Multiple improvements.

* Add todo list.

* fixup! Add todo list.

* fixup! fixup! Add todo list.

* fixup! fixup! fixup! Add todo list.

* Improve the session handling and cache.

* Fix an issue where expired session can cause infinite redirect loop

* fixup! Fix an issue where expired session can cause infinite redirect loop

* Add semver setup for automatic releases.

* fixup! Add semver setup for automatic releases.

* fixup! fixup! Add semver setup for automatic releases.

* fixup! fixup! fixup! Add semver setup for automatic releases.

main.go

@@ -62,7 +62,6 @@ type TraefikOidc struct {
 	extractClaimsFunc          func(tokenString string) (map[string]interface{}, error)
 	initComplete               chan struct{}
 	endSessionURL              string
-	baseURL                    string
 	postLogoutRedirectURI      string
 	sessionManager             *SessionManager
 }
@@ -82,8 +81,6 @@ var defaultExcludedURLs = map[string]struct{}{
 	"/favicon": {},
 }
 
-var newTicker = time.NewTicker
-
 // VerifyToken verifies the provided JWT token
 func (t *TraefikOidc) VerifyToken(token string) error {
 	t.logger.Debugf("Verifying token")
@@ -264,7 +261,7 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 	// Assign the initialized logger
 	t.logger = logger
 
-	t.sessionManager = NewSessionManager(config.SessionEncryptionKey, config.ForceHTTPS, t.logger)
+	t.sessionManager, _ = NewSessionManager(config.SessionEncryptionKey, config.ForceHTTPS, t.logger)
 	t.extractClaimsFunc = extractClaims
 	t.exchangeCodeForTokenFunc = t.exchangeCodeForToken
 	t.initiateAuthenticationFunc = func(rw http.ResponseWriter, req *http.Request, session *SessionData, redirectURL string) {
@@ -531,9 +528,6 @@ func (t *TraefikOidc) determineExcludedURL(currentRequest string) bool {
 
 // determineScheme determines the scheme (http or https) of the request
 func (t *TraefikOidc) determineScheme(req *http.Request) string {
-	if t.forceHTTPS {
-		return "https"
-	}
 	if scheme := req.Header.Get("X-Forwarded-Proto"); scheme != "" {
 		return scheme
 	}
@@ -602,14 +596,17 @@ func (t *TraefikOidc) isUserAuthenticated(session *SessionData) (bool, bool, boo
 // defaultInitiateAuthentication initiates the authentication process
 func (t *TraefikOidc) defaultInitiateAuthentication(rw http.ResponseWriter, req *http.Request, session *SessionData, redirectURL string) {
 	// Generate CSRF token and nonce
-	csrfToken := uuid.New().String()
+	csrfToken := uuid.NewString()
 	nonce, err := generateNonce()
 	if err != nil {
 		http.Error(rw, "Failed to generate nonce", http.StatusInternalServerError)
 		return
 	}
 
-	// Set session values
+	// Clear any existing session data to avoid stale state causing redirect loops
+	session.Clear(req, rw)
+
+	// Set new session values
 	session.SetCSRF(csrfToken)
 	session.SetNonce(nonce)
 	session.SetIncomingPath(req.URL.RequestURI())
@@ -621,7 +618,7 @@ func (t *TraefikOidc) defaultInitiateAuthentication(rw http.ResponseWriter, req
 		return
 	}
 
-	// Build and redirect to auth URL
+	// Build and redirect to authentication URL
 	authURL := t.buildAuthURL(redirectURL, csrfToken, nonce)
 	http.Redirect(rw, req, authURL, http.StatusFound)
 }
@@ -647,7 +644,7 @@ func (t *TraefikOidc) buildAuthURL(redirectURL, state, nonce string) string {
 
 // startTokenCleanup starts the token cleanup goroutine
 func (t *TraefikOidc) startTokenCleanup() {
-	ticker := newTicker(1 * time.Minute)
+	ticker := time.NewTicker(1 * time.Minute)
 	go func() {
 		for range ticker.C {
 			t.logger.Debug("Cleaning up token cache")