zitadel/internal/api/http/middleware/origin_interceptor.go

package middleware

import (
	"fmt"
	"net/http"
	"net/url"

	"github.com/muhlemmer/httpforwarded"
	"github.com/zitadel/logging"

	http_util "github.com/zitadel/zitadel/internal/api/http"
)

func OriginHandler(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := composeOrigin(r)
		if !http_util.IsOrigin(origin) {
			logging.Debugf("extracted origin is not valid: %s", origin)
			next.ServeHTTP(w, r)
			return
		}
		next.ServeHTTP(w, r.WithContext(http_util.WithComposedOrigin(r.Context(), origin)))
	})
}

func composeOrigin(r *http.Request) string {
	if origin, err := originFromForwardedHeader(r); err != nil {
		logging.OnError(err).Debug("failed to build origin from forwarded header, trying x-forwarded-* headers")
	} else {
		return origin
	}
	if origin, err := originFromXForwardedHeaders(r); err != nil {
		logging.OnError(err).Debug("failed to build origin from x-forwarded-* headers, using host header")
	} else {
		return origin
	}
	scheme := "https"
	if r.TLS == nil {
		scheme = "http"
	}
	return fmt.Sprintf("%s://%s", scheme, r.Host)
}

func originFromForwardedHeader(r *http.Request) (string, error) {
	fwd, err := httpforwarded.ParseFromRequest(r)
	if err != nil {
		return "", err
	}
	var fwdProto, fwdHost, fwdPort string
	if fwdProto = mostRecentValue(fwd, "proto"); fwdProto == "" {
		return "", fmt.Errorf("no proto in forwarded header")
	}
	if fwdHost = mostRecentValue(fwd, "host"); fwdHost == "" {
		return "", fmt.Errorf("no host in forwarded header")
	}
	fwdPort, foundFwdFor := extractPort(mostRecentValue(fwd, "for"))
	if !foundFwdFor {
		return "", fmt.Errorf("no for in forwarded header")
	}
	o := fmt.Sprintf("%s://%s", fwdProto, fwdHost)
	if fwdPort != "" {
		o += ":" + fwdPort
	}
	return o, nil
}

func originFromXForwardedHeaders(r *http.Request) (string, error) {
	scheme := r.Header.Get("X-Forwarded-Proto")
	if scheme == "" {
		return "", fmt.Errorf("no X-Forwarded-Proto header")
	}
	host := r.Header.Get("X-Forwarded-Host")
	if host == "" {
		return "", fmt.Errorf("no X-Forwarded-Host header")
	}
	return fmt.Sprintf("%s://%s", scheme, host), nil
}

func extractPort(raw string) (string, bool) {
	if u, ok := parseURL(raw); ok {
		return u.Port(), ok
	}
	return "", false
}

func parseURL(raw string) (*url.URL, bool) {
	if raw == "" {
		return nil, false
	}
	u, err := url.Parse(raw)
	return u, err == nil
}

func mostRecentValue(forwarded map[string][]string, key string) string {
	if forwarded == nil {
		return ""
	}
	values := forwarded[key]
	if len(values) == 0 {
		return ""
	}
	return values[len(values)-1]
}
fix: use triggering origin for notification links (#6628) * take baseurl if saved on event * refactor: make es mocks reusable * Revert "refactor: make es mocks reusable" This reverts commit 434ce12a6acf639514308bc231e76ebb8676b643. * make messages testable * test asset url * fmt * fmt * simplify notification.Start * test url combinations * support init code added * support password changed * support reset pw * support user domain claimed * support add pwless login * support verify phone * Revert "support verify phone" This reverts commit e40503303e2fdda0c85985b3fe3160ce96d43cca. * save trigger origin from ctx * add ready for review check * camel * test email otp * fix variable naming * fix DefaultOTPEmailURLV2 * Revert "fix DefaultOTPEmailURLV2" This reverts commit fa34d4d2a83fbfd8353759c9148af9165a9dd44c. * fix email otp challenged test * fix email otp challenged test * pass origin in login and gateway requests * take origin from header * take x-forwarded if present * Update internal/notification/handlers/queries.go Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> * Update internal/notification/handlers/commands.go Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> * move origin header to ctx if available * generate * cleanup * use forwarded header * support X-Forwarded-* headers * standardize context handling * fix linting --------- Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> 2023-10-10 13:20:53 +00:00			`package middleware`

			`import (`
			`"fmt"`
			`"net/http"`
			`"net/url"`

			`"github.com/muhlemmer/httpforwarded"`
			`"github.com/zitadel/logging"`

			`http_util "github.com/zitadel/zitadel/internal/api/http"`
			`)`

			`func OriginHandler(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`origin := composeOrigin(r)`
			`if !http_util.IsOrigin(origin) {`
			`logging.Debugf("extracted origin is not valid: %s", origin)`
			`next.ServeHTTP(w, r)`
			`return`
			`}`
			`next.ServeHTTP(w, r.WithContext(http_util.WithComposedOrigin(r.Context(), origin)))`
			`})`
			`}`

			`func composeOrigin(r *http.Request) string {`
			`if origin, err := originFromForwardedHeader(r); err != nil {`
			`logging.OnError(err).Debug("failed to build origin from forwarded header, trying x-forwarded-* headers")`
			`} else {`
			`return origin`
			`}`
			`if origin, err := originFromXForwardedHeaders(r); err != nil {`
			`logging.OnError(err).Debug("failed to build origin from x-forwarded-* headers, using host header")`
			`} else {`
			`return origin`
			`}`
			`scheme := "https"`
			`if r.TLS == nil {`
			`scheme = "http"`
			`}`
			`return fmt.Sprintf("%s://%s", scheme, r.Host)`
			`}`

			`func originFromForwardedHeader(r *http.Request) (string, error) {`
			`fwd, err := httpforwarded.ParseFromRequest(r)`
			`if err != nil {`
			`return "", err`
			`}`
			`var fwdProto, fwdHost, fwdPort string`
			`if fwdProto = mostRecentValue(fwd, "proto"); fwdProto == "" {`
			`return "", fmt.Errorf("no proto in forwarded header")`
			`}`
			`if fwdHost = mostRecentValue(fwd, "host"); fwdHost == "" {`
			`return "", fmt.Errorf("no host in forwarded header")`
			`}`
			`fwdPort, foundFwdFor := extractPort(mostRecentValue(fwd, "for"))`
			`if !foundFwdFor {`
			`return "", fmt.Errorf("no for in forwarded header")`
			`}`
			`o := fmt.Sprintf("%s://%s", fwdProto, fwdHost)`
			`if fwdPort != "" {`
			`o += ":" + fwdPort`
			`}`
			`return o, nil`
			`}`

			`func originFromXForwardedHeaders(r *http.Request) (string, error) {`
			`scheme := r.Header.Get("X-Forwarded-Proto")`
			`if scheme == "" {`
			`return "", fmt.Errorf("no X-Forwarded-Proto header")`
			`}`
			`host := r.Header.Get("X-Forwarded-Host")`
			`if host == "" {`
			`return "", fmt.Errorf("no X-Forwarded-Host header")`
			`}`
			`return fmt.Sprintf("%s://%s", scheme, host), nil`
			`}`

			`func extractPort(raw string) (string, bool) {`
			`if u, ok := parseURL(raw); ok {`
			`return u.Port(), ok`
			`}`
			`return "", false`
			`}`

			`func parseURL(raw string) (*url.URL, bool) {`
			`if raw == "" {`
			`return nil, false`
			`}`
			`u, err := url.Parse(raw)`
			`return u, err == nil`
			`}`

			`func mostRecentValue(forwarded map[string][]string, key string) string {`
			`if forwarded == nil {`
			`return ""`
			`}`
			`values := forwarded[key]`
			`if len(values) == 0 {`
			`return ""`
			`}`
			`return values[len(values)-1]`
			`}`