chore: house cleaning of the caos name and update sec (#232)

* chore: house cleaning of the caos name and update sec

* some typos

* make fix non breakable

* Update SECURITY.md

Co-authored-by: Livio Spring <livio.a@gmail.com>

* Update SECURITY.md

Co-authored-by: Livio Spring <livio.a@gmail.com>

Co-authored-by: Livio Spring <livio.a@gmail.com>

README.md

@@ -96,7 +96,7 @@ Versions that also build are marked with :warning:.
 
 ## Why another library
 
-As of 2020 there are not a lot of `OIDC` library's in `Go` which can handle server and client implementations. CAOS is strongly committed to the general field of IAM (Identity and Access Management) and as such, we need solid frameworks to implement services.
+As of 2020 there are not a lot of `OIDC` library's in `Go` which can handle server and client implementations. ZITADEL is strongly committed to the general field of IAM (Identity and Access Management) and as such, we need solid frameworks to implement services.
 
 ### Goals
 

SECURITY.md

@@ -1,6 +1,6 @@
 # Security Policy
 
-At CAOS we are extremely grateful for security aware people that disclose vulnerabilities to us and the open source community. All reports will be investigated by our team.
+At ZITADEL we are extremely grateful for security aware people that disclose vulnerabilities to us and the open source community. All reports will be investigated by our team.
 
 ## Supported Versions
 
@@ -8,12 +8,13 @@ After the initial Release the following version support will apply
 
 | Version | Supported                               |
 | ------- | ------------------                      |
-| 1.x.x   | :white_check_mark: (not yet available)  |
 | 0.x.x   | :x:                                     |
+| 1.x.x   | :white_check_mark:                      |
+| 2.x.x   | :white_check_mark: (not released)       |
 
 ## Reporting a vulnerability
 
-To file a incident, please disclose by email to security@caos.ch with the security details.
+To file a incident, please disclose by email to security@zitadel.com with the security details.
 
 At the moment GPG encryption is no yet supported, however you may sign your message at will.
 
@@ -35,8 +36,8 @@ TBD
 
 ## Public Disclosure
 
-All accepted and mitigated vulnerabilitys will be published on the [Github Security Page](https://github.com/zitadel/oidc/security/advisories)
+All accepted and mitigated vulnerabilities will be published on the [Github Security Page](https://github.com/zitadel/oidc/security/advisories)
 
 ### Timing
 
-We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknown nature of the discloures the time frame can range from 7 to 90 days.
+We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknown nature of the disclosures the time frame can range from 7 to 90 days.

example/client/api/api.go

@@ -62,7 +62,7 @@ func main() {
 
 	// protected url which needs an active token and checks if the response of the introspect endpoint
 	// contains a requested claim with the required (string) value
-	// e.g. /protected/username/livio@caos.ch
+	// e.g. /protected/username/livio@zitadel.example
 	router.HandleFunc(protectedClaimURL, func(w http.ResponseWriter, r *http.Request) {
 		ok, token := checkToken(w, r)
 		if !ok {

pkg/op/config.go

@@ -8,7 +8,11 @@ import (
 	"golang.org/x/text/language"
 )
 
-const OidcDevMode = "CAOS_OIDC_DEV"
+const (
+	OidcDevMode = "ZITADEL_OIDC_DEV"
+	// deprecated: use OidcDevMode (ZITADEL_OIDC_DEV=true)
+	devMode = "CAOS_OIDC_DEV"
+)
 
 type Configuration interface {
 	Issuer() string
@@ -62,8 +66,12 @@ func ValidateIssuer(issuer string) error {
 
 func devLocalAllowed(url *url.URL) bool {
 	_, b := os.LookupEnv(OidcDevMode)
+	if !b {
+		// check the old / current env var as well
+		_, b = os.LookupEnv(devMode)
 		if !b {
 			return b
 		}
+	}
 	return url.Scheme == "http"
 }