zitadel/internal/api/authz/session_token.go

package authz

import (
	"context"
	"encoding/base64"
	"fmt"

	"github.com/zitadel/zitadel/internal/crypto"
	"github.com/zitadel/zitadel/internal/telemetry/tracing"
	"github.com/zitadel/zitadel/internal/zerrors"
)

const (
	SessionTokenPrefix = "sess_"
	SessionTokenFormat = SessionTokenPrefix + "%s:%s"
)

func SessionTokenVerifier(algorithm crypto.EncryptionAlgorithm) func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) {
	return func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) {
		decodedToken, err := base64.RawURLEncoding.DecodeString(sessionToken)
		if err != nil {
			return err
		}
		_, spanPasswordComparison := tracing.NewNamedSpan(ctx, "crypto.CompareHash")
		token, err := algorithm.DecryptString(decodedToken, algorithm.EncryptionKeyID())
		spanPasswordComparison.EndWithError(err)
		if err != nil || token != fmt.Sprintf(SessionTokenFormat, sessionID, tokenID) {
			return zerrors.ThrowPermissionDenied(err, "COMMAND-sGr42", "Errors.Session.Token.Invalid")
		}
		return nil
	}
}
feat: add SYSTEM_OWNER role (#6765) * define roles and permissions * support system user memberships * don't limit system users * cleanup permissions * restrict memberships to aggregates * default to SYSTEM_OWNER * update unit tests * test: system user token test (#6778) * update unit tests * refactor: make authz testable * move session constants * cleanup * comment * comment * decode member type string to enum (#6780) * decode member type string to enum * handle all membership types * decode enums where necessary * decode member type in steps config * update system api docs * add technical advisory * tweak docs a bit * comment in comment * lint * extract token from Bearer header prefix * review changes * fix tests * fix: add fix for activityhandler * add isSystemUser * remove IsSystemUser from activity info * fix: add fix for activityhandler --------- Co-authored-by: Stefan Benz <stefan@caos.ch> 2023-10-25 15:10:45 +00:00			`package authz`

			`import (`
			`"context"`
			`"encoding/base64"`
			`"fmt"`

			`"github.com/zitadel/zitadel/internal/crypto"`
			`"github.com/zitadel/zitadel/internal/telemetry/tracing"`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 14:30:55 +00:00			`"github.com/zitadel/zitadel/internal/zerrors"`
feat: add SYSTEM_OWNER role (#6765) * define roles and permissions * support system user memberships * don't limit system users * cleanup permissions * restrict memberships to aggregates * default to SYSTEM_OWNER * update unit tests * test: system user token test (#6778) * update unit tests * refactor: make authz testable * move session constants * cleanup * comment * comment * decode member type string to enum (#6780) * decode member type string to enum * handle all membership types * decode enums where necessary * decode member type in steps config * update system api docs * add technical advisory * tweak docs a bit * comment in comment * lint * extract token from Bearer header prefix * review changes * fix tests * fix: add fix for activityhandler * add isSystemUser * remove IsSystemUser from activity info * fix: add fix for activityhandler --------- Co-authored-by: Stefan Benz <stefan@caos.ch> 2023-10-25 15:10:45 +00:00			`)`

			`const (`
			`SessionTokenPrefix = "sess_"`
			`SessionTokenFormat = SessionTokenPrefix + "%s:%s"`
			`)`

			`func SessionTokenVerifier(algorithm crypto.EncryptionAlgorithm) func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) {`
			`return func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) {`
			`decodedToken, err := base64.RawURLEncoding.DecodeString(sessionToken)`
			`if err != nil {`
			`return err`
			`}`
			`_, spanPasswordComparison := tracing.NewNamedSpan(ctx, "crypto.CompareHash")`
			`token, err := algorithm.DecryptString(decodedToken, algorithm.EncryptionKeyID())`
			`spanPasswordComparison.EndWithError(err)`
			`if err != nil \|\| token != fmt.Sprintf(SessionTokenFormat, sessionID, tokenID) {`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 14:30:55 +00:00			`return zerrors.ThrowPermissionDenied(err, "COMMAND-sGr42", "Errors.Session.Token.Invalid")`
feat: add SYSTEM_OWNER role (#6765) * define roles and permissions * support system user memberships * don't limit system users * cleanup permissions * restrict memberships to aggregates * default to SYSTEM_OWNER * update unit tests * test: system user token test (#6778) * update unit tests * refactor: make authz testable * move session constants * cleanup * comment * comment * decode member type string to enum (#6780) * decode member type string to enum * handle all membership types * decode enums where necessary * decode member type in steps config * update system api docs * add technical advisory * tweak docs a bit * comment in comment * lint * extract token from Bearer header prefix * review changes * fix tests * fix: add fix for activityhandler * add isSystemUser * remove IsSystemUser from activity info * fix: add fix for activityhandler --------- Co-authored-by: Stefan Benz <stefan@caos.ch> 2023-10-25 15:10:45 +00:00			`}`
			`return nil`
			`}`
			`}`