mc/mcr
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Compare commits

base: mc:v1.3.0
Branches Tags
mc:master
mc:v1.4.1 mc:v1.4.0 mc:v1.3.2 mc:v1.3.1 mc:v1.3.0 mc:v1.2.1 mc:v1.2.0 mc:v1.1.0 mc:v1.0.0
..
compare: mc:v1.3.2
Branches Tags
mc:master
mc:v1.4.1 mc:v1.4.0 mc:v1.3.2 mc:v1.3.1 mc:v1.3.0 mc:v1.2.1 mc:v1.2.0 mc:v1.1.0 mc:v1.0.0

2 Commits
v1.3.0 ... v1.3.2

Author SHA1 Message Date
Kyle Isom
bf206ae67c Bump mcdsl to v1.6.0 (SSO redirect fix) 
Fixes SSO login redirect loop where the return-to cookie stored
/sso/redirect, bouncing users back to MCIAS after successful login.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-31 14:55:46 -07:00
Kyle Isom
8eeab91cbd Show SSO landing page instead of immediate redirect 
The login page now shows the service name and a "Sign in with MCIAS"
button instead of immediately redirecting to MCIAS. This lets the user
know what service they are logging into before the redirect.

- GET /login renders the landing page with SSO button
- GET /sso/redirect initiates the actual SSO redirect
- Non-SSO login form still works when SSO is not configured

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-30 16:40:25 -07:00
8 changed files with 24 additions and 7 deletions
Expand all files Collapse all files

2
go.mod
View File

@@ -3,7 +3,7 @@ module git.wntrmute.dev/mc/mcr
go 1.25.7 go 1.25.7
require ( require (
git.wntrmute.dev/mc/mcdsl v1.5.0 git.wntrmute.dev/mc/mcdsl v1.6.0
github.com/go-chi/chi/v5 v5.2.5 github.com/go-chi/chi/v5 v5.2.5
github.com/google/uuid v1.6.0 github.com/google/uuid v1.6.0
github.com/spf13/cobra v1.10.2 github.com/spf13/cobra v1.10.2

2
go.sum
View File

@@ -1,5 +1,7 @@
git.wntrmute.dev/mc/mcdsl v1.5.0 h1:JUlSYuvETRCycf+cZ56Gxp/1XZn0T7fOfWezM3m89qE= git.wntrmute.dev/mc/mcdsl v1.5.0 h1:JUlSYuvETRCycf+cZ56Gxp/1XZn0T7fOfWezM3m89qE=
git.wntrmute.dev/mc/mcdsl v1.5.0/go.mod h1:MhYahIu7Sg53lE2zpQ20nlrsoNRjQzOJBAlCmom2wJc= git.wntrmute.dev/mc/mcdsl v1.5.0/go.mod h1:MhYahIu7Sg53lE2zpQ20nlrsoNRjQzOJBAlCmom2wJc=
git.wntrmute.dev/mc/mcdsl v1.6.0 h1:Vn1uy6b1yZ4Y8fsl1+kLucVprrFKlQ4SN2cjUH/Eg2k=
git.wntrmute.dev/mc/mcdsl v1.6.0/go.mod h1:MhYahIu7Sg53lE2zpQ20nlrsoNRjQzOJBAlCmom2wJc=
github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=

11
internal/webserver/auth.go
View File

@@ -133,8 +133,17 @@ func (s *Server) handleLoginSubmit(w http.ResponseWriter, r *http.Request) {
http.Redirect(w, r, "/", http.StatusSeeOther) http.Redirect(w, r, "/", http.StatusSeeOther)
} }
// handleSSOLogin redirects the user to MCIAS for SSO login. // handleSSOLogin renders a landing page with a "Sign in" button that
// initiates the SSO redirect to MCIAS.
func (s *Server) handleSSOLogin(w http.ResponseWriter, r *http.Request) { func (s *Server) handleSSOLogin(w http.ResponseWriter, r *http.Request) {
s.templates.render(w, "login", map[string]any{
"SSO": true,
"Session": false,
})
}
// handleSSORedirect initiates the SSO redirect to MCIAS.
func (s *Server) handleSSORedirect(w http.ResponseWriter, r *http.Request) {
if err := mcdsso.RedirectToLogin(w, r, s.ssoClient, "mcr"); err != nil { if err := mcdsso.RedirectToLogin(w, r, s.ssoClient, "mcr"); err != nil {
log.Printf("sso: redirect to login: %v", err) log.Printf("sso: redirect to login: %v", err)
http.Error(w, "internal error", http.StatusInternalServerError) http.Error(w, "internal error", http.StatusInternalServerError)

1
internal/webserver/server.go
View File

@@ -95,6 +95,7 @@ func (s *Server) buildRouter() chi.Router {
// Public routes (no session required). // Public routes (no session required).
if s.ssoClient != nil { if s.ssoClient != nil {
r.Get("/login", s.handleSSOLogin) r.Get("/login", s.handleSSOLogin)
r.Get("/sso/redirect", s.handleSSORedirect)
r.Get("/sso/callback", s.handleSSOCallback) r.Get("/sso/callback", s.handleSSOCallback)
} else { } else {
r.Get("/login", s.handleLoginPage) r.Get("/login", s.handleLoginPage)

4
internal/webserver/server_test.go
View File

@@ -245,8 +245,8 @@ func TestLoginPageRenders(t *testing.T) {
} }
body := rec.Body.String() body := rec.Body.String()
if !strings.Contains(body, "MCR Login") { if !strings.Contains(body, "Metacircular Container Registry") {
t.Error("login page does not contain 'MCR Login'") t.Error("login page does not contain 'Metacircular Container Registry'")
} }
if !strings.Contains(body, "_csrf") { if !strings.Contains(body, "_csrf") {
t.Error("login page does not contain CSRF token field") t.Error("login page does not contain CSRF token field")

2
vendor/git.wntrmute.dev/mc/mcdsl/sso/sso.go vendored
View File

@@ -229,7 +229,7 @@ func ValidateStateCookie(w http.ResponseWriter, r *http.Request, prefix, querySt
// redirect back to it after SSO login completes. // redirect back to it after SSO login completes.
func SetReturnToCookie(w http.ResponseWriter, r *http.Request, prefix string) { func SetReturnToCookie(w http.ResponseWriter, r *http.Request, prefix string) {
path := r.URL.Path path := r.URL.Path
if path == "" || path == "/login" || path == "/sso/callback" { if path == "" || path == "/login" || strings.HasPrefix(path, "/sso/") {
path = "/" path = "/"
} }
http.SetCookie(w, &http.Cookie{ http.SetCookie(w, &http.Cookie{

2
vendor/modules.txt vendored
View File

@@ -1,4 +1,4 @@
# git.wntrmute.dev/mc/mcdsl v1.5.0 # git.wntrmute.dev/mc/mcdsl v1.6.0
## explicit; go 1.25.7 ## explicit; go 1.25.7
git.wntrmute.dev/mc/mcdsl/auth git.wntrmute.dev/mc/mcdsl/auth
git.wntrmute.dev/mc/mcdsl/config git.wntrmute.dev/mc/mcdsl/config

7
web/templates/login.html
View File

@@ -2,10 +2,14 @@
{{define "content"}} {{define "content"}}
<div class="login-container"> <div class="login-container">
<h1>MCR Login</h1> <h1>Metacircular Container Registry</h1>
{{if .Error}} {{if .Error}}
<div class="error">{{.Error}}</div> <div class="error">{{.Error}}</div>
{{end}} {{end}}
{{if .SSO}}
<p>Sign in to manage container images, policies, and audit logs.</p>
<a href="/sso/redirect" class="btn">Sign in with MCIAS</a>
{{else}}
<form method="POST" action="/login"> <form method="POST" action="/login">
<input type="hidden" name="_csrf" value="{{.CSRFToken}}"> <input type="hidden" name="_csrf" value="{{.CSRFToken}}">
<div class="form-group"> <div class="form-group">
@@ -18,5 +22,6 @@
</div> </div>
<button type="submit">Sign In</button> <button type="submit">Sign In</button>
</form> </form>
{{end}}
</div> </div>
{{end}} {{end}}