Merge branch 'main' into v2-releases

2023-10-23 17:18:29 +03:00 · 2023-10-23 17:18:29 +03:00 · cc59572cca
commit cc59572cca
parent dd3de212bf 9c0696306f
13 changed files with 18 additions and 45 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -1,6 +1,6 @@
 # Security Policy

-At ZITADEL we are extremely grateful for security aware people that disclose vulnerabilities to us and the open source community. All reports will be investigated by our team.
+Please refer to the security policy [on zitadel/zitadel](https://github.com/zitadel/zitadel/blob/main/SECURITY.md) which is applicable for all open source repositories of our organization.

 ## Supported Versions

@ -18,33 +18,3 @@ We currently support the following version of the OIDC framework:
 [2]: https://github.com/zitadel/oidc/discussions/458
 [3]: https://github.com/zitadel/oidc/tree/main
 [4]: https://github.com/zitadel/oidc/tree/next
-
-## Reporting a vulnerability
-
-To file a incident, please disclose by email to security@zitadel.com with the security details.
-
-At the moment GPG encryption is no yet supported, however you may sign your message at will.
-
-### When should I report a vulnerability
-
-* You think you discovered a ...
-  * ... potential security vulnerability in the SDK
-  * ... vulnerability in another project that this SDK bases on
-* For projects with their own vulnerability reporting and disclosure process, please report it directly there
-
-### When should I NOT report a vulnerability
-
-* You need help applying security related updates
-* Your issue is not security related
-
-## Security Vulnerability Response
-
-TBD
-
-## Public Disclosure
-
-All accepted and mitigated vulnerabilities will be published on the [Github Security Page](https://github.com/zitadel/oidc/security/advisories)
-
-### Timing
-
-We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknown nature of the disclosures the time frame can range from 7 to 90 days.
--- a/example/client/api/api.go
+++ b/example/client/api/api.go
@ -10,7 +10,7 @@ import (
 	"strings"
 	"time"

-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
 	"github.com/sirupsen/logrus"

 	"github.com/zitadel/oidc/v3/pkg/client/rs"
--- a/example/server/dynamic/login.go
+++ b/example/server/dynamic/login.go
@ -6,7 +6,7 @@ import (
 	"html/template"
 	"net/http"

-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"

 	"github.com/zitadel/oidc/v3/pkg/op"
 )
--- a/example/server/dynamic/op.go
+++ b/example/server/dynamic/op.go
@ -7,7 +7,7 @@ import (
 	"log"
 	"net/http"

-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
 	"golang.org/x/text/language"

 	"github.com/zitadel/oidc/v3/example/server/storage"
--- a/example/server/exampleop/device.go
+++ b/example/server/exampleop/device.go
@ -8,7 +8,7 @@ import (
 	"net/http"
 	"net/url"

-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
 	"github.com/gorilla/securecookie"
 	"github.com/sirupsen/logrus"
 	"github.com/zitadel/oidc/v3/pkg/op"
--- a/example/server/exampleop/login.go
+++ b/example/server/exampleop/login.go
@ -5,7 +5,7 @@ import (
 	"fmt"
 	"net/http"

-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
 	"github.com/zitadel/oidc/v3/pkg/op"
 )

--- a/example/server/exampleop/op.go
+++ b/example/server/exampleop/op.go
@ -7,7 +7,7 @@ import (
 	"sync/atomic"
 	"time"

-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
 	"github.com/zitadel/logging"
 	"golang.org/x/exp/slog"
 	"golang.org/x/text/language"
--- a/go.mod
+++ b/go.mod
@ -3,7 +3,7 @@ module github.com/zitadel/oidc/v3
 go 1.19

 require (
-	github.com/go-chi/chi v1.5.4
+	github.com/go-chi/chi/v5 v5.0.10
 	github.com/go-jose/go-jose/v3 v3.0.0
 	github.com/golang/mock v1.6.0
 	github.com/google/go-github/v31 v31.0.0
--- a/go.sum
+++ b/go.sum
@ -1,8 +1,8 @@
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/go-chi/chi v1.5.4 h1:QHdzF2szwjqVV4wmByUnTcsbIg7UGaQ0tPF2t5GcAIs=
-github.com/go-chi/chi v1.5.4/go.mod h1:uaf8YgoFazUOkPBG7fxPftUylNumIev9awIWOENIuEg=
+github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
+github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo=
 github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
--- a/pkg/op/op.go
+++ b/pkg/op/op.go
@ -6,7 +6,7 @@ import (
 	"net/http"
 	"time"

-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
 	jose "github.com/go-jose/go-jose/v3"
 	"github.com/rs/cors"
 	"github.com/zitadel/schema"
--- a/pkg/op/server_http.go
+++ b/pkg/op/server_http.go
@ -5,7 +5,7 @@ import (
 	"net/http"
 	"net/url"

-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
 	"github.com/rs/cors"
 	"github.com/zitadel/logging"
 	httphelper "github.com/zitadel/oidc/v3/pkg/http"
--- a/pkg/op/server_legacy.go
+++ b/pkg/op/server_legacy.go
@ -6,7 +6,7 @@ import (
 	"net/http"
 	"time"

-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
 	"github.com/zitadel/oidc/v3/pkg/oidc"
 )

--- a/pkg/op/token.go
+++ b/pkg/op/token.go
@ -51,8 +51,11 @@ func CreateTokenResponse(ctx context.Context, request IDTokenRequest, client Cli
 		if err != nil {
 			return nil, err
 		}
+		// only implicit flow requires state to be returned.
+		if code == "" {
 			state = authRequest.GetState()
 		}
+	}

 	exp := uint64(validity.Seconds())
 	return &oidc.AccessTokenResponse{