CDPT-887 auth with nginx cache #612

Merged
merged 9 commits into from
Jul 29, 2024

@EarthlingDavey EarthlingDavey commented Jul 26, 2024

This PR:

IPs

  • Moves the allowed IP matching from app level to nginx.
  • Utilises the nginx_geo module for assigning a value to a matching IP range. i.e. 1 for allow and 2 for deprecated.
  • Uses an nginx- init script to populate a config file from the IPS_FORMATTED env var.
  • A header HTTP_X_IP_GROUP is available to our application in case we want to show a deprecation warning. If we want to do this, we may need to add $geo to the fastcgi_cache_key - or fetch the deprecation warning via an un-cached url like ajax.php

OAuth

  • Creates an /auth/verify endpoint that returns a 200 / 401 status, depending on a valid JWT. This endpoint doesn't load WordPress.
  • Creates a dynamic 401 page that will redirect to login; on 5 failed attempts the 401 page is shown.

Caching

Care has been taken to only serve cached results if the user is allowed.
Previously, cached hits were served to non-auth'd users; this has been fixed.
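
The arrangement described above, expressed as nginx configuration for the `http` context. This is an added example, not the project's own config: the use of `auth_request`, the CIDR ranges, the paths, the PHP-FPM socket and `auth-verify.php` are assumptions.

```nginx
# Added example, not the project's config. All names, paths and ranges
# below are assumptions or constructed sample values.

# geo maps the client address to a group: 0 = no match, 1 = allow, 2 = deprecated.
geo $ip_group {
    default          0;
    # The PR generates these entries from IPS_FORMATTED with an init script;
    # an include of that generated file would replace the constructed ranges.
    192.0.2.0/24     1;   # constructed sample range
    198.51.100.0/24  2;   # constructed sample range
}

fastcgi_cache_path /var/cache/nginx/app levels=1:2 keys_zone=app:10m inactive=10m;

server {
    listen 8080;
    root /var/www/html/public;

    # Subrequest target: a 2xx response allows the request, 401 denies it.
    location = /auth/verify {
        internal;
        include fastcgi_params;
        fastcgi_pass unix:/run/php-fpm.sock;
        # Hypothetical standalone script that validates the JWT without
        # loading WordPress.
        fastcgi_param SCRIPT_FILENAME $document_root/auth-verify.php;
        fastcgi_pass_request_body off;
        fastcgi_param CONTENT_LENGTH "";
    }

    location ~ \.php$ {
        # auth_request runs in the access phase, before the cache lookup,
        # so a cache HIT is only served to a request that passed verification.
        auth_request /auth/verify;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Exposed to PHP as $_SERVER['HTTP_X_IP_GROUP'].
        fastcgi_param HTTP_X_IP_GROUP $ip_group;
        fastcgi_pass unix:/run/php-fpm.sock;

        fastcgi_cache app;
        fastcgi_cache_valid 200 10m;
        # With the group in the key, a page rendered with a deprecation
        # warning is cached separately from the same page without one.
        fastcgi_cache_key "$scheme$request_method$host$request_uri$ip_group";
    }
}
```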

public/app/mu-plugins/moj-auth/moj-auth.php
export default (function ($) {
// Sent a request to the heartbeat endpoint, this will refresh the oauth token.
setInterval(function(){
$.get( "/auth/heartbeat" )
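Review bot: the `$.get( "/auth/heartbeat" )` call inside the `setInterval` callback has no failure handler in the lines shown, so a 401 from the heartbeat (an ended session) would go unnoticed by the open page; attach a handler that checks for a 401 status and reacts to it. The comment above the call should also read "Send a request", not "Sent a request".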
Contributor Author
If 401, modal - your session has ended, please login again for security purposes. Blur bg. Redirect in 5s.

The js can just reload the current page.

Change to 10s

@EarthlingDavey EarthlingDavey merged commit 52fd456 into develop Jul 29, 2024
6 checks passed
@EarthlingDavey EarthlingDavey deleted the CDPT-887-auth-with-nginx-cache branch July 29, 2024 12:50
EarthlingDavey added a commit that referenced this pull request Jul 29, 2024
EarthlingDavey added a commit that referenced this pull request Jul 29, 2024
* Updates from the review of #612

* Update auth-heartbeat.js

* Update moj-auth.php

* Update info.php

* Fix comments and log messages