2020-03-23 07:01:59 +01:00
|
|
|
package http
|
|
|
|
|
|
|
|
import (
|
|
|
|
"net/http"
|
2022-04-25 10:01:17 +02:00
|
|
|
"strings"
|
2020-03-23 07:01:59 +01:00
|
|
|
|
|
|
|
"github.com/gorilla/securecookie"
|
|
|
|
|
2023-12-08 16:30:55 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
2020-03-23 07:01:59 +01:00
|
|
|
)
|
|
|
|
|
2020-08-31 08:49:35 +02:00
|
|
|
const (
|
|
|
|
prefixSecure = "__Secure-"
|
|
|
|
prefixHost = "__Host-"
|
|
|
|
)
|
|
|
|
|
2020-03-23 07:01:59 +01:00
|
|
|
type CookieHandler struct {
|
|
|
|
securecookie *securecookie.SecureCookie
|
|
|
|
secureOnly bool
|
2020-08-31 08:49:35 +02:00
|
|
|
httpOnly bool
|
2020-03-23 07:01:59 +01:00
|
|
|
sameSite http.SameSite
|
|
|
|
path string
|
|
|
|
maxAge int
|
|
|
|
}
|
|
|
|
|
|
|
|
func NewCookieHandler(opts ...CookieHandlerOpt) *CookieHandler {
|
|
|
|
c := &CookieHandler{
|
|
|
|
secureOnly: true,
|
2020-08-31 08:49:35 +02:00
|
|
|
httpOnly: true,
|
2020-03-23 07:01:59 +01:00
|
|
|
sameSite: http.SameSiteLaxMode,
|
|
|
|
path: "/",
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, opt := range opts {
|
|
|
|
opt(c)
|
|
|
|
}
|
|
|
|
return c
|
|
|
|
}
|
|
|
|
|
|
|
|
type CookieHandlerOpt func(*CookieHandler)
|
|
|
|
|
|
|
|
func WithEncryption(hashKey, encryptKey []byte) CookieHandlerOpt {
|
|
|
|
return func(c *CookieHandler) {
|
|
|
|
c.securecookie = securecookie.New(hashKey, encryptKey)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func WithUnsecure() CookieHandlerOpt {
|
|
|
|
return func(c *CookieHandler) {
|
|
|
|
c.secureOnly = false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-08-31 08:49:35 +02:00
|
|
|
func WithNonHttpOnly() CookieHandlerOpt {
|
|
|
|
return func(c *CookieHandler) {
|
|
|
|
c.httpOnly = false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-03-23 07:01:59 +01:00
|
|
|
func WithSameSite(sameSite http.SameSite) CookieHandlerOpt {
|
|
|
|
return func(c *CookieHandler) {
|
|
|
|
c.sameSite = sameSite
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func WithPath(path string) CookieHandlerOpt {
|
|
|
|
return func(c *CookieHandler) {
|
|
|
|
c.path = path
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func WithMaxAge(maxAge int) CookieHandlerOpt {
|
|
|
|
return func(c *CookieHandler) {
|
|
|
|
c.maxAge = maxAge
|
2023-02-15 02:52:11 +01:00
|
|
|
if c.securecookie != nil {
|
|
|
|
c.securecookie.MaxAge(maxAge)
|
|
|
|
}
|
2020-03-23 07:01:59 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-08-31 08:49:35 +02:00
|
|
|
func SetCookiePrefix(name, domain, path string, secureOnly bool) string {
|
|
|
|
if !secureOnly {
|
|
|
|
return name
|
|
|
|
}
|
|
|
|
if domain != "" || path != "/" {
|
|
|
|
return prefixSecure + name
|
|
|
|
}
|
|
|
|
return prefixHost + name
|
|
|
|
}
|
|
|
|
|
2020-03-23 07:01:59 +01:00
|
|
|
func (c *CookieHandler) GetCookieValue(r *http.Request, name string) (string, error) {
|
|
|
|
cookie, err := r.Cookie(name)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
return cookie.Value, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *CookieHandler) GetEncryptedCookieValue(r *http.Request, name string, value interface{}) error {
|
2022-04-25 10:01:17 +02:00
|
|
|
cookie, err := r.Cookie(SetCookiePrefix(name, r.Host, c.path, c.secureOnly))
|
2020-03-23 07:01:59 +01:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if c.securecookie == nil {
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowInternal(nil, "HTTP-X6XpnL", "securecookie not configured")
|
2020-03-23 07:01:59 +01:00
|
|
|
}
|
2020-03-30 07:04:21 +02:00
|
|
|
return c.securecookie.Decode(name, cookie.Value, value)
|
2020-03-23 07:01:59 +01:00
|
|
|
}
|
|
|
|
|
2022-04-25 10:01:17 +02:00
|
|
|
func (c *CookieHandler) SetCookie(w http.ResponseWriter, name, domain, value string) {
|
|
|
|
c.httpSet(w, name, domain, value, c.maxAge)
|
2020-03-23 07:01:59 +01:00
|
|
|
}
|
|
|
|
|
2023-07-10 07:51:56 +02:00
|
|
|
func (c *CookieHandler) SetEncryptedCookie(w http.ResponseWriter, name, domain string, value interface{}, sameSiteNone bool) error {
|
2020-03-23 07:01:59 +01:00
|
|
|
if c.securecookie == nil {
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowInternal(nil, "HTTP-s2HUtx", "securecookie not configured")
|
2020-03-23 07:01:59 +01:00
|
|
|
}
|
|
|
|
encoded, err := c.securecookie.Encode(name, value)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2023-07-10 07:51:56 +02:00
|
|
|
sameSite := c.sameSite
|
|
|
|
if sameSiteNone {
|
|
|
|
sameSite = http.SameSiteNoneMode
|
|
|
|
}
|
|
|
|
c.httpSetWithSameSite(w, name, domain, encoded, c.maxAge, sameSite)
|
2020-03-23 07:01:59 +01:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2023-05-19 07:12:31 +02:00
|
|
|
func (c *CookieHandler) DeleteCookie(w http.ResponseWriter, name string) {
|
|
|
|
c.httpSet(w, name, "", "", -1)
|
2020-03-23 07:01:59 +01:00
|
|
|
}
|
|
|
|
|
2022-04-25 10:01:17 +02:00
|
|
|
func (c *CookieHandler) httpSet(w http.ResponseWriter, name, domain, value string, maxage int) {
|
2023-07-10 07:51:56 +02:00
|
|
|
c.httpSetWithSameSite(w, name, domain, value, maxage, c.sameSite)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *CookieHandler) httpSetWithSameSite(w http.ResponseWriter, name, domain, value string, maxage int, sameSite http.SameSite) {
|
2020-03-23 07:01:59 +01:00
|
|
|
http.SetCookie(w, &http.Cookie{
|
2022-04-25 10:01:17 +02:00
|
|
|
Name: SetCookiePrefix(name, domain, c.path, c.secureOnly),
|
2020-03-23 07:01:59 +01:00
|
|
|
Value: value,
|
2022-04-25 10:01:17 +02:00
|
|
|
Domain: strings.Split(domain, ":")[0],
|
2020-03-23 07:01:59 +01:00
|
|
|
Path: c.path,
|
|
|
|
MaxAge: maxage,
|
2020-08-31 08:49:35 +02:00
|
|
|
HttpOnly: c.httpOnly,
|
2020-03-23 07:01:59 +01:00
|
|
|
Secure: c.secureOnly,
|
2023-07-10 07:51:56 +02:00
|
|
|
SameSite: sameSite,
|
2020-03-23 07:01:59 +01:00
|
|
|
})
|
2022-05-02 17:26:54 +02:00
|
|
|
varyValues := w.Header().Values("vary")
|
|
|
|
for _, vary := range varyValues {
|
|
|
|
if vary == "Cookie" {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
w.Header().Add("vary", "Cookie")
|
2020-03-23 07:01:59 +01:00
|
|
|
}
|