zitadel/internal/api/authz/session_token.go

package authz

import (
	"context"
	"encoding/base64"
	"fmt"

	"github.com/zitadel/zitadel/internal/crypto"
	zitadel_errors "github.com/zitadel/zitadel/internal/errors"
	"github.com/zitadel/zitadel/internal/telemetry/tracing"
)

const (
	SessionTokenPrefix = "sess_"
	SessionTokenFormat = SessionTokenPrefix + "%s:%s"
)

func SessionTokenVerifier(algorithm crypto.EncryptionAlgorithm) func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) {
	return func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) {
		decodedToken, err := base64.RawURLEncoding.DecodeString(sessionToken)
		if err != nil {
			return err
		}
		_, spanPasswordComparison := tracing.NewNamedSpan(ctx, "crypto.CompareHash")
		token, err := algorithm.DecryptString(decodedToken, algorithm.EncryptionKeyID())
		spanPasswordComparison.EndWithError(err)
		if err != nil || token != fmt.Sprintf(SessionTokenFormat, sessionID, tokenID) {
			return zitadel_errors.ThrowPermissionDenied(err, "COMMAND-sGr42", "Errors.Session.Token.Invalid")
		}
		return nil
	}
}
feat: add SYSTEM_OWNER role (#6765) * define roles and permissions * support system user memberships * don't limit system users * cleanup permissions * restrict memberships to aggregates * default to SYSTEM_OWNER * update unit tests * test: system user token test (#6778) * update unit tests * refactor: make authz testable * move session constants * cleanup * comment * comment * decode member type string to enum (#6780) * decode member type string to enum * handle all membership types * decode enums where necessary * decode member type in steps config * update system api docs * add technical advisory * tweak docs a bit * comment in comment * lint * extract token from Bearer header prefix * review changes * fix tests * fix: add fix for activityhandler * add isSystemUser * remove IsSystemUser from activity info * fix: add fix for activityhandler --------- Co-authored-by: Stefan Benz <stefan@caos.ch> 2023-10-25 15:10:45 +00:00			`package authz`

			`import (`
			`"context"`
			`"encoding/base64"`
			`"fmt"`

			`"github.com/zitadel/zitadel/internal/crypto"`
			`zitadel_errors "github.com/zitadel/zitadel/internal/errors"`
			`"github.com/zitadel/zitadel/internal/telemetry/tracing"`
			`)`

			`const (`
			`SessionTokenPrefix = "sess_"`
			`SessionTokenFormat = SessionTokenPrefix + "%s:%s"`
			`)`

			`func SessionTokenVerifier(algorithm crypto.EncryptionAlgorithm) func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) {`
			`return func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) {`
			`decodedToken, err := base64.RawURLEncoding.DecodeString(sessionToken)`
			`if err != nil {`
			`return err`
			`}`
			`_, spanPasswordComparison := tracing.NewNamedSpan(ctx, "crypto.CompareHash")`
			`token, err := algorithm.DecryptString(decodedToken, algorithm.EncryptionKeyID())`
			`spanPasswordComparison.EndWithError(err)`
			`if err != nil \|\| token != fmt.Sprintf(SessionTokenFormat, sessionID, tokenID) {`
			`return zitadel_errors.ThrowPermissionDenied(err, "COMMAND-sGr42", "Errors.Session.Token.Invalid")`
			`}`
			`return nil`
			`}`
			`}`