♻️ Separate application domain and token issuer
This commit is contained in:
parent
142e7c3434
commit
e4d73b1d31
65
.idea/workspace.xml
generated
65
.idea/workspace.xml
generated
@ -4,65 +4,12 @@
|
|||||||
<option name="autoReloadType" value="ALL" />
|
<option name="autoReloadType" value="ALL" />
|
||||||
</component>
|
</component>
|
||||||
<component name="ChangeListManager">
|
<component name="ChangeListManager">
|
||||||
<list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":bug: Fix permissions in groups">
|
<list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":wastebasket: Clean up code">
|
||||||
<change beforePath="$PROJECT_DIR$/.idea/dataSources.local.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/dataSources.local.xml" afterDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/.idea/dataSources/723637bc-6ce3-4bbe-afb3-d88730c75a1b.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/dataSources/723637bc-6ce3-4bbe-afb3-d88730c75a1b.xml" afterDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/.idea/dataSources/74bcf3ef-a2b9-435b-b9e5-f32902a33b25.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/dataSources/74bcf3ef-a2b9-435b-b9e5-f32902a33b25.xml" afterDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
|
<change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
|
||||||
<change beforePath="$PROJECT_DIR$/Dockerfile" beforeDir="false" afterPath="$PROJECT_DIR$/Dockerfile" afterDir="false" />
|
<change beforePath="$PROJECT_DIR$/pkg/internal/server/api/well_known_api.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/server/api/well_known_api.go" afterDir="false" />
|
||||||
<change beforePath="$PROJECT_DIR$/go.mod" beforeDir="false" afterPath="$PROJECT_DIR$/go.mod" afterDir="false" />
|
<change beforePath="$PROJECT_DIR$/pkg/internal/services/jwt.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/services/jwt.go" afterDir="false" />
|
||||||
<change beforePath="$PROJECT_DIR$/go.sum" beforeDir="false" afterPath="$PROJECT_DIR$/go.sum" afterDir="false" />
|
<change beforePath="$PROJECT_DIR$/pkg/internal/services/ticket.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/services/ticket.go" afterDir="false" />
|
||||||
<change beforePath="$PROJECT_DIR$/settings.toml" beforeDir="false" afterPath="$PROJECT_DIR$/settings.toml" afterDir="false" />
|
<change beforePath="$PROJECT_DIR$/settings.toml" beforeDir="false" afterPath="$PROJECT_DIR$/settings.toml" afterDir="false" />
|
||||||
<change beforePath="$PROJECT_DIR$/web/.eslintrc.cjs" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/.gitignore" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/.prettierrc.json" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/.vite/deps/_metadata.json" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/.vite/deps/package.json" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/README.md" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/bun.lockb" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/env.d.ts" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/index.html" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/package.json" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/public/favicon.png" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/assets/utils.css" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/components/Copyright.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/components/GoUseSolian.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/components/NotificationList.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/components/UserMenu.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/components/admin/UserAssignPermsPanel.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/components/admin/UserDetailPanel.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/components/admin/UserFactorPanel.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/components/auth/Authenticate.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/components/auth/AuthenticateCompleted.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/components/auth/CallbackNotify.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/components/auth/FactorApplicator.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/components/auth/FactorPicker.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/components/navigation/AppBar.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/index.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/layouts/administrator.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/layouts/master.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/layouts/user-center.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/main.ts" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/router/index.ts" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/scripts/request.ts" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/stores/notifications.ts" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/stores/userinfo.ts" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/views/admin/dashboard.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/views/admin/users.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/views/auth/authorize.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/views/auth/claims.ts" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/views/auth/sign-in.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/views/auth/sign-up.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/views/dashboard.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/views/flow/confirm.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/views/flow/password-reset.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/views/personalize.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/src/views/security.vue" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/tsconfig.app.json" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/tsconfig.json" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/tsconfig.node.json" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/uno.config.ts" beforeDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/web/vite.config.ts" beforeDir="false" />
|
|
||||||
</list>
|
</list>
|
||||||
<option name="SHOW_DIALOG" value="false" />
|
<option name="SHOW_DIALOG" value="false" />
|
||||||
<option name="HIGHLIGHT_CONFLICTS" value="true" />
|
<option name="HIGHLIGHT_CONFLICTS" value="true" />
|
||||||
@ -209,7 +156,6 @@
|
|||||||
</option>
|
</option>
|
||||||
</component>
|
</component>
|
||||||
<component name="VcsManagerConfiguration">
|
<component name="VcsManagerConfiguration">
|
||||||
<MESSAGE value=":sparkles: Reset password APIs" />
|
|
||||||
<MESSAGE value=":sparkles: Password reset & user lookup API" />
|
<MESSAGE value=":sparkles: Password reset & user lookup API" />
|
||||||
<MESSAGE value=":recycle: Optimized the initial permission system" />
|
<MESSAGE value=":recycle: Optimized the initial permission system" />
|
||||||
<MESSAGE value=":zap: Optimized audit, event logging system :sparkles: Audit logs :sparkles: Admin edit user permissions" />
|
<MESSAGE value=":zap: Optimized audit, event logging system :sparkles: Audit logs :sparkles: Admin edit user permissions" />
|
||||||
@ -234,7 +180,8 @@
|
|||||||
<MESSAGE value=":sparkles: Account groups" />
|
<MESSAGE value=":sparkles: Account groups" />
|
||||||
<MESSAGE value=":sparkles: Default user group" />
|
<MESSAGE value=":sparkles: Default user group" />
|
||||||
<MESSAGE value=":bug: Fix permissions in groups" />
|
<MESSAGE value=":bug: Fix permissions in groups" />
|
||||||
<option name="LAST_COMMIT_MESSAGE" value=":bug: Fix permissions in groups" />
|
<MESSAGE value=":wastebasket: Clean up code" />
|
||||||
|
<option name="LAST_COMMIT_MESSAGE" value=":wastebasket: Clean up code" />
|
||||||
</component>
|
</component>
|
||||||
<component name="VgoProject">
|
<component name="VgoProject">
|
||||||
<settings-migrated>true</settings-migrated>
|
<settings-migrated>true</settings-migrated>
|
||||||
|
@ -12,7 +12,7 @@ func getOidcConfiguration(c *fiber.Ctx) error {
|
|||||||
basepath := fmt.Sprintf("https://%s", domain)
|
basepath := fmt.Sprintf("https://%s", domain)
|
||||||
|
|
||||||
return c.JSON(fiber.Map{
|
return c.JSON(fiber.Map{
|
||||||
"issuer": basepath,
|
"issuer": viper.GetString("security.issuer"),
|
||||||
"authorization_endpoint": fmt.Sprintf("%s/authorize", basepath),
|
"authorization_endpoint": fmt.Sprintf("%s/authorize", basepath),
|
||||||
"token_endpoint": fmt.Sprintf("%s/api/auth/token", basepath),
|
"token_endpoint": fmt.Sprintf("%s/api/auth/token", basepath),
|
||||||
"userinfo_endpoint": fmt.Sprintf("%s/api/users/me", basepath),
|
"userinfo_endpoint": fmt.Sprintf("%s/api/users/me", basepath),
|
||||||
|
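Review bot: The new `issuer` field is read straight from `security.issuer` with no fallback, so an unset key makes the discovery document advertise `"issuer": ""`, and the `iss` claim written by EncodeJwt in jwt.go goes empty at the same time; relying parties generally reject both. Read it once with a fallback to the document's own base URL, `issuer := viper.GetString("security.issuer")` followed by `if issuer == "" { issuer = basepath }`, and use `issuer` in the map. OpenID Connect Discovery also expects the `issuer` value to equal the URL prefix the document was fetched from (here `basepath`), so a `security.issuer` that differs from `https://<domain>` will fail issuer validation in clients that enforce that check. getOidcConfiguration begins before this hunk.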
@ -20,7 +20,7 @@ type PayloadClaims struct {
|
|||||||
Nick string `json:"preferred_username,omitempty"`
|
Nick string `json:"preferred_username,omitempty"`
|
||||||
Email string `json:"email,omitempty"`
|
Email string `json:"email,omitempty"`
|
||||||
|
|
||||||
// Additonal Stuff
|
// Additional Stuff
|
||||||
AuthorizedParties string `json:"azp,omitempty"`
|
AuthorizedParties string `json:"azp,omitempty"`
|
||||||
Nonce string `json:"nonce,omitempty"`
|
Nonce string `json:"nonce,omitempty"`
|
||||||
Type string `json:"typ"`
|
Type string `json:"typ"`
|
||||||
@ -44,7 +44,7 @@ func EncodeJwt(id string, typ, sub, sed string, nonce *string, aud []string, exp
|
|||||||
RegisteredClaims: jwt.RegisteredClaims{
|
RegisteredClaims: jwt.RegisteredClaims{
|
||||||
Subject: sub,
|
Subject: sub,
|
||||||
Audience: aud,
|
Audience: aud,
|
||||||
Issuer: fmt.Sprintf("https://%s", viper.GetString("domain")),
|
Issuer: viper.GetString("security.issuer"),
|
||||||
ExpiresAt: jwt.NewNumericDate(exp),
|
ExpiresAt: jwt.NewNumericDate(exp),
|
||||||
NotBefore: jwt.NewNumericDate(time.Now()),
|
NotBefore: jwt.NewNumericDate(time.Now()),
|
||||||
IssuedAt: jwt.NewNumericDate(time.Now()),
|
IssuedAt: jwt.NewNumericDate(time.Now()),
|
||||||
|
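Review bot: The `security.issuer` key is now spelled out at two independent call sites (here and in getOidcConfiguration in well_known_api.go), so a typo or a later rename silently desynchronises the `iss` claim from the advertised issuer; a single helper such as `func TokenIssuer() string { return viper.GetString("security.issuer") }` in services, used by both, keeps them identical. While here, `NotBefore` and `IssuedAt` each call `time.Now()` separately, so the two claims can differ by a tick; capture `now := time.Now()` once and pass it to both. Whether the decode path validates `iss` against the same setting is not visible in this hunk and is worth confirming, since the issuer is what lets a verifier tell this service's tokens apart from another issuer's. EncodeJwt's signature and body extend beyond this hunk.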
@ -11,7 +11,7 @@ import (
|
|||||||
"github.com/samber/lo"
|
"github.com/samber/lo"
|
||||||
)
|
)
|
||||||
|
|
||||||
const InternalTokenAudience = "passport"
|
const InternalTokenAudience = "solar-network"
|
||||||
|
|
||||||
func DetectRisk(user models.Account, ip, ua string) bool {
|
func DetectRisk(user models.Account, ip, ua string) bool {
|
||||||
var clue int64
|
var clue int64
|
||||||
|
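Review bot: Renaming InternalTokenAudience from `"passport"` to `"solar-network"` is unrelated to the issuer split in the commit title and is a compatibility change: if the decode path checks `aud` against this constant, every outstanding token stamped with `"passport"` is rejected at its next use, and if it does not, the rename changes nothing for verification; which of the two applies is not visible here. Either way the constant deserves a doc comment stating the contract, e.g. `// InternalTokenAudience is the aud claim stamped on first-party tokens; changing it invalidates tokens already issued under the previous value.` DetectRisk continues outside the hunk.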
@ -5,6 +5,8 @@ bind = "0.0.0.0:8444"
|
|||||||
grpc_bind = "0.0.0.0:7444"
|
grpc_bind = "0.0.0.0:7444"
|
||||||
domain = "localhost"
|
domain = "localhost"
|
||||||
|
|
||||||
|
domain = "id.solsynth.dev"
|
||||||
|
|
||||||
content_endpoint = "https://usercontent.solsynth.dev"
|
content_endpoint = "https://usercontent.solsynth.dev"
|
||||||
|
|
||||||
default_user_group = 1
|
default_user_group = 1
|
||||||
@ -19,6 +21,7 @@ print_routes = false
|
|||||||
addr = "127.0.0.1:7442"
|
addr = "127.0.0.1:7442"
|
||||||
|
|
||||||
[security]
|
[security]
|
||||||
|
issuer = "https://solsynth.dev"
|
||||||
cookie_domain = "localhost"
|
cookie_domain = "localhost"
|
||||||
cookie_samesite = "Lax"
|
cookie_samesite = "Lax"
|
||||||
access_token_duration = 300
|
access_token_duration = 300
|
||||||
|
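Review bot: The first hunk adds `domain = "id.solsynth.dev"` a few lines below the existing `domain = "localhost"` in the same table, and TOML does not allow a key to be defined twice, so depending on the parser viper loads this file with, startup either fails with a parse error or the second value silently wins and the `localhost` line becomes dead configuration. Keep a single `domain` line with the intended value. In the second hunk `issuer = "https://solsynth.dev"` does not match the `https://id.solsynth.dev` base that the discovery endpoints are built from, which clients that validate the discovery issuer against the document URL will reject; if the apex domain is meant to be the issuer, the discovery document needs to be reachable there as well.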