pages are served behind proxy So we save https flag to a context for later usage Right now I'm trying to keep changes to a minimum since I'm planning to backport this to older versions That's why https flag is not refactored throughout the codebase The alternative way would be to use gorilla's proxy headers I'm planning to refactor to that version later
2019-07-30	Fix recovering gitlab api token from sessionsecurity-master-encrypt-cookies	Vladimir Shushlin
	Generate signing and encryption secrets from one auth-secret using hkdf
2018-10-24	Fix import paths for goimport	Nick Thomas

2018-08-10	Allow auth proxying only for configured domains and everything under pages ↵	Tuomo Ala-Vannesluoma
	domain
2018-07-19	Update to new endpoint and switch to better (user) endpoint when checking ↵	Tuomo Ala-Vannesluoma
	for token validity
2018-06-30	Refactor logic to avoid existence leak	Tuomo Ala-Vannesluoma

2018-06-30	Use header authentication instead of query parameter	Tuomo Ala-Vannesluoma

2018-06-30	Add support for private projects and authentication with GitLab API	Tuomo Ala-Vannesluoma