fix: improvements for login and oidc (#227)

* add csrf

* caching

* caching

* caching

* caching

* security headers

* csp and security headers

* error handler csp

* select user with display name

* csp

* user selection styling

* username to loginname

* regenerate grpc

* regenerate

* change to login name

internal/auth/repository/auth_request.go

@@ -13,7 +13,7 @@ type AuthRequestRepository interface {
 	AuthRequestByCode(ctx context.Context, code string) (*model.AuthRequest, error)
 	SaveAuthCode(ctx context.Context, id, code string) error
 	DeleteAuthRequest(ctx context.Context, id string) error
-	CheckUsername(ctx context.Context, id, username string) error
+	CheckLoginName(ctx context.Context, id, loginName string) error
 	SelectUser(ctx context.Context, id, userID string) error
 	VerifyPassword(ctx context.Context, id, userID, password string, info *model.BrowserInfo) error
 	VerifyMfaOTP(ctx context.Context, agentID, authRequestID string, code string, info *model.BrowserInfo) error

internal/auth/repository/eventsourcing/eventstore/auth_request.go

@@ -106,16 +106,16 @@ func (repo *AuthRequestRepo) DeleteAuthRequest(ctx context.Context, id string) e
 	return repo.AuthRequests.DeleteAuthRequest(ctx, id)
 }
 
-func (repo *AuthRequestRepo) CheckUsername(ctx context.Context, id, username string) error {
+func (repo *AuthRequestRepo) CheckLoginName(ctx context.Context, id, loginName string) error {
 	request, err := repo.AuthRequests.GetAuthRequestByID(ctx, id)
 	if err != nil {
 		return err
 	}
-	user, err := repo.View.UserByLoginName(username)
+	user, err := repo.View.UserByLoginName(loginName)
 	if err != nil {
 		return err
 	}
-	request.SetUserInfo(user.ID, user.UserName, user.ResourceOwner)
+	request.SetUserInfo(user.ID, loginName, user.ResourceOwner)
 	return repo.AuthRequests.UpdateAuthRequest(ctx, request)
 }
 
@@ -128,7 +128,7 @@ func (repo *AuthRequestRepo) SelectUser(ctx context.Context, id, userID string)
 	if err != nil {
 		return err
 	}
-	request.SetUserInfo(user.ID, user.UserName, user.ResourceOwner)
+	request.SetUserInfo(user.ID, user.PreferredLoginName, user.ResourceOwner)
 	return repo.AuthRequests.UpdateAuthRequest(ctx, request)
 }
 
@@ -236,7 +236,8 @@ func (repo *AuthRequestRepo) usersForUserSelection(request *model.AuthRequest) (
 	for i, session := range userSessions {
 		users[i] = model.UserSelection{
 			UserID:           session.UserID,
-			UserName:         session.UserName,
+			DisplayName:      session.DisplayName,
+			LoginName:        session.LoginName,
 			UserSessionState: session.State,
 		}
 	}

internal/auth/repository/eventsourcing/eventstore/auth_request_test.go

@@ -46,8 +46,8 @@ type mockViewUserSession struct {
 }
 
 type mockUser struct {
-	UserID   string
-	UserName string
+	UserID    string
+	LoginName string
 }
 
 func (m *mockViewUserSession) UserSessionByIDs(string, string) (*view_model.UserSessionView, error) {
@@ -61,8 +61,8 @@ func (m *mockViewUserSession) UserSessionsByAgentID(string) ([]*view_model.UserS
 	sessions := make([]*view_model.UserSessionView, len(m.Users))
 	for i, user := range m.Users {
 		sessions[i] = &view_model.UserSessionView{
-			UserID:   user.UserID,
-			UserName: user.UserName,
+			UserID:    user.UserID,
+			LoginName: user.LoginName,
 		}
 	}
 	return sessions, nil
@@ -175,11 +175,11 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 					Users: []mockUser{
 						{
 							"id1",
-							"username1",
+							"loginname1",
 						},
 						{
 							"id2",
-							"username2",
+							"loginname2",
 						},
 					},
 				},
@@ -191,12 +191,12 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 				&model.SelectUserStep{
 					Users: []model.UserSelection{
 						{
-							UserID:   "id1",
-							UserName: "username1",
+							UserID:    "id1",
+							LoginName: "loginname1",
 						},
 						{
-							UserID:   "id2",
-							UserName: "username2",
+							UserID:    "id2",
+							LoginName: "loginname2",
 						},
 					},
 				}},

internal/auth/repository/eventsourcing/eventstore/user.go

@@ -203,8 +203,8 @@ func (repo *UserRepo) SkipMfaInit(ctx context.Context, userID string) error {
 	return repo.UserEvents.SkipMfaInit(ctx, userID)
 }
 
-func (repo *UserRepo) RequestPasswordReset(ctx context.Context, username string) error {
-	user, err := repo.View.UserByUsername(username)
+func (repo *UserRepo) RequestPasswordReset(ctx context.Context, loginname string) error {
+	user, err := repo.View.UserByLoginName(loginname)
 	if err != nil {
 		return err
 	}

internal/auth/repository/eventsourcing/handler/user_session.go

@@ -67,7 +67,8 @@ func (u *UserSession) Process(event *models.Event) (err error) {
 		}
 		return u.updateSession(session, event)
 	case es_model.UserPasswordChanged,
-		es_model.MfaOtpRemoved:
+		es_model.MfaOtpRemoved,
+		es_model.UserProfileChanged:
 		sessions, err := u.view.UserSessionsByUserID(event.AggregateID)
 		if err != nil {
 			return err
@@ -91,10 +92,8 @@ func (u *UserSession) OnError(event *models.Event, err error) error {
 func (u *UserSession) updateSession(session *view_model.UserSessionView, event *models.Event) error {
 	session.Sequence = event.Sequence
 	session.AppendEvent(event)
-	if session.UserName == "" {
-		if err := u.fillUserInfo(session, event.AggregateID); err != nil {
-			return err
-		}
+	if err := u.fillUserInfo(session, event.AggregateID); err != nil {
+		return err
 	}
 	return u.view.PutUserSession(session)
 }
@@ -105,5 +104,7 @@ func (u *UserSession) fillUserInfo(session *view_model.UserSessionView, id strin
 		return err
 	}
 	session.UserName = user.UserName
+	session.LoginName = user.PreferredLoginName
+	session.DisplayName = user.DisplayName
 	return nil
 }