Merge pull request #10 from lukaszraczylo/code-improvements

Code improvements

.traefik.yml

@@ -13,7 +13,6 @@ testData:
   clientSecret: secret
   callbackURL: /oauth2/callback
   logoutURL: /oauth2/logout
-  postLogoutRedirectURI: /oidc/different-logout # If not provided it will redirect to the "/" URL
   scopes: # If not provided, default scopes will be used (openid, email, profile)
     - openid
     - email

README.md

@@ -38,7 +38,6 @@ spec:
       sessionEncryptionKey: vvv
       callbackURL: /cool-oidc/callback
       logoutURL: /cool-oidc/logout
-      postLogoutRedirectURI: /my-website/you-have-logged-out # Optional post logout URL redirection
       scopes:
         - openid
         - email

go.mod

@@ -6,7 +6,7 @@ toolchain go1.23.1
 
 require (
 	github.com/google/uuid v1.6.0
-	github.com/gorilla/sessions v1.3.0
+	github.com/gorilla/sessions v1.4.0
 	golang.org/x/time v0.7.0
 )
 

go.sum

@@ -6,5 +6,9 @@ github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kX
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/gorilla/sessions v1.3.0 h1:XYlkq7KcpOB2ZhHBPv5WpjMIxrQosiZanfoy1HLZFzg=
 github.com/gorilla/sessions v1.3.0/go.mod h1:ePLdVu+jbEgHH+KWw8I1z2wqd0BAdAQh/8LRvBeoNcQ=
+github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=
+github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2emc7lT5ik=
+golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
+golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
 golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=

helpers.go

@@ -17,16 +17,6 @@ import (
 	"github.com/gorilla/sessions"
 )
 
-func newSessionOptions(isSecure bool) *sessions.Options {
-	return &sessions.Options{
-			HttpOnly: true,
-			Secure:   isSecure,
-			SameSite: http.SameSiteLaxMode,
-			MaxAge:   ConstSessionTimeout,
-			Path:     "/",
-	}
-}
-
 // generateNonce generates a random nonce
 func generateNonce() (string, error) {
 	nonceBytes := make([]byte, 32)
@@ -37,6 +27,14 @@ func generateNonce() (string, error) {
 	return base64.URLEncoding.EncodeToString(nonceBytes), nil
 }
 
+// buildFullURL constructs a full URL from scheme, host, and path
+func buildFullURL(scheme, host, path string) string {
+	if scheme == "" {
+		scheme = "http"
+	}
+	return fmt.Sprintf("%s://%s%s", scheme, host, path)
+}
+
 // exchangeTokens exchanges a code or refresh token for tokens
 func (t *TraefikOidc) exchangeTokens(ctx context.Context, grantType, codeOrToken, redirectURL string) (*TokenResponse, error) {
 	data := url.Values{
@@ -99,8 +97,51 @@ func (t *TraefikOidc) getNewTokenWithRefreshToken(refreshToken string) (*TokenRe
 	return tokenResponse, nil
 }
 
+// handleLogout handles the user logout
+func (t *TraefikOidc) handleLogout(rw http.ResponseWriter, req *http.Request) {
+	session, err := t.store.Get(req, cookieName)
+	t.logger.Debugf("Logging out user")
+	if err != nil {
+		handleError(rw, "Session error", http.StatusInternalServerError, t.logger)
+		return
+	}
+
+	// Revoke tokens if available
+	if refreshToken, ok := session.Values["refresh_token"].(string); ok && refreshToken != "" {
+		if err := t.RevokeTokenWithProvider(refreshToken, "refresh_token"); err != nil {
+			t.logger.Errorf("Failed to revoke refresh token: %v", err)
+		}
+		t.RevokeToken(refreshToken)
+	}
+	if accessToken, ok := session.Values["access_token"].(string); ok && accessToken != "" {
+		if err := t.RevokeTokenWithProvider(accessToken, "access_token"); err != nil {
+			t.logger.Errorf("Failed to revoke access token: %v", err)
+		}
+		t.RevokeToken(accessToken)
+	}
+
+	// Remove tokens from session
+	delete(session.Values, "id_token")
+	delete(session.Values, "refresh_token")
+	delete(session.Values, "access_token")
+	delete(session.Values, "authenticated")
+
+	// Set session options to delete the session
+	session.Options = defaultSessionOptions
+	session.Options.MaxAge = -1
+
+	if err := session.Save(req, rw); err != nil {
+		handleError(rw, "Failed to save session", http.StatusInternalServerError, t.logger)
+		return
+	}
+
+	// Redirect or display logout message
+	rw.WriteHeader(http.StatusOK)
+	rw.Write([]byte("Logged out successfully"))
+}
+
 // handleExpiredToken handles the case when a token has expired
-func (t *TraefikOidc) handleExpiredToken(rw http.ResponseWriter, req *http.Request, session *sessions.Session, redirectURL string) {
+func (t *TraefikOidc) handleExpiredToken(rw http.ResponseWriter, req *http.Request, session *sessions.Session) {
 	// Clear the existing session
 	session.Options.MaxAge = -1
 	for k := range session.Values {
@@ -111,7 +152,7 @@ func (t *TraefikOidc) handleExpiredToken(rw http.ResponseWriter, req *http.Reque
 	session.Values["csrf"] = uuid.New().String()
 	session.Values["incoming_path"] = req.URL.Path
 	session.Values["nonce"], _ = generateNonce()
-	session.Options = newSessionOptions(t.determineScheme(req) == "https")
+	session.Options = defaultSessionOptions
 
 	// Save the session before initiating authentication
 	if err := session.Save(req, rw); err != nil {
@@ -121,11 +162,11 @@ func (t *TraefikOidc) handleExpiredToken(rw http.ResponseWriter, req *http.Reque
 	}
 
 	// Initiate a new authentication flow
-	t.initiateAuthenticationFunc(rw, req, session, redirectURL)
+	t.initiateAuthenticationFunc(rw, req, session, t.redirectURL)
 }
 
 // handleCallback handles the callback from the OIDC provider
-func (t *TraefikOidc) handleCallback(rw http.ResponseWriter, req *http.Request, redirectURL string) {
+func (t *TraefikOidc) handleCallback(rw http.ResponseWriter, req *http.Request) {
 	session, err := t.store.Get(req, cookieName)
 	if err != nil {
 		t.logger.Errorf("Session error: %v", err)
@@ -170,7 +211,7 @@ func (t *TraefikOidc) handleCallback(rw http.ResponseWriter, req *http.Request,
 		return
 	}
 
-	tokenResponse, err := t.exchangeCodeForTokenFunc(code, redirectURL)
+	tokenResponse, err := t.exchangeCodeForTokenFunc(code)
 	if err != nil {
 		t.logger.Errorf("Failed to exchange code for token: %v", err)
 		http.Error(rw, "Authentication failed", http.StatusInternalServerError)
@@ -232,7 +273,7 @@ func (t *TraefikOidc) handleCallback(rw http.ResponseWriter, req *http.Request,
 	session.Values["email"] = email
 	session.Values["id_token"] = idToken
 	session.Values["refresh_token"] = tokenResponse.RefreshToken
-	session.Options = newSessionOptions(t.determineScheme(req) == "https")
+	session.Options = defaultSessionOptions
 
 	// Remove CSRF and nonce from session
 	delete(session.Values, "csrf")
@@ -356,9 +397,9 @@ func (tc *TokenCache) Cleanup() {
 }
 
 // exchangeCodeForToken exchanges the authorization code for tokens
-func (t *TraefikOidc) exchangeCodeForToken(code string, redirectURL string) (*TokenResponse, error) {
+func (t *TraefikOidc) exchangeCodeForToken(code string) (*TokenResponse, error) {
 	ctx := context.Background()
-	tokenResponse, err := t.exchangeTokens(ctx, "authorization_code", code, redirectURL)
+	tokenResponse, err := t.exchangeTokens(ctx, "authorization_code", code, t.redirectURL)
 	if err != nil {
 		return nil, fmt.Errorf("failed to exchange code for token: %w", err)
 	}
@@ -373,79 +414,3 @@ func createStringMap(keys []string) map[string]struct{} {
 	}
 	return result
 }
-
-// handleLogout handles the logout request
-func (t *TraefikOidc) handleLogout(rw http.ResponseWriter, req *http.Request) {
-	session, err := t.store.Get(req, cookieName)
-	if err != nil {
-		t.logger.Errorf("Error getting session: %v", err)
-		http.Error(rw, "Session error", http.StatusInternalServerError)
-		return
-	}
-
-	// Get the id_token before clearing the session
-	idToken, _ := session.Values["id_token"].(string)
-
-	// Clear and expire the session
-	session.Values = make(map[interface{}]interface{})
-	session.Options.MaxAge = -1
-	if err := session.Save(req, rw); err != nil {
-		t.logger.Errorf("Error saving session: %v", err)
-		http.Error(rw, "Session error", http.StatusInternalServerError)
-		return
-	}
-
-	// Get the base URL for redirects
-	host := t.determineHost(req)
-	scheme := t.determineScheme(req)
-	baseURL := fmt.Sprintf("%s://%s", scheme, host)
-
-	// Determine post logout redirect URI
-	var postLogoutRedirectURI string
-	if t.postLogoutRedirectURI != "" {
-		// Use explicitly configured postLogoutRedirectURI
-		if strings.HasPrefix(t.postLogoutRedirectURI, "http://") || strings.HasPrefix(t.postLogoutRedirectURI, "https://") {
-			postLogoutRedirectURI = t.postLogoutRedirectURI
-		} else {
-			postLogoutRedirectURI = fmt.Sprintf("%s%s", baseURL, t.postLogoutRedirectURI)
-		}
-	} else {
-		postLogoutRedirectURI = fmt.Sprintf("%s%s", baseURL, "/")
-	}
-
-	t.logger.Debugf("Using post logout redirect URI: %s", postLogoutRedirectURI)
-
-	// If we have an end session endpoint and an ID token, use OIDC end session
-	if t.endSessionURL != "" && idToken != "" {
-		logoutURL, err := BuildLogoutURL(t.endSessionURL, idToken, postLogoutRedirectURI)
-		if err != nil {
-			handleError(rw, fmt.Sprintf("Failed to build logout URL: %v", err), http.StatusInternalServerError, t.logger)
-			return
-		}
-		t.logger.Debugf("Redirecting to end session URL: %s", logoutURL)
-		http.Redirect(rw, req, logoutURL, http.StatusFound)
-		return
-	}
-
-	// If no end session endpoint or no ID token, just redirect to the post logout URI
-	t.logger.Debugf("Redirecting to post logout URI: %s", postLogoutRedirectURI)
-	http.Redirect(rw, req, postLogoutRedirectURI, http.StatusFound)
-}
-
-// BuildLogoutURL constructs the OIDC end session URL
-func BuildLogoutURL(endSessionURL, idToken, postLogoutRedirectURI string) (string, error) {
-	u, err := url.Parse(endSessionURL)
-	if err != nil {
-		return "", fmt.Errorf("failed to parse end session URL: %w", err)
-	}
-
-	q := u.Query()
-	q.Set("id_token_hint", idToken)
-	if postLogoutRedirectURI != "" {
-		// Ensure postLogoutRedirectURI is properly URL encoded
-		q.Set("post_logout_redirect_uri", postLogoutRedirectURI)
-	}
-	u.RawQuery = q.Encode()
-
-	return u.String(), nil
-}

main.go

@@ -53,28 +53,26 @@ type TraefikOidc struct {
 	tokenCache                 *TokenCache
 	httpClient                 *http.Client
 	logger                     *Logger
+	redirectURL                string
 	tokenVerifier              TokenVerifier
 	jwtVerifier                JWTVerifier
 	excludedURLs               map[string]struct{}
 	allowedUserDomains         map[string]struct{}
 	allowedRolesAndGroups      map[string]struct{}
 	initiateAuthenticationFunc func(rw http.ResponseWriter, req *http.Request, session *sessions.Session, redirectURL string)
-	exchangeCodeForTokenFunc   func(code string, redirectURL string) (*TokenResponse, error)
+	exchangeCodeForTokenFunc   func(code string) (*TokenResponse, error)
 	extractClaimsFunc          func(tokenString string) (map[string]interface{}, error)
+	initOnce                   sync.Once
 	initComplete               chan struct{}
-	endSessionURL              string
-	baseURL                    string
-	postLogoutRedirectURI      string
 }
 
 // ProviderMetadata holds OIDC provider metadata
 type ProviderMetadata struct {
-	Issuer        string `json:"issuer"`
-	AuthURL       string `json:"authorization_endpoint"`
-	TokenURL      string `json:"token_endpoint"`
-	JWKSURL       string `json:"jwks_uri"`
-	RevokeURL     string `json:"revocation_endpoint"`
-	EndSessionURL string `json:"end_session_endpoint"`
+	Issuer    string `json:"issuer"`
+	AuthURL   string `json:"authorization_endpoint"`
+	TokenURL  string `json:"token_endpoint"`
+	JWKSURL   string `json:"jwks_uri"`
+	RevokeURL string `json:"revocation_endpoint"`
 }
 
 // defaultExcludedURLs are the paths that are excluded from authentication
@@ -84,14 +82,6 @@ var defaultExcludedURLs = map[string]struct{}{
 
 var newTicker = time.NewTicker
 
-var (
-	globalMetadataCache struct {
-		sync.Once
-		metadata *ProviderMetadata
-		err      error
-	}
-)
-
 // VerifyToken verifies the provided JWT token
 func (t *TraefikOidc) VerifyToken(token string) error {
 	t.logger.Debugf("Verifying token")
@@ -186,9 +176,7 @@ func (t *TraefikOidc) VerifyJWTSignatureAndClaims(jwt *JWT, token string) error
 // New creates a new instance of the OIDC middleware
 func New(ctx context.Context, next http.Handler, config *Config, name string) (http.Handler, error) {
 	store := sessions.NewCookieStore([]byte(config.SessionEncryptionKey))
-	store.Options = newSessionOptions(func() bool {
-		return config.ForceHTTPS
-	}())
+	store.Options = defaultSessionOptions
 
 	// Setup HTTP client
 	transport := &http.Transport{
@@ -202,7 +190,7 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 		},
 		ForceAttemptHTTP2:     true,
 		TLSHandshakeTimeout:   10 * time.Second,
-		ExpectContinueTimeout: 0,
+		ExpectContinueTimeout: 1 * time.Second,
 		MaxIdleConns:          100,
 		MaxIdleConnsPerHost:   100,
 		IdleConnTimeout:       90 * time.Second,
@@ -229,12 +217,6 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 			}
 			return config.LogoutURL
 		}(),
-		postLogoutRedirectURI: func() string {
-			if config.PostLogoutRedirectURI == "" {
-				return "/"
-			}
-			return config.PostLogoutRedirectURI
-		}(),
 		tokenBlacklist:        NewTokenBlacklist(),
 		jwkCache:              &JWKCache{},
 		clientID:              config.ClientID,
@@ -272,26 +254,20 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 
 // initializeMetadata discovers and initializes the provider metadata
 func (t *TraefikOidc) initializeMetadata(providerURL string) {
-	globalMetadataCache.Once.Do(func() {
-		t.logger.Debug("Starting global provider metadata discovery")
+	t.initOnce.Do(func() {
 		metadata, err := discoverProviderMetadata(providerURL, t.httpClient, t.logger)
-		globalMetadataCache.metadata = metadata
-		globalMetadataCache.err = err
+		if err != nil {
+			t.logger.Errorf("Failed to discover provider metadata: %v", err)
+		} else {
+			t.logger.Debug("Provider metadata discovered successfully")
+			t.jwksURL = metadata.JWKSURL
+			t.authURL = metadata.AuthURL
+			t.tokenURL = metadata.TokenURL
+			t.issuerURL = metadata.Issuer
+			t.revocationURL = metadata.RevokeURL
+		}
+		close(t.initComplete)
 	})
-
-	if globalMetadataCache.err != nil {
-		t.logger.Errorf("Failed to discover provider metadata: %v", globalMetadataCache.err)
-	} else if globalMetadataCache.metadata != nil {
-		t.logger.Debug("Using cached provider metadata")
-		t.jwksURL = globalMetadataCache.metadata.JWKSURL
-		t.authURL = globalMetadataCache.metadata.AuthURL
-		t.tokenURL = globalMetadataCache.metadata.TokenURL
-		t.issuerURL = globalMetadataCache.metadata.Issuer
-		t.revocationURL = globalMetadataCache.metadata.RevokeURL
-		t.endSessionURL = globalMetadataCache.metadata.EndSessionURL
-	}
-
-	close(t.initComplete)
 }
 
 // discoverProviderMetadata fetches the OIDC provider metadata
@@ -379,13 +355,14 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	}
 
 	// Determine the scheme (http/https) and host
-	scheme := t.determineScheme(req)
+	t.scheme = t.determineScheme(req)
+	defaultSessionOptions.Secure = t.scheme == "https"
 	host := t.determineHost(req)
-	redirectURL := buildFullURL(scheme, host, t.redirURLPath)
+
 	// Build the redirect URL if not already set
-	if redirectURL == "" {
-		redirectURL = buildFullURL(t.scheme, host, t.redirURLPath)
-		t.logger.Debugf("Redirect URL updated to: %s", redirectURL)
+	if t.redirectURL == "" {
+		t.redirectURL = buildFullURL(t.scheme, host, t.redirURLPath)
+		t.logger.Debugf("Redirect URL updated to: %s", t.redirectURL)
 	}
 
 	// Get the session
@@ -396,7 +373,6 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		return
 	}
 
-	session.Options = newSessionOptions(scheme == "https")
 	t.logger.Debugf("Session contents at start: %+v", session.Values)
 
 	// Handle logout URL
@@ -407,7 +383,7 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 
 	// Handle callback URL
 	if req.URL.Path == t.redirURLPath {
-		t.handleCallback(rw, req, redirectURL)
+		t.handleCallback(rw, req)
 		return
 	}
 
@@ -415,19 +391,19 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	authenticated, needsRefresh, expired := t.isUserAuthenticated(session)
 
 	if expired {
-		t.handleExpiredToken(rw, req, session, redirectURL)
+		t.handleExpiredToken(rw, req, session)
 		return
 	}
 
 	if !authenticated {
-		t.defaultInitiateAuthentication(rw, req, session, redirectURL)
+		t.defaultInitiateAuthentication(rw, req, session, t.redirectURL)
 		return
 	}
 
 	if needsRefresh {
 		refreshed := t.refreshToken(rw, req, session)
 		if !refreshed {
-			t.handleExpiredToken(rw, req, session, redirectURL)
+			t.handleExpiredToken(rw, req, session)
 			return
 		}
 	}
@@ -436,21 +412,21 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	idToken, ok := session.Values["id_token"].(string)
 	if !ok || idToken == "" {
 		t.logger.Errorf("No id_token found in session")
-		t.defaultInitiateAuthentication(rw, req, session, redirectURL)
+		t.defaultInitiateAuthentication(rw, req, session, t.redirectURL)
 		return
 	}
 
 	claims, err := extractClaims(idToken)
 	if err != nil {
 		t.logger.Errorf("Failed to extract claims: %v", err)
-		t.defaultInitiateAuthentication(rw, req, session, redirectURL)
+		t.defaultInitiateAuthentication(rw, req, session, t.redirectURL)
 		return
 	}
 
 	email, _ := claims["email"].(string)
 	if email == "" {
 		t.logger.Debugf("No email found in token claims")
-		t.defaultInitiateAuthentication(rw, req, session, redirectURL)
+		t.defaultInitiateAuthentication(rw, req, session, t.redirectURL)
 		return
 	}
 
@@ -584,7 +560,7 @@ func (t *TraefikOidc) defaultInitiateAuthentication(rw http.ResponseWriter, req
 	csrfToken := uuid.New().String()
 	session.Values["csrf"] = csrfToken
 	session.Values["incoming_path"] = req.URL.Path
-	session.Options = newSessionOptions(t.determineScheme(req) == "https")
+	session.Options = defaultSessionOptions
 	t.logger.Debugf("Setting CSRF token: %s", csrfToken)
 
 	// Generate nonce
@@ -644,9 +620,14 @@ func (t *TraefikOidc) RevokeToken(token string) {
 	// Remove from cache
 	t.tokenCache.Delete(token)
 
-	// Add to blacklist with default expiration
-	expiry := time.Now().Add(24 * time.Hour) // or other appropriate duration
-	t.tokenBlacklist.Add(token, expiry)
+	// Add to blacklist
+	claims, err := extractClaims(token)
+	if err == nil {
+		if exp, ok := claims["exp"].(float64); ok {
+			expTime := time.Unix(int64(exp), 0)
+			t.tokenBlacklist.Add(token, expTime)
+		}
+	}
 }
 
 // RevokeTokenWithProvider revokes the token with the provider
@@ -710,7 +691,7 @@ func (t *TraefikOidc) refreshToken(rw http.ResponseWriter, req *http.Request, se
 	// Update session with new tokens
 	session.Values["id_token"] = newToken.IDToken
 	session.Values["refresh_token"] = newToken.RefreshToken
-	session.Options = newSessionOptions(t.determineScheme(req) == "https")
+	session.Options = defaultSessionOptions
 	if err := session.Save(req, rw); err != nil {
 		t.logger.Errorf("Failed to save refreshed session: %v", err)
 		return false
@@ -745,48 +726,29 @@ func (t *TraefikOidc) extractGroupsAndRoles(idToken string) ([]string, []string,
 	var groups []string
 	var roles []string
 
-	// Extract groups with type checking
-	if groupsClaim, exists := claims["groups"]; exists {
-		groupsSlice, ok := groupsClaim.([]interface{})
-		if !ok {
-			return nil, nil, fmt.Errorf("groups claim is not an array")
-		}
-		for _, group := range groupsSlice {
-			if groupStr, ok := group.(string); ok {
-				t.logger.Debugf("Found group: %s", groupStr)
-				groups = append(groups, groupStr)
+	// Check for groups claim
+	if groupsClaim, ok := claims["groups"]; ok {
+		if groupsSlice, ok := groupsClaim.([]interface{}); ok {
+			for _, group := range groupsSlice {
+				if groupStr, ok := group.(string); ok {
+					t.logger.Debugf("Found group: %s", groupStr)
+					groups = append(groups, groupStr)
+				}
 			}
 		}
 	}
 
-	// Extract roles with type checking
-	if rolesClaim, exists := claims["roles"]; exists {
-		rolesSlice, ok := rolesClaim.([]interface{})
-		if !ok {
-			return nil, nil, fmt.Errorf("roles claim is not an array")
-		}
-		for _, role := range rolesSlice {
-			if roleStr, ok := role.(string); ok {
-				t.logger.Debugf("Found role: %s", roleStr)
-				roles = append(roles, roleStr)
+	// Check for roles claim
+	if rolesClaim, ok := claims["roles"]; ok {
+		if rolesSlice, ok := rolesClaim.([]interface{}); ok {
+			for _, role := range rolesSlice {
+				if roleStr, ok := role.(string); ok {
+					t.logger.Debugf("Found role: %s", roleStr)
+					roles = append(roles, roleStr)
+				}
 			}
 		}
 	}
 
 	return groups, roles, nil
 }
-
-// buildFullURL constructs a full URL from scheme, host and path
-func buildFullURL(scheme, host, path string) string {
-	// If the path is already a full URL, return it as-is
-	if strings.HasPrefix(path, "http://") || strings.HasPrefix(path, "https://") {
-		return path
-	}
-
-	// Ensure the path starts with a forward slash
-	if !strings.HasPrefix(path, "/") {
-		path = "/" + path
-	}
-
-	return fmt.Sprintf("%s://%s%s", scheme, host, path)
-}

main_test.go

@@ -104,7 +104,7 @@ func (ts *TestSuite) Setup() {
 }
 
 // Helper functions used by TraefikOidc
-func (ts *TestSuite) exchangeCodeForTokenFunc(code string, redirectURL string) (*TokenResponse, error) {
+func (ts *TestSuite) exchangeCodeForTokenFunc(code string) (*TokenResponse, error) {
 	return &TokenResponse{
 		IDToken:      ts.token,
 		RefreshToken: "test-refresh-token",
@@ -452,12 +452,10 @@ func TestHandleCallback(t *testing.T) {
 	ts := &TestSuite{t: t}
 	ts.Setup()
 
-	redirectURL := "http://example.com/"
-
 	tests := []struct {
 		name                 string
 		queryParams          string
-		exchangeCodeForToken func(code string, redirectURL string) (*TokenResponse, error)
+		exchangeCodeForToken func(code string) (*TokenResponse, error)
 		extractClaimsFunc    func(tokenString string) (map[string]interface{}, error)
 		sessionSetupFunc     func(session *sessions.Session)
 		expectedStatus       int
@@ -465,7 +463,7 @@ func TestHandleCallback(t *testing.T) {
 		{
 			name:        "Success",
 			queryParams: "?code=test-code&state=test-csrf-token",
-			exchangeCodeForToken: func(code string, redirectURL string) (*TokenResponse, error) {
+			exchangeCodeForToken: func(code string) (*TokenResponse, error) {
 				return &TokenResponse{
 					IDToken:      ts.token,
 					RefreshToken: "test-refresh-token",
@@ -495,7 +493,7 @@ func TestHandleCallback(t *testing.T) {
 		{
 			name:        "Exchange Code Error",
 			queryParams: "?code=test-code&state=test-csrf-token",
-			exchangeCodeForToken: func(code string, redirectURL string) (*TokenResponse, error) {
+			exchangeCodeForToken: func(code string) (*TokenResponse, error) {
 				return nil, fmt.Errorf("exchange code error")
 			},
 			sessionSetupFunc: func(session *sessions.Session) {
@@ -507,7 +505,7 @@ func TestHandleCallback(t *testing.T) {
 		{
 			name:        "Missing ID Token",
 			queryParams: "?code=test-code&state=test-csrf-token",
-			exchangeCodeForToken: func(code string, redirectURL string) (*TokenResponse, error) {
+			exchangeCodeForToken: func(code string) (*TokenResponse, error) {
 				return &TokenResponse{}, nil
 			},
 			sessionSetupFunc: func(session *sessions.Session) {
@@ -519,7 +517,7 @@ func TestHandleCallback(t *testing.T) {
 		{
 			name:        "Disallowed Email",
 			queryParams: "?code=test-code&state=test-csrf-token",
-			exchangeCodeForToken: func(code string, redirectURL string) (*TokenResponse, error) {
+			exchangeCodeForToken: func(code string) (*TokenResponse, error) {
 				return &TokenResponse{
 					IDToken:      ts.token,
 					RefreshToken: "test-refresh-token",
@@ -540,7 +538,7 @@ func TestHandleCallback(t *testing.T) {
 		{
 			name:        "Invalid State Parameter",
 			queryParams: "?code=test-code&state=invalid-csrf-token",
-			exchangeCodeForToken: func(code string, redirectURL string) (*TokenResponse, error) {
+			exchangeCodeForToken: func(code string) (*TokenResponse, error) {
 				return &TokenResponse{
 					IDToken:      ts.token,
 					RefreshToken: "test-refresh-token",
@@ -561,7 +559,7 @@ func TestHandleCallback(t *testing.T) {
 		{
 			name:        "Nonce Mismatch",
 			queryParams: "?code=test-code&state=test-csrf-token",
-			exchangeCodeForToken: func(code string, redirectURL string) (*TokenResponse, error) {
+			exchangeCodeForToken: func(code string) (*TokenResponse, error) {
 				return &TokenResponse{
 					IDToken:      ts.token,
 					RefreshToken: "test-refresh-token",
@@ -582,7 +580,7 @@ func TestHandleCallback(t *testing.T) {
 		{
 			name:        "Missing Nonce in Claims",
 			queryParams: "?code=test-code&state=test-csrf-token",
-			exchangeCodeForToken: func(code string, redirectURL string) (*TokenResponse, error) {
+			exchangeCodeForToken: func(code string) (*TokenResponse, error) {
 				return &TokenResponse{
 					IDToken:      ts.token,
 					RefreshToken: "test-refresh-token",
@@ -635,7 +633,7 @@ func TestHandleCallback(t *testing.T) {
 			rr = httptest.NewRecorder()
 
 			// Call handleCallback
-			tOidc.handleCallback(rr, req, redirectURL)
+			tOidc.handleCallback(rr, req)
 
 			// Check response
 			if rr.Code != tc.expectedStatus {
@@ -690,7 +688,7 @@ func TestOIDCHandler(t *testing.T) {
 	tests := []struct {
 		name                 string
 		queryParams          string
-		exchangeCodeForToken func(code string, redirectURL string) (*TokenResponse, error)
+		exchangeCodeForToken func(code string) (*TokenResponse, error)
 		extractClaimsFunc    func(tokenString string) (map[string]interface{}, error)
 		sessionSetupFunc     func(session *sessions.Session)
 		expectedStatus       int
@@ -706,7 +704,7 @@ func TestOIDCHandler(t *testing.T) {
 				session.Values["csrf"] = "test-csrf-token"
 				session.Values["nonce"] = "test-nonce"
 			},
-			exchangeCodeForToken: func(code string, redirectURL string) (*TokenResponse, error) {
+			exchangeCodeForToken: func(code string) (*TokenResponse, error) {
 				// Simulate token exchange
 				return &TokenResponse{
 					IDToken:      ts.token,
@@ -730,7 +728,7 @@ func TestOIDCHandler(t *testing.T) {
 				session.Values["csrf"] = "test-csrf-token"
 				session.Values["nonce"] = "test-nonce"
 			},
-			exchangeCodeForToken: func(code string, redirectURL string) (*TokenResponse, error) {
+			exchangeCodeForToken: func(code string) (*TokenResponse, error) {
 				// Simulate token exchange
 				return &TokenResponse{
 					IDToken:      ts.token,
@@ -753,7 +751,7 @@ func TestOIDCHandler(t *testing.T) {
 				session.Values["csrf"] = "test-csrf-token"
 				session.Values["nonce"] = "test-nonce"
 			},
-			exchangeCodeForToken: func(code string, redirectURL string) (*TokenResponse, error) {
+			exchangeCodeForToken: func(code string) (*TokenResponse, error) {
 				// Simulate token exchange
 				return &TokenResponse{
 					IDToken:      ts.token,
@@ -777,7 +775,7 @@ func TestOIDCHandler(t *testing.T) {
 				session.Values["csrf"] = "test-csrf-token"
 				session.Values["nonce"] = "test-nonce"
 			},
-			exchangeCodeForToken: func(code string, redirectURL string) (*TokenResponse, error) {
+			exchangeCodeForToken: func(code string) (*TokenResponse, error) {
 				// Simulate token exchange
 				return &TokenResponse{
 					IDToken:      ts.token,
@@ -822,506 +820,3 @@ func TestOIDCHandler(t *testing.T) {
 		})
 	}
 }
-
-// TestHandleLogout tests the logout functionality
-func TestHandleLogout(t *testing.T) {
-	ts := &TestSuite{t: t}
-	ts.Setup()
-
-	// Create mock revocation endpoint server
-	mockRevocationServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method != "POST" {
-			t.Errorf("Expected POST request, got %s", r.Method)
-		}
-		if err := r.ParseForm(); err != nil {
-			t.Fatalf("Failed to parse form: %v", err)
-		}
-		// Verify the required parameters are present
-		if r.Form.Get("token") == "" {
-			t.Error("Missing token parameter")
-		}
-		if r.Form.Get("token_type_hint") == "" {
-			t.Error("Missing token_type_hint parameter")
-		}
-		w.WriteHeader(http.StatusOK)
-	}))
-	defer mockRevocationServer.Close()
-
-	tests := []struct {
-		name           string
-		setupSession   func(*sessions.Session)
-		endSessionURL  string
-		expectedStatus int
-		expectedURL    string
-		host           string
-	}{
-		{
-			name: "Successful logout with end session endpoint",
-			setupSession: func(session *sessions.Session) {
-				session.Values["authenticated"] = true
-				session.Values["id_token"] = "test.id.token"
-				session.Values["refresh_token"] = "test-refresh-token"
-				session.Values["access_token"] = "test-access-token"
-			},
-			endSessionURL:  "https://provider/end-session",
-			expectedStatus: http.StatusFound,
-			expectedURL:    "https://provider/end-session?id_token_hint=test.id.token&post_logout_redirect_uri=http%3A%2F%2Fexample.com%2F",
-			host:           "test-host",
-		},
-		{
-			name: "Successful logout without end session endpoint",
-			setupSession: func(session *sessions.Session) {
-				session.Values["authenticated"] = true
-				session.Values["id_token"] = "test.id.token"
-				session.Values["refresh_token"] = "test-refresh-token"
-				session.Values["access_token"] = "test-access-token"
-			},
-			endSessionURL:  "",
-			expectedStatus: http.StatusFound,
-			expectedURL:    "http://example.com/",
-			host:           "test-host",
-		},
-		{
-			name:           "Logout with empty session",
-			setupSession:   func(session *sessions.Session) {},
-			expectedStatus: http.StatusFound,
-			expectedURL:    "http://example.com/",
-			host:           "test-host",
-		},
-		{
-			name: "Logout with invalid end session URL",
-			setupSession: func(session *sessions.Session) {
-				session.Values["authenticated"] = true
-				session.Values["id_token"] = "test.id.token"
-			},
-			endSessionURL:  ":\\invalid-url",
-			expectedStatus: http.StatusInternalServerError,
-			host:           "test-host",
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			// Create a new TraefikOidc instance for each test
-			tOidc := &TraefikOidc{
-				store:          sessions.NewCookieStore([]byte("test-secret-key")),
-				revocationURL:  mockRevocationServer.URL,
-				endSessionURL:  tc.endSessionURL,
-				scheme:         "http",
-				logger:         NewLogger("info"),
-				tokenBlacklist: NewTokenBlacklist(),
-				httpClient:     &http.Client{},
-				clientID:       "test-client-id",
-				clientSecret:   "test-client-secret",
-				tokenCache:     NewTokenCache(),
-				forceHTTPS:     false,
-			}
-
-			// Create request with proper headers
-			req := httptest.NewRequest("GET", "/logout", nil)
-			req.Header.Set("Host", tc.host)
-
-			// Create a response recorder
-			rr := httptest.NewRecorder()
-
-			// Get a session
-			session, err := tOidc.store.Get(req, cookieName)
-			if err != nil {
-				t.Fatalf("Failed to get session: %v", err)
-			}
-
-			// Setup session
-			tc.setupSession(session)
-			session.Save(req, rr)
-
-			// Copy session cookie to request
-			for _, cookie := range rr.Result().Cookies() {
-				req.AddCookie(cookie)
-			}
-
-			// Reset response recorder
-			rr = httptest.NewRecorder()
-
-			// Handle logout
-			tOidc.handleLogout(rr, req)
-
-			// Check response
-			if rr.Code != tc.expectedStatus {
-				t.Errorf("Expected status %d, got %d", tc.expectedStatus, rr.Code)
-			}
-
-			// Check redirect URL if expected
-			if tc.expectedURL != "" {
-				location := rr.Header().Get("Location")
-				if location != tc.expectedURL {
-					t.Errorf("Expected redirect to %q, got %q", tc.expectedURL, location)
-				}
-			}
-
-			// Verify session is cleared
-			newSession, _ := tOidc.store.Get(req, cookieName)
-			if len(newSession.Values) > 0 {
-				t.Error("Session was not cleared")
-			}
-			if newSession.Options.MaxAge != -1 {
-				t.Error("Session MaxAge was not set to -1")
-			}
-
-			// Check token blacklist
-			if refreshToken, ok := session.Values["refresh_token"].(string); ok && refreshToken != "" {
-				if !tOidc.tokenBlacklist.IsBlacklisted(refreshToken) {
-					t.Error("Refresh token was not blacklisted")
-				}
-			}
-			if accessToken, ok := session.Values["access_token"].(string); ok && accessToken != "" {
-				if !tOidc.tokenBlacklist.IsBlacklisted(accessToken) {
-					t.Error("Access token was not blacklisted")
-				}
-			}
-		})
-	}
-}
-
-// TestRevokeTokenWithProvider tests the token revocation with provider
-func TestRevokeTokenWithProvider(t *testing.T) {
-	ts := &TestSuite{t: t}
-	ts.Setup()
-
-	tests := []struct {
-		name        string
-		token       string
-		tokenType   string
-		statusCode  int
-		expectError bool
-	}{
-		{
-			name:        "Successful token revocation",
-			token:       "valid-token",
-			tokenType:   "refresh_token",
-			statusCode:  http.StatusOK,
-			expectError: false,
-		},
-		{
-			name:        "Failed token revocation",
-			token:       "invalid-token",
-			tokenType:   "refresh_token",
-			statusCode:  http.StatusBadRequest,
-			expectError: true,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			// Create test server
-			server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				// Verify request method and content type
-				if r.Method != "POST" {
-					t.Errorf("Expected POST request, got %s", r.Method)
-				}
-				if ct := r.Header.Get("Content-Type"); ct != "application/x-www-form-urlencoded" {
-					t.Errorf("Expected Content-Type application/x-www-form-urlencoded, got %s", ct)
-				}
-
-				// Verify form values
-				if err := r.ParseForm(); err != nil {
-					t.Fatalf("Failed to parse form: %v", err)
-				}
-				if got := r.Form.Get("token"); got != tc.token {
-					t.Errorf("Expected token %s, got %s", tc.token, got)
-				}
-				if got := r.Form.Get("token_type_hint"); got != tc.tokenType {
-					t.Errorf("Expected token_type_hint %s, got %s", tc.tokenType, got)
-				}
-				if got := r.Form.Get("client_id"); got != ts.tOidc.clientID {
-					t.Errorf("Expected client_id %s, got %s", ts.tOidc.clientID, got)
-				}
-				if got := r.Form.Get("client_secret"); got != ts.tOidc.clientSecret {
-					t.Errorf("Expected client_secret %s, got %s", ts.tOidc.clientSecret, got)
-				}
-
-				w.WriteHeader(tc.statusCode)
-			}))
-			defer server.Close()
-
-			// Set revocation URL to test server
-			ts.tOidc.revocationURL = server.URL
-
-			// Test token revocation
-			err := ts.tOidc.RevokeTokenWithProvider(tc.token, tc.tokenType)
-			if tc.expectError && err == nil {
-				t.Error("Expected error but got nil")
-			}
-			if !tc.expectError && err != nil {
-				t.Errorf("Unexpected error: %v", err)
-			}
-		})
-	}
-}
-
-// TestRevokeToken tests the token revocation functionality
-func TestRevokeToken(t *testing.T) {
-	ts := &TestSuite{t: t}
-	ts.Setup()
-
-	token := "test.token.with.claims"
-	claims := map[string]interface{}{
-		"exp": float64(time.Now().Add(time.Hour).Unix()),
-	}
-
-	// Test token revocation
-	t.Run("Token revocation", func(t *testing.T) {
-		// Create a new instance for this specific test
-		tOidc := &TraefikOidc{
-			tokenBlacklist: NewTokenBlacklist(),
-			tokenCache:     NewTokenCache(),
-		}
-
-		// Cache the token
-		tOidc.tokenCache.Set(token, claims, time.Hour)
-
-		// Revoke the token
-		tOidc.RevokeToken(token)
-
-		// Verify token was removed from cache
-		if _, exists := tOidc.tokenCache.Get(token); exists {
-			t.Error("Token was not removed from cache")
-		}
-
-		// Verify token was added to blacklist
-		if !tOidc.tokenBlacklist.IsBlacklisted(token) {
-			t.Error("Token was not added to blacklist")
-		}
-	})
-}
-
-// Add this new test function
-func TestBuildLogoutURL(t *testing.T) {
-	tests := []struct {
-		name               string
-		endSessionURL      string
-		idToken            string
-		postLogoutRedirect string
-		expectedURL        string
-		expectError        bool
-	}{
-		{
-			name:               "Valid URL",
-			endSessionURL:      "https://provider/end-session",
-			idToken:            "test.id.token",
-			postLogoutRedirect: "http://example.com/",
-			expectedURL:        "https://provider/end-session?id_token_hint=test.id.token&post_logout_redirect_uri=http%3A%2F%2Fexample.com%2F",
-			expectError:        false,
-		},
-		{
-			name:               "Invalid URL",
-			endSessionURL:      "://invalid-url",
-			idToken:            "test.id.token",
-			postLogoutRedirect: "http://example.com/",
-			expectError:        true,
-		},
-		{
-			name:               "URL with existing query parameters",
-			endSessionURL:      "https://provider/end-session?existing=param",
-			idToken:            "test.id.token",
-			postLogoutRedirect: "http://example.com/",
-			expectedURL:        "https://provider/end-session?existing=param&id_token_hint=test.id.token&post_logout_redirect_uri=http%3A%2F%2Fexample.com%2F",
-			expectError:        false,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			url, err := BuildLogoutURL(tc.endSessionURL, tc.idToken, tc.postLogoutRedirect)
-
-			if tc.expectError {
-				if err == nil {
-					t.Error("Expected error but got nil")
-				}
-			} else {
-				if err != nil {
-					t.Errorf("Unexpected error: %v", err)
-				}
-				if url != tc.expectedURL {
-					t.Errorf("Expected URL %q, got %q", tc.expectedURL, url)
-				}
-			}
-		})
-	}
-}
-
-// Add this new test function
-func TestHandleExpiredToken(t *testing.T) {
-	ts := &TestSuite{t: t}
-	ts.Setup()
-
-	tests := []struct {
-		name         string
-		setupSession func(*sessions.Session)
-		expectedPath string
-	}{
-		{
-			name: "Basic expired token",
-			setupSession: func(session *sessions.Session) {
-				session.Values["authenticated"] = true
-				session.Values["id_token"] = "expired.token"
-				session.Values["email"] = "test@example.com"
-			},
-			expectedPath: "/original/path",
-		},
-		{
-			name: "Session with additional values",
-			setupSession: func(session *sessions.Session) {
-				session.Values["authenticated"] = true
-				session.Values["id_token"] = "expired.token"
-				session.Values["custom_value"] = "should-be-cleared"
-			},
-			expectedPath: "/another/path",
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			// Create a new TraefikOidc instance for each test
-			tOidc := &TraefikOidc{
-				store:         sessions.NewCookieStore([]byte("test-secret-key")),
-				logger:        NewLogger("info"),
-				tokenVerifier: ts.tOidc.tokenVerifier,
-				jwtVerifier:   ts.tOidc.jwtVerifier,
-				initComplete:  make(chan struct{}),
-				// Add this initialization of initiateAuthenticationFunc
-				initiateAuthenticationFunc: func(rw http.ResponseWriter, req *http.Request, session *sessions.Session, redirectURL string) {
-					// Mock implementation for test
-					http.Redirect(rw, req, "/login", http.StatusFound)
-				},
-			}
-			close(tOidc.initComplete)
-
-			// Create request
-			req := httptest.NewRequest("GET", tc.expectedPath, nil)
-			rr := httptest.NewRecorder()
-
-			// Get session
-			session, _ := tOidc.store.New(req, cookieName)
-			tc.setupSession(session)
-
-			// Handle expired token
-			tOidc.handleExpiredToken(rr, req, session, tc.expectedPath)
-
-			// Verify session is cleaned
-			if len(session.Values) != 3 { // Should only have csrf, incoming_path, and nonce
-				t.Errorf("Expected 3 session values, got %d", len(session.Values))
-			}
-
-			// Verify required values are set
-			if _, ok := session.Values["csrf"].(string); !ok {
-				t.Error("CSRF token not set")
-			}
-			if path, ok := session.Values["incoming_path"].(string); !ok || path != tc.expectedPath {
-				t.Errorf("Expected path %s, got %s", tc.expectedPath, path)
-			}
-			if _, ok := session.Values["nonce"].(string); !ok {
-				t.Error("Nonce not set")
-			}
-
-			defaultSessionOptions := newSessionOptions(tOidc.determineScheme(req) == "https")
-
-			// Verify session options
-			if session.Options.MaxAge != defaultSessionOptions.MaxAge {
-				t.Error("Session MaxAge not set correctly")
-			}
-
-			// Verify redirect status
-			if rr.Code != http.StatusFound {
-				t.Errorf("Expected status %d, got %d", http.StatusFound, rr.Code)
-			}
-		})
-	}
-}
-
-// Add this new test function
-func TestExtractGroupsAndRoles(t *testing.T) {
-	ts := &TestSuite{t: t}
-	ts.Setup()
-
-	tests := []struct {
-		name         string
-		claims       map[string]interface{}
-		expectGroups []string
-		expectRoles  []string
-		expectError  bool
-	}{
-		{
-			name: "Valid groups and roles",
-			claims: map[string]interface{}{
-				"groups": []interface{}{"group1", "group2"},
-				"roles":  []interface{}{"role1", "role2"},
-			},
-			expectGroups: []string{"group1", "group2"},
-			expectRoles:  []string{"role1", "role2"},
-			expectError:  false,
-		},
-		{
-			name: "Empty groups and roles",
-			claims: map[string]interface{}{
-				"groups": []interface{}{},
-				"roles":  []interface{}{},
-			},
-			expectGroups: []string{},
-			expectRoles:  []string{},
-			expectError:  false,
-		},
-		{
-			name: "Invalid groups format",
-			claims: map[string]interface{}{
-				"groups": "not-an-array",
-				"roles":  []interface{}{"role1"},
-			},
-			expectError: true,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			// Create a test token with the claims
-			token, err := createTestJWT(ts.rsaPrivateKey, "RS256", "test-key-id", tc.claims)
-			if err != nil {
-				t.Fatalf("Failed to create test token: %v", err)
-			}
-
-			groups, roles, err := ts.tOidc.extractGroupsAndRoles(token)
-
-			if tc.expectError {
-				if err == nil {
-					t.Error("Expected error but got nil")
-				}
-			} else {
-				if err != nil {
-					t.Errorf("Unexpected error: %v", err)
-				}
-
-				// Compare groups
-				if !stringSliceEqual(groups, tc.expectGroups) {
-					t.Errorf("Expected groups %v, got %v", tc.expectGroups, groups)
-				}
-
-				// Compare roles
-				if !stringSliceEqual(roles, tc.expectRoles) {
-					t.Errorf("Expected roles %v, got %v", tc.expectRoles, roles)
-				}
-			}
-		})
-	}
-}
-
-// Helper function to compare string slices
-func stringSliceEqual(a, b []string) bool {
-	if len(a) != len(b) {
-		return false
-	}
-	for i := range a {
-		if a[i] != b[i] {
-			return false
-		}
-	}
-	return true
-}

settings.go

@@ -6,6 +6,8 @@ import (
 	"log"
 	"net/http"
 	"os"
+
+	"github.com/gorilla/sessions"
 )
 
 const (
@@ -28,11 +30,17 @@ type Config struct {
 	ExcludedURLs          []string `json:"excludedURLs"`
 	AllowedUserDomains    []string `json:"allowedUserDomains"`
 	AllowedRolesAndGroups []string `json:"allowedRolesAndGroups"`
-	OIDCEndSessionURL     string   `json:"oidcEndSessionURL"`
-	PostLogoutRedirectURI string   `json:"postLogoutRedirectURI"`
 	HTTPClient            *http.Client
 }
 
+var defaultSessionOptions = &sessions.Options{
+	HttpOnly: true,
+	Secure:   false,
+	SameSite: http.SameSiteLaxMode,
+	MaxAge:   ConstSessionTimeout,
+	Path:     "/",
+}
+
 // CreateConfig creates a new Config with default values
 func CreateConfig() *Config {
 	c := &Config{}

vendor/github.com/gorilla/sessions/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2023 The Gorilla Authors. All rights reserved.
+Copyright (c) 2024 The Gorilla Authors. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are

vendor/github.com/gorilla/sessions/README.md

@@ -1,4 +1,7 @@
-# sessions
+# Gorilla Sessions
+
+> [!IMPORTANT]
+> The latest version of this repository requires go 1.23 because of the new partitioned attribute. The last version that is compatible with older versions of go is v1.3.0.
 
 ![testing](https://github.com/gorilla/sessions/actions/workflows/test.yml/badge.svg)
 [![codecov](https://codecov.io/github/gorilla/sessions/branch/main/graph/badge.svg)](https://codecov.io/github/gorilla/sessions)
@@ -74,6 +77,7 @@ Other implementations of the `sessions.Store` interface:
 - [github.com/dsoprea/go-appengine-sessioncascade](https://github.com/dsoprea/go-appengine-sessioncascade) - Memcache/Datastore/Context in AppEngine
 - [github.com/kidstuff/mongostore](https://github.com/kidstuff/mongostore) - MongoDB
 - [github.com/srinathgs/mysqlstore](https://github.com/srinathgs/mysqlstore) - MySQL
+- [github.com/danielepintore/gorilla-sessions-mysql](https://github.com/danielepintore/gorilla-sessions-mysql) - MySQL
 - [github.com/EnumApps/clustersqlstore](https://github.com/EnumApps/clustersqlstore) - MySQL Cluster
 - [github.com/antonlindstrom/pgstore](https://github.com/antonlindstrom/pgstore) - PostgreSQL
 - [github.com/boj/redistore](https://github.com/boj/redistore) - Redis

vendor/github.com/gorilla/sessions/cookie.go

@@ -1,5 +1,6 @@
-//go:build !go1.11
-// +build !go1.11
+// Copyright 2012 The Gorilla Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
 
 package sessions
 
@@ -8,13 +9,15 @@ import "net/http"
 // newCookieFromOptions returns an http.Cookie with the options set.
 func newCookieFromOptions(name, value string, options *Options) *http.Cookie {
 	return &http.Cookie{
-		Name:     name,
-		Value:    value,
-		Path:     options.Path,
-		Domain:   options.Domain,
-		MaxAge:   options.MaxAge,
-		Secure:   options.Secure,
-		HttpOnly: options.HttpOnly,
+		Name:        name,
+		Value:       value,
+		Path:        options.Path,
+		Domain:      options.Domain,
+		MaxAge:      options.MaxAge,
+		Secure:      options.Secure,
+		HttpOnly:    options.HttpOnly,
+		Partitioned: options.Partitioned,
+		SameSite:    options.SameSite,
 	}
 
 }

vendor/github.com/gorilla/sessions/cookie_go111.go

@@ -1,21 +0,0 @@
-//go:build go1.11
-// +build go1.11
-
-package sessions
-
-import "net/http"
-
-// newCookieFromOptions returns an http.Cookie with the options set.
-func newCookieFromOptions(name, value string, options *Options) *http.Cookie {
-	return &http.Cookie{
-		Name:     name,
-		Value:    value,
-		Path:     options.Path,
-		Domain:   options.Domain,
-		MaxAge:   options.MaxAge,
-		Secure:   options.Secure,
-		HttpOnly: options.HttpOnly,
-		SameSite: options.SameSite,
-	}
-
-}

vendor/github.com/gorilla/sessions/options.go

@@ -1,8 +1,11 @@
-//go:build !go1.11
-// +build !go1.11
+// Copyright 2012 The Gorilla Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
 
 package sessions
 
+import "net/http"
+
 // Options stores configuration for a session or session store.
 //
 // Fields are a subset of http.Cookie fields.
@@ -13,7 +16,9 @@ type Options struct {
 	// deleted after the browser session ends.
 	// MaxAge<0 means delete cookie immediately.
 	// MaxAge>0 means Max-Age attribute present and given in seconds.
-	MaxAge   int
-	Secure   bool
-	HttpOnly bool
+	MaxAge      int
+	Secure      bool
+	HttpOnly    bool
+	Partitioned bool
+	SameSite    http.SameSite
 }

vendor/github.com/gorilla/sessions/options_go111.go

@@ -1,23 +0,0 @@
-//go:build go1.11
-// +build go1.11
-
-package sessions
-
-import "net/http"
-
-// Options stores configuration for a session or session store.
-//
-// Fields are a subset of http.Cookie fields.
-type Options struct {
-	Path   string
-	Domain string
-	// MaxAge=0 means no Max-Age attribute specified and the cookie will be
-	// deleted after the browser session ends.
-	// MaxAge<0 means delete cookie immediately.
-	// MaxAge>0 means Max-Age attribute present and given in seconds.
-	MaxAge   int
-	Secure   bool
-	HttpOnly bool
-	// Defaults to http.SameSiteDefaultMode
-	SameSite http.SameSite
-}

vendor/modules.txt

@@ -4,8 +4,8 @@ github.com/google/uuid
 # github.com/gorilla/securecookie v1.1.2
 ## explicit; go 1.20
 github.com/gorilla/securecookie
-# github.com/gorilla/sessions v1.3.0
-## explicit; go 1.20
+# github.com/gorilla/sessions v1.4.0
+## explicit; go 1.23
 github.com/gorilla/sessions
 # golang.org/x/time v0.7.0
 ## explicit; go 1.18