Age | Commit message | Author | |
---|---|---|---|
2023-05-08 | Upgrade golangci-lint to v1.52.2 on CI | Jaime Martinez | |
2023-04-12 | Update golangci-lint tool | Kassio Borges | |
2023-01-19 | Refactor auth constructor to use options struct | Naman Jagdish Gala | |
2022-12-28 | Merge branch 'master' into 'security-arbitrary-protocol-redirection' | Naman Jagdish Gala | |
# Conflicts: # internal/auth/auth_test.go | |||
2022-12-28 | Reduce race condition on pages authentication | Kassio Borges | |
2022-11-29 | Restrict arbitrary protocol redirection to only https or http URLs | ngala | |
This commit restricts arbitrary protocol redirection to only https or http URLs and introduces nolint: gocyclo for auth.handleProxyingAuth method. Changelog: security | |||
2022-11-03 | Add auth-cookie-session-timeout flag | Kassio Borges | |
Related to: https://gitlab.com/gitlab-org/gitlab-pages/-/issues/806 Changelog: added | |||
2022-06-28 | Improve consistency of log fields | feistel | |
2022-06-01 | Add comment about https redirect in authorization middleware | feistel | |
2022-06-01 | Add missing newline | Jaime Martinez | |
2022-05-22 | Reduce lookup path requests in the handler pipeline | feistel | |
2022-05-02 | Add nolintlint linter configuration | feistel | |
Require an explanation for nolint rules and warn about unused rules | |||
2022-04-08 | chore: move check outside of fetching token function | Jaime Martinez | |
2022-04-08 | fix: handle context canceled gracefully for auth and artifacts | Jaime Martinez | |
Changelog: changed | |||
2022-04-06 | Add comment details for nonce size | Vishal Tak | |
2022-04-06 | Update nonce to make it of standard size | Vishal Tak | |
Changelog: changed | |||
2022-04-05 | Merge branch 'refactor/specialized-require' into 'master' | Jaime Martinez | |
test: replace require.Equal with specialized assertions See merge request gitlab-org/gitlab-pages!685 | |||
2022-03-24 | fix: validate that session was issued on the same host | Vladimir Shushlin | |
Currently, sessions are valid across all domains. And our auth tokens are also valid for all pages projects the user has access to. This means that a cookie from one website can be reused on another. Attackers can steal cookies in many different ways. The easiest way would be to set up a validated custom domain, then proxy all requests to the pages server, but log the cookies. Once you have a cookie for the attacker's domain, you can reuse it on any other pages domain the target user has access to. This commit saves the current domain in the session and validates it when reading the session. Changelog: security | |||
2022-03-15 | feat: allow auth http.Client timeout to be configurable | Osman İlge Ünaldı | |
Changelog: added | |||
2022-03-11 | Add correlation_id to all exception captures | Kassio Borges | |
2022-02-24 | test: replace require.Equal with specialized assertions | feistel | |
2022-02-18 | refactor: use testhelpers.Close() | yigithankardas | |
2022-02-04 | Merge branch 'test/move-mocks' into 'master' | Vladimir Shushlin | |
test: move mocks to their own package See merge request gitlab-org/gitlab-pages!671 | |||
2022-01-31 | fix: ensure logging status codes field names are consistent | Stan Hu | |
LabKit logs all HTTP responses with a `status` field of an integer. We ensure that all errors now use this convention and store the full status text as `status_text`. This is needed to ensure Elasticsearch doesn't drop logs due to mapping conflicts. Changelog: fixed | |||
2022-01-26 | test: move mocks to their own package | feistel | |
2022-01-24 | lint: fix gci issues | feistel | |
2021-12-08 | Merge branch 'remove-unused-ctx' into 'master' | Jaime Martinez | |
refactor: enable unparam in .gitlabci.yml See merge request gitlab-org/gitlab-pages!631 | |||
2021-12-07 | refactor: enable unparam in .golangci.yml | Vladimir Shushlin | |
and fix offences | |||
2021-12-07 | chore: upgrade to labkit 1.11.0 | Jaime Martinez | |
And report stack trace with error tracking to Sentry. Changelog: other | |||
2021-11-22 | chore(auth): add unit tests for domainAllowed | Markus Legner | |
2021-11-22 | fix(auth): check suffix correctly in domainAllowed | Markus Legner | |
Changelog: fixed | |||
2021-11-19 | Merge branch 'joernchen-master-patch-26405' into 'master' | Jaime Martinez | |
Escape user supplied code before inserting as a POST parameter See merge request gitlab-org/gitlab-pages!620 | |||
2021-11-19 | Escape user supplied code before inserting as a POST parameter | Joern Schneeweisz | |
2021-11-17 | test: stop calling mockController.Finish directly | feistel | |
This is handled by mockgen 1.5.0+ | |||
2021-10-26 | refactor: rename imported domain packages | Vladimir Shushlin | |
2021-10-25 | refactor: remove domain from request | Jaime Martinez | |
2021-10-01 | Merge branch 'fix/source-mock' into 'master' | Alessio Caiazza | |
test: update source mock to use mockgen Closes #277 See merge request gitlab-org/gitlab-pages!525 | |||
2021-10-01 | test: simplify assertion | feistel | |
replace require.Equal with require.False/True | |||
2021-09-29 | docs: update middlewares method doc for signature change | Jaime Martinez | |
2021-09-28 | refactor: move acl to auth package and update function signature | feistel | |
2021-09-16 | refactor: move middlewares to corresponding packages | feistel | |
2021-09-09 | test: update source mock to use mockgen | feistel | |
2021-09-09 | refactor: move away from ioutil (deprecated) | feistel | |
2021-09-02 | refactor: replace magic numbers with http status codes | feistel | |
2021-08-19 | test: fix response body not being closed | feistel | |
nolint is added when the body is nil or if the body can't be closed | |||
2021-08-10 | Merge branch 'fix/no-ctx' into 'master' | Jaime Martinez | |
fix: propagate context to sub requests See merge request gitlab-org/gitlab-pages!538 | |||
2021-08-09 | feat: capture errors when trying to fetch the access token | feistel | |
2021-08-09 | refactor: improve checkAuthentication logic, check error first and log status code during an unexpected response | feistel | |
2021-08-08 | fix: propagate context to sub requests | feistel | |
2021-08-05 | fix: close response body and fix memory leak | feistel | |