
Add additional handlers and CSRF protection #68

Merged (4 commits), Jul 21, 2023

Conversation

vikas-reddy (Contributor)

Issue # (if available):
#65
#66

Description of changes:

  1. Added additional handlers for signIn, parseAuth, refreshToken and signOut
  2. Added the ability to enable CSRF protection (csrfProtectionEnabled, disabled by default)
  3. Added the ability to enable and customize the uri for parseAuth handler
  4. Added a signOut handler that revokes tokens and clears cookies
  5. `handle` will now log the user out if the request path matches the configured `logoutUri` param

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Vikas Reddy added 2 commits June 12, 2023 09:58
1. Added additional handlers for signIn, parseAuth, refreshToken and signOut
2. Added the ability to enable CSRF protection (csrfProtectionEnabled, disabled by default)
3. Added the ability to enable and customize the uri for parseAuth handler
4. Added a signOut handler that revokes tokens and clears cookies
5. handle will now log user out if the path matches the logoutUri param configured
borisfba (Member) left a comment

Thank you for your PR!

Review threads: src/index.ts (resolved), src/index.ts (outdated, resolved)
jeandek self-requested a review June 21, 2023 11:29

jeandek (Contributor) left a comment

Minor comments about documentation, logging and one expression typo (?).

Review threads (all outdated, resolved): README.md, src/util/csrf.ts, src/index.ts, src/index.ts
Vikas Reddy added 2 commits June 30, 2023 15:11
1. `handle` will now use redirect uri from decoded state param when csrfProtection is enabled
2. `logoutConfiguration` now requires `logoutRedirectUri` param
3. Updated explanation of authentication gateway setup
4. `_clearCookies` will now use redirectURI from `logoutRedirectUri`, defaulting to one from url query param and then to cfDomain
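The CSRF protection described in the PR description (item 2) and in this commit message (`handle` taking the redirect URI from the decoded `state` param) can be illustrated with the following added example. It is not the project's code: it assumes a `state` value that carries a random nonce plus the post-login redirect URI, a cookie holding the same nonce, and that only same-host `https` redirect targets are accepted; the `csrfProtectionEnabled` and `cfDomain` option names come from the PR, everything else is constructed.

```typescript
import { randomBytes, timingSafeEqual } from "crypto";

// Assumed config shape; option names follow the PR, the rest is illustrative.
interface Config { csrfProtectionEnabled: boolean; cfDomain: string; }
interface StatePayload { nonce: string; redirectUri: string; }

// Sign-in side: build the OAuth `state` from a fresh nonce and the redirect
// target. The caller sets `nonce` in a cookie on the redirect to Cognito.
function buildState(redirectUri: string): { state: string; nonce: string } {
  const nonce = randomBytes(16).toString("hex");
  const payload: StatePayload = { nonce, redirectUri };
  return { state: Buffer.from(JSON.stringify(payload)).toString("base64url"), nonce };
}

// Decode `state`; anything that is not {nonce, redirectUri} is rejected.
function decodeState(state: string): StatePayload | null {
  try {
    const obj = JSON.parse(Buffer.from(state, "base64url").toString("utf8"));
    if (typeof obj.nonce !== "string" || typeof obj.redirectUri !== "string") return null;
    return obj as StatePayload;
  } catch { return null; }
}

// Only https targets on the gateway's own host are honoured, so a forged
// state cannot be used as an open redirect.
function isAllowedRedirect(uri: string, cfDomain: string): boolean {
  try { const u = new URL(uri); return u.protocol === "https:" && u.host === cfDomain; }
  catch { return false; }
}

// parseAuth side: decide where to send the user after the Cognito callback.
// With CSRF protection on, the nonce inside `state` must match the cookie
// (constant-time compare) and the redirect comes from `state`, not the query.
// Returns null when the callback must be rejected.
function redirectUriFromCallback(
  cfg: Config, state?: string, cookieNonce?: string, queryRedirect?: string,
): string | null {
  const fallback = `https://${cfg.cfDomain}/`;
  if (!cfg.csrfProtectionEnabled) {
    // Assumed legacy behaviour: trust the query param if it stays on-host.
    return queryRedirect && isAllowedRedirect(queryRedirect, cfg.cfDomain) ? queryRedirect : fallback;
  }
  if (!state || !cookieNonce) return null;
  const payload = decodeState(state);
  if (!payload) return null;
  const a = Buffer.from(payload.nonce), b = Buffer.from(cookieNonce);
  if (a.length !== b.length || !timingSafeEqual(a, b)) return null;
  return isAllowedRedirect(payload.redirectUri, cfg.cfDomain) ? payload.redirectUri : null;
}
```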
jeandek (Contributor) left a comment

LGTM. We'll merge and publish a new version as soon as we have the bandwidth.

Thanks again for your contribution!

jeandek merged commit 208d88d into awslabs:main Jul 21, 2023
jeandek added the label added-feature (For PRs which contain a new feature; may be in response to a `feature-request`) Jul 21, 2023
jeandek added this to the 1.5 milestone Jul 21, 2023
Linked issues that merging this pull request may close:

- Make handler methods public
- Mitigate CSRF attacks
- Configurable cookie domains