[release] v0.10.4-unstable

2023-10-14 22:37:18 +01:00 · 2023-10-14 22:37:18 +01:00 · 3f39200214
parent 744b98b3db
commit 3f39200214
6 changed files with 19 additions and 7 deletions
--- a/changelog.md
+++ b/changelog.md
@ -1,3 +1,8 @@
+## Version 0.10.4
+ - Encode OpenID .well-known to JSON
+ - Fix incompatibility with other apps using .well-known
+ - Secure the OpenID routes that missed the hardening
+
 ## Version 0.10.3
 - Add missing Constellation logs when creating certs
 - Ignore empty links in cosmos-compose
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "cosmos-server",
-  "version": "0.10.3",
+  "version": "0.10.4-unstable",
  "description": "",
  "main": "test-server.js",
  "bugs": {
--- a/src/authorizationserver/oauth2.go
+++ b/src/authorizationserver/oauth2.go
@ -86,8 +86,11 @@ func RegisterHandlers(wellKnown *mux.Router, userRouter *mux.Router, serverRoute
 	serverRouter.HandleFunc("/introspect", introspectionEndpoint)

 	// public endpoints
-	wellKnown.HandleFunc("/openid-configuration", discoverEndpoint)
-	wellKnown.HandleFunc("/jwks.json", jwksEndpoint)
+	// set well-known endpoints to be json encoded
+	wellKnown.Use(utils.AcceptHeader("application/json"))
+	
+	wellKnown.HandleFunc("/.well-known/openid-configuration", discoverEndpoint)
+	wellKnown.HandleFunc("/.well-known/jwks.json", jwksEndpoint)
 }

 // A session is passed from the `/auth` to the `/token` endpoint. You probably want to store data like: "Who made the request",
--- a/src/authorizationserver/oauth2_discover.go
+++ b/src/authorizationserver/oauth2_discover.go
@ -68,7 +68,8 @@ func discoverEndpoint(rw http.ResponseWriter, req *http.Request) {
 		return
 	}

-
+	rw.Header().Del("Content-Type")
+	rw.Header().Set("Content-Type", "application/json")

 	json.NewEncoder(rw).Encode(&oidcConfiguration{
 		Issuer:                                 hostname,
--- a/src/authorizationserver/oauth2_jwks.go
+++ b/src/authorizationserver/oauth2_jwks.go
@ -35,6 +35,9 @@ func jwksEndpoint(rw http.ResponseWriter, req *http.Request) {
 	// RSA Public Key from rsa.GenerateKey
 	publicKey := AuthPrivateKey.Public().(*rsa.PublicKey)

+	rw.Header().Del("Content-Type")
+	rw.Header().Set("Content-Type", "application/json")
+
 	json.NewEncoder(rw).Encode(&JsonWebKeySet{
 		Keys: []JsonWebKey{
 			{
--- a/src/httpServer.go
+++ b/src/httpServer.go
@ -372,10 +372,10 @@ func InitServer() *mux.Router {
 	SecureAPI(userRouter, false)

 	serverRouter := router.PathPrefix("/oauth2").Subrouter()
-	SecureAPI(userRouter, true)
+	SecureAPI(serverRouter, true)

-	wellKnownRouter := router.PathPrefix("/.well-known").Subrouter()
-	SecureAPI(userRouter, true)
+	wellKnownRouter := router.PathPrefix("/").Subrouter()
+	SecureAPI(wellKnownRouter, true)

 	authorizationserver.RegisterHandlers(wellKnownRouter, userRouter, serverRouter)