Enforce https #495

julien-nc · 2022-08-31T15:21:31Z

Performing the login flow with HTTP reveals/exposes secret information. Login and code endpoints are now rejecting HTTP requests.

OpenId specs regarding TLS are not very clear but can be interpreted as "better use HTTPS".

I took the opportunity to make some polishing to the Login controller. I hope this is not too out of scope 😁.

juliushaertl · 2022-08-31T15:30:57Z

Can we disable the check in debug mode ? Otherwise local development becomes a bit harder

juliushaertl

Looks good, now running integration tests in debug mode should also pass again :)

Signed-off-by: Julien Veyssier <eneiluj@posteo.net>

julien-nc added enhancement New feature or request security Pull requests that address a security vulnerability labels Aug 31, 2022

julien-nc requested a review from juliushaertl August 31, 2022 15:21

julien-nc force-pushed the fix/noid/enforce-https branch from 48cbb72 to 2bc8b3c Compare August 31, 2022 15:26

julien-nc force-pushed the fix/noid/enforce-https branch from 2bc8b3c to 991fca0 Compare August 31, 2022 15:49

juliushaertl approved these changes Aug 31, 2022

View reviewed changes

enforce https, cleanup login controller

8dd6baf

Signed-off-by: Julien Veyssier <eneiluj@posteo.net>

julien-nc force-pushed the fix/noid/enforce-https branch from 991fca0 to 8dd6baf Compare August 31, 2022 16:18

julien-nc merged commit 95daf74 into master Aug 31, 2022

julien-nc deleted the fix/noid/enforce-https branch August 31, 2022 16:34

Provide feedback