proxy: add userinfo and webauthn endpoints (#3755)

* proxy: add userinfo and webauthn endpoints * use TLD for RP id * use EffectiveTLDPlusOne * upgrade webauthn * fix test * Update internal/handlers/jwks.go Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
2025-05-18 03:27:16 +02:00 · 2022-11-22 10:26:35 -07:00 · 2022-11-22 10:26:35 -07:00 · c1a522cd82
commit c1a522cd82
parent 81053ac8ef
33 changed files with 498 additions and 216 deletions
--- a/internal/httputil/handlers.go
+++ b/internal/httputil/handlers.go
@ -2,34 +2,12 @@ package httputil

 import (
 	"bytes"
-	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
-	"net/url"
-
-	"github.com/go-jose/go-jose/v3"
-	"github.com/rs/cors"
-
-	"github.com/pomerium/csrf"
-	"github.com/pomerium/pomerium/pkg/cryptutil"
 )

-// HealthCheck is a simple healthcheck handler that responds to GET and HEAD
-// http requests.
-func HealthCheck(w http.ResponseWriter, r *http.Request) {
-	if r.Method != http.MethodGet && r.Method != http.MethodHead {
-		http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed)
-		return
-	}
-	w.Header().Set("Content-Type", "text/plain")
-	w.WriteHeader(http.StatusOK)
-	if r.Method == http.MethodGet {
-		fmt.Fprintln(w, http.StatusText(http.StatusOK))
-	}
-}
-
 // Redirect wraps the std libs's redirect method indicating that pomerium is
 // the origin of the response.
 func Redirect(w http.ResponseWriter, r *http.Request, url string, code int) {
@ -72,41 +50,3 @@ func (f HandlerFunc) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		e.ErrorResponse(r.Context(), w, r)
 	}
 }
-
-// JWKSHandler returns the /.well-known/pomerium/jwks.json handler.
-func JWKSHandler(rawSigningKey string) http.Handler {
-	return cors.AllowAll().Handler(HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
-		var jwks jose.JSONWebKeySet
-		if rawSigningKey != "" {
-			decodedCert, err := base64.StdEncoding.DecodeString(rawSigningKey)
-			if err != nil {
-				return NewError(http.StatusInternalServerError, errors.New("bad signing key"))
-			}
-			jwk, err := cryptutil.PublicJWKFromBytes(decodedCert)
-			if err != nil {
-				return NewError(http.StatusInternalServerError, errors.New("bad signing key"))
-			}
-			jwks.Keys = append(jwks.Keys, *jwk)
-		}
-		RenderJSON(w, http.StatusOK, jwks)
-		return nil
-	}))
-}
-
-// WellKnownPomeriumHandler returns the /.well-known/pomerium handler.
-func WellKnownPomeriumHandler(authenticateURL *url.URL) http.Handler {
-	return cors.AllowAll().Handler(HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
-		wellKnownURLs := struct {
-			OAuth2Callback        string `json:"authentication_callback_endpoint"` // RFC6749
-			JSONWebKeySetURL      string `json:"jwks_uri"`                         // RFC7517
-			FrontchannelLogoutURI string `json:"frontchannel_logout_uri"`          // https://openid.net/specs/openid-connect-frontchannel-1_0.html
-		}{
-			authenticateURL.ResolveReference(&url.URL{Path: "/oauth2/callback"}).String(),
-			authenticateURL.ResolveReference(&url.URL{Path: "/.well-known/pomerium/jwks.json"}).String(),
-			authenticateURL.ResolveReference(&url.URL{Path: "/.pomerium/sign_out"}).String(),
-		}
-		w.Header().Set("X-CSRF-Token", csrf.Token(r))
-		RenderJSON(w, http.StatusOK, wellKnownURLs)
-		return nil
-	}))
-}