Merge branch 'main' into feat/692-webhooks

teamhanko · Feb 12, 2024 · 0b6c5be · 0b6c5be
2 parents 0e5b5f7 + 7a8ed1a
commit 0b6c5be
Show file tree

Hide file tree

Showing 177 changed files with 1,267 additions and 468 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -17,3 +17,10 @@ updates:
     # Always increase the version requirement
     # to match the new version.
     versioning-strategy: increase
+
+  - package-ecosystem: "github-actions"
+    # Workflow files stored in the default location of `.github/workflows`.
+    # (You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.)
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/build-frontend.yml b/.github/workflows/build-frontend.yml
@@ -10,10 +10,10 @@ jobs:
   tests:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Setup Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: v18.14.2
 

diff --git a/.github/workflows/cli-publish.yml b/.github/workflows/cli-publish.yml
@@ -11,10 +11,10 @@ jobs:
   goreleaser:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version: stable
       - uses: goreleaser/goreleaser-action@v5

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -38,11 +38,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -69,4 +69,4 @@ jobs:
     #   ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -42,19 +42,19 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Setup Docker buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       # Login against a Docker registry except on PR
       # https://github.com/docker/login-action
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -64,7 +64,7 @@ jobs:
       # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ matrix.image }}
           tags: |
@@ -77,7 +77,7 @@ jobs:
       # https://github.com/docker/build-push-action
       - name: Build and push Docker image
         id: build-and-push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           platforms: linux/amd64,linux/arm64
           context: ${{ matrix.context }}

diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml
@@ -8,8 +8,8 @@ jobs:
     name: Deploy to GitHub Pages
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
         with:
           node-version: 18
           cache: npm

diff --git a/.github/workflows/docs-test-deploy.yml b/.github/workflows/docs-test-deploy.yml
@@ -10,8 +10,8 @@ jobs:
     name: Test deployment
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
         with:
           node-version: 18
           cache: npm

diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Start containers
         working-directory: ./deploy/docker-compose
@@ -33,7 +33,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Start containers
         working-directory: ./deploy/docker-compose
@@ -59,7 +59,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Copy config
         working-directory: ./deploy/docker-compose

diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -11,10 +11,10 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
 
     - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v5
       with:
         go-version: '1.20'
 

diff --git a/.github/workflows/release-frontend-sdk.yml b/.github/workflows/release-frontend-sdk.yml
@@ -13,7 +13,7 @@ jobs:
   check-matching-versions:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: get-npm-version
         id: package-version
         uses: martinbeentjes/npm-get-version-action@main
@@ -26,7 +26,7 @@ jobs:
       - run: echo ${{ steps.tag-version.outputs.git_tag_version }}
       - name: Version correctly set check
         if: steps.package-version.outputs.current-version != steps.tag-version.outputs.git_tag_version
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         with:
           script: |
             core.setFailed('version in package.json is not equal to git tag version!')
@@ -35,8 +35,8 @@ jobs:
     needs: check-matching-versions
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
         with:
           node-version: 16
           registry-url: https://registry.npmjs.org/

diff --git a/.github/workflows/release-hanko-elements.yml b/.github/workflows/release-hanko-elements.yml
@@ -13,7 +13,7 @@ jobs:
   check-matching-versions:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: get-npm-version
         id: package-version
         uses: martinbeentjes/npm-get-version-action@main
@@ -26,7 +26,7 @@ jobs:
       - run: echo ${{ steps.tag-version.outputs.git_tag_version }}
       - name: Version correctly set check
         if: steps.package-version.outputs.current-version != steps.tag-version.outputs.git_tag_version
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         with:
           script: |
             core.setFailed('version in package.json is not equal to git tag version!')
@@ -35,8 +35,8 @@ jobs:
     needs: check-matching-versions
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
         with:
           node-version: 16
           registry-url: https://registry.npmjs.org/

diff --git a/backend/Dockerfile b/backend/Dockerfile
@@ -28,6 +28,7 @@ COPY build_info build_info/
 COPY middleware middleware/
 COPY template template/
 COPY utils utils/
+COPY mapper mapper/
 COPY webhooks webhooks/
 
 # Build

diff --git a/backend/Dockerfile.debug b/backend/Dockerfile.debug
@@ -1,9 +1,9 @@
 # Build the hanko binary
-FROM golang:1.20 as builder
+FROM golang:1.20 AS builder
 WORKDIR /workspace
 
 # Get Delve
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go install github.com/go-delve/delve/cmd/dlv@latest
+RUN CGO_ENABLED=0 GOOS=linux GOARCH="$TARGETARCH" go install github.com/go-delve/delve/cmd/dlv@latest
 
 COPY go.mod go.mod
 COPY go.sum go.sum
@@ -29,10 +29,11 @@ COPY build_info build_info/
 COPY middleware middleware/
 COPY template template/
 COPY utils utils/
+COPY mapper mapper/
 
 # Build
 RUN go generate ./...
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -gcflags="all=-N -l" -a -o hanko main.go
+RUN CGO_ENABLED=0 GOOS=linux GOARCH="$TARGETARCH" go build -gcflags="all=-N -l" -a -o hanko main.go
 
 # Use distroless as minimal base image to package hanko binary
 # See https://github.com/GoogleContainerTools/distroless for details

diff --git a/backend/README.md b/backend/README.md
@@ -434,8 +434,24 @@ Hanko service behind a proxy or gateway (e.g. Kong, Traefik) to provide addition
 ### Social Logins
 
 Hanko supports OAuth-based ([authorization code flow](https://www.rfc-editor.org/rfc/rfc6749#section-1.3.1)) third
-party provider logins. Please view the official [docs](https://docs.hanko.io/guides/social) for a list of supported
-providers and guides.
+party provider logins. See the `third_party` option in the [configuration reference](./docs/Config.md) on how to
+configure them. All provider configurations require provider credentials. See the guides in the official
+documentation for instructions on how to obtain these:
+
+- [Apple](https://docs.hanko.io/guides/authentication-methods/oauth/apple)
+- [GitHub](https://docs.hanko.io/guides/authentication-methods/oauth/github)
+- [Google](https://docs.hanko.io/guides/authentication-methods/oauth/google)
+
+#### Account linking
+
+The `allow_linking` configuration option for providers determines whether automatic account linking for this provider
+is activated. Note that account linking is based on e-mail addresses and OAuth providers may allow account holders to
+use unverified e-mail addresses or may not provide any information at all about the verification status of e-mail
+addresses. This poses a security risk and potentially allows bad actors to hijack existing Hanko
+accounts associated with the same address. It is therefore recommended to make sure you trust the provider and to
+also enable `emails.require_verification` in your configuration to ensure that only verified third party provider
+addresses may be used.
+
 
 ### User import
 You can import an existing user pool into Hanko using json in the following format:

diff --git a/backend/cmd/serve/all.go b/backend/cmd/serve/all.go
@@ -7,6 +7,7 @@ import (
 	"github.com/labstack/echo-contrib/echoprometheus"
 	"github.com/spf13/cobra"
 	"github.com/teamhanko/hanko/backend/config"
+	"github.com/teamhanko/hanko/backend/mapper"
 	"github.com/teamhanko/hanko/backend/persistence"
 	"github.com/teamhanko/hanko/backend/server"
 	"log"
@@ -15,7 +16,8 @@ import (
 
 func NewServeAllCommand() *cobra.Command {
 	var (
-		configFile string
+		configFile                string
+		authenticatorMetadataFile string
 	)
 
 	cmd := &cobra.Command{
@@ -28,6 +30,8 @@ func NewServeAllCommand() *cobra.Command {
 				log.Fatal(err)
 			}
 
+			authenticatorMetadata := mapper.LoadAuthenticatorMetadata(&authenticatorMetadataFile)
+
 			persister, err := persistence.New(cfg.Database)
 			if err != nil {
 				log.Fatal(err)
@@ -37,14 +41,15 @@ func NewServeAllCommand() *cobra.Command {
 
 			prometheus := echoprometheus.NewMiddleware("hanko")
 
-			go server.StartPublic(cfg, &wg, persister, prometheus)
+			go server.StartPublic(cfg, &wg, persister, prometheus, authenticatorMetadata)
 			go server.StartAdmin(cfg, &wg, persister, prometheus)
 
 			wg.Wait()
 		},
 	}
 
 	cmd.Flags().StringVar(&configFile, "config", config.DefaultConfigFilePath, "config file")
+	cmd.Flags().StringVar(&authenticatorMetadataFile, "auth-meta", "", "authenticator metadata file")
 
 	return cmd
 }
diff --git a/backend/cmd/serve/public.go b/backend/cmd/serve/public.go
@@ -6,6 +6,7 @@ package serve
 import (
 	"github.com/spf13/cobra"
 	"github.com/teamhanko/hanko/backend/config"
+	"github.com/teamhanko/hanko/backend/mapper"
 	"github.com/teamhanko/hanko/backend/persistence"
 	"github.com/teamhanko/hanko/backend/server"
 	"log"
@@ -14,7 +15,8 @@ import (
 
 func NewServePublicCommand() *cobra.Command {
 	var (
-		configFile string
+		configFile                string
+		authenticatorMetadataFile string
 	)
 
 	cmd := &cobra.Command{
@@ -27,20 +29,23 @@ func NewServePublicCommand() *cobra.Command {
 				log.Fatal(err)
 			}
 
+			authenticatorMetadata := mapper.LoadAuthenticatorMetadata(&authenticatorMetadataFile)
+
 			persister, err := persistence.New(cfg.Database)
 			if err != nil {
 				log.Fatal(err)
 			}
 			var wg sync.WaitGroup
 			wg.Add(1)
 
-			go server.StartPublic(cfg, &wg, persister, nil)
+			go server.StartPublic(cfg, &wg, persister, nil, authenticatorMetadata)
 
 			wg.Wait()
 		},
 	}
 
 	cmd.Flags().StringVar(&configFile, "config", config.DefaultConfigFilePath, "config file")
+	cmd.Flags().StringVar(&authenticatorMetadataFile, "auth-meta", "", "authenticator metadata file")
 
 	return cmd
 }