Bump mcdsl to v1.6.0 (SSO redirect fix)

Fixes SSO login redirect loop where the return-to cookie stored /sso/redirect, bouncing users back to MCIAS after successful login. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Show SSO landing page instead of immediate redirect
2026-03-31 14:55:46 -07:00 · 2026-03-30 16:40:25 -07:00
8 changed files with 24 additions and 7 deletions
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module git.wntrmute.dev/mc/mcr
 go 1.25.7

 require (
-	git.wntrmute.dev/mc/mcdsl v1.5.0
+	git.wntrmute.dev/mc/mcdsl v1.6.0
 	github.com/go-chi/chi/v5 v5.2.5
 	github.com/google/uuid v1.6.0
 	github.com/spf13/cobra v1.10.2
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,7 @@
 git.wntrmute.dev/mc/mcdsl v1.5.0 h1:JUlSYuvETRCycf+cZ56Gxp/1XZn0T7fOfWezM3m89qE=
 git.wntrmute.dev/mc/mcdsl v1.5.0/go.mod h1:MhYahIu7Sg53lE2zpQ20nlrsoNRjQzOJBAlCmom2wJc=
+git.wntrmute.dev/mc/mcdsl v1.6.0 h1:Vn1uy6b1yZ4Y8fsl1+kLucVprrFKlQ4SN2cjUH/Eg2k=
+git.wntrmute.dev/mc/mcdsl v1.6.0/go.mod h1:MhYahIu7Sg53lE2zpQ20nlrsoNRjQzOJBAlCmom2wJc=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
--- a/internal/webserver/auth.go
+++ b/internal/webserver/auth.go
@@ -133,8 +133,17 @@ func (s *Server) handleLoginSubmit(w http.ResponseWriter, r *http.Request) {
 	http.Redirect(w, r, "/", http.StatusSeeOther)
 }

-// handleSSOLogin redirects the user to MCIAS for SSO login.
+// handleSSOLogin renders a landing page with a "Sign in" button that
+// initiates the SSO redirect to MCIAS.
 func (s *Server) handleSSOLogin(w http.ResponseWriter, r *http.Request) {
+	s.templates.render(w, "login", map[string]any{
+		"SSO":     true,
+		"Session": false,
+	})
+}
+
+// handleSSORedirect initiates the SSO redirect to MCIAS.
+func (s *Server) handleSSORedirect(w http.ResponseWriter, r *http.Request) {
 	if err := mcdsso.RedirectToLogin(w, r, s.ssoClient, "mcr"); err != nil {
 		log.Printf("sso: redirect to login: %v", err)
 		http.Error(w, "internal error", http.StatusInternalServerError)
--- a/internal/webserver/server.go
+++ b/internal/webserver/server.go
@@ -95,6 +95,7 @@ func (s *Server) buildRouter() chi.Router {
 	// Public routes (no session required).
 	if s.ssoClient != nil {
 		r.Get("/login", s.handleSSOLogin)
+		r.Get("/sso/redirect", s.handleSSORedirect)
 		r.Get("/sso/callback", s.handleSSOCallback)
 	} else {
 		r.Get("/login", s.handleLoginPage)
--- a/internal/webserver/server_test.go
+++ b/internal/webserver/server_test.go
@@ -245,8 +245,8 @@ func TestLoginPageRenders(t *testing.T) {
 	}

 	body := rec.Body.String()
-	if !strings.Contains(body, "MCR Login") {
-		t.Error("login page does not contain 'MCR Login'")
+	if !strings.Contains(body, "Metacircular Container Registry") {
+		t.Error("login page does not contain 'Metacircular Container Registry'")
 	}
 	if !strings.Contains(body, "_csrf") {
 		t.Error("login page does not contain CSRF token field")
--- a/vendor/git.wntrmute.dev/mc/mcdsl/sso/sso.go
+++ b/vendor/git.wntrmute.dev/mc/mcdsl/sso/sso.go
@@ -229,7 +229,7 @@ func ValidateStateCookie(w http.ResponseWriter, r *http.Request, prefix, querySt
 // redirect back to it after SSO login completes.
 func SetReturnToCookie(w http.ResponseWriter, r *http.Request, prefix string) {
 	path := r.URL.Path
-	if path == "" || path == "/login" || path == "/sso/callback" {
+	if path == "" || path == "/login" || strings.HasPrefix(path, "/sso/") {
 		path = "/"
 	}
 	http.SetCookie(w, &http.Cookie{
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1,4 +1,4 @@
-# git.wntrmute.dev/mc/mcdsl v1.5.0
+# git.wntrmute.dev/mc/mcdsl v1.6.0
 ## explicit; go 1.25.7
 git.wntrmute.dev/mc/mcdsl/auth
 git.wntrmute.dev/mc/mcdsl/config
--- a/web/templates/login.html
+++ b/web/templates/login.html
@@ -2,10 +2,14 @@

 {{define "content"}}
 <div class="login-container">
-    <h1>MCR Login</h1>
+    <h1>Metacircular Container Registry</h1>
    {{if .Error}}
    <div class="error">{{.Error}}</div>
    {{end}}
+    {{if .SSO}}
+    <p>Sign in to manage container images, policies, and audit logs.</p>
+    <a href="/sso/redirect" class="btn">Sign in with MCIAS</a>
+    {{else}}
    <form method="POST" action="/login">
        <input type="hidden" name="_csrf" value="{{.CSRFToken}}">
        <div class="form-group">
@@ -18,5 +22,6 @@
        </div>
        <button type="submit">Sign In</button>
    </form>
+    {{end}}
 </div>
 {{end}}