fix: improve interceptor handling (#3578)

* fix: improve interceptor handling * fix: improve interceptor handling Co-authored-by: Florian Forster <florian@caos.ch>
2025-08-12 00:27:31 +00:00 · 2022-05-02 17:26:54 +02:00
parent 20f275f178
commit 06a1b52adf
9 changed files with 81 additions and 28 deletions
--- a/internal/api/http/cookie.go
+++ b/internal/api/http/cookie.go
@@ -136,4 +136,11 @@ func (c *CookieHandler) httpSet(w http.ResponseWriter, name, domain, value strin
 		Secure:   c.secureOnly,
 		SameSite: c.sameSite,
 	})
+	varyValues := w.Header().Values("vary")
+	for _, vary := range varyValues {
+		if vary == "Cookie" {
+			return
+		}
+	}
+	w.Header().Add("vary", "Cookie")
 }
--- a/internal/api/http/middleware/instance_interceptor.go
+++ b/internal/api/http/middleware/instance_interceptor.go
@@ -4,25 +4,34 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"strings"

 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 )

 type instanceInterceptor struct {
-	verifier   authz.InstanceVerifier
-	headerName string
+	verifier        authz.InstanceVerifier
+	headerName      string
+	ignoredPrefixes []string
 }

-func InstanceInterceptor(verifier authz.InstanceVerifier, headerName string) *instanceInterceptor {
+func InstanceInterceptor(verifier authz.InstanceVerifier, headerName string, ignoredPrefixes ...string) *instanceInterceptor {
 	return &instanceInterceptor{
-		verifier:   verifier,
-		headerName: headerName,
+		verifier:        verifier,
+		headerName:      headerName,
+		ignoredPrefixes: ignoredPrefixes,
 	}
 }

 func (a *instanceInterceptor) Handler(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		for _, prefix := range a.ignoredPrefixes {
+			if strings.HasPrefix(r.URL.Path, prefix) {
+				next.ServeHTTP(w, r)
+				return
+			}
+		}
 		ctx, err := setInstance(r, a.verifier, a.headerName)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusUnauthorized)
@@ -35,6 +44,12 @@ func (a *instanceInterceptor) Handler(next http.Handler) http.Handler {

 func (a *instanceInterceptor) HandlerFunc(next http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
+		for _, prefix := range a.ignoredPrefixes {
+			if strings.HasPrefix(r.URL.Path, prefix) {
+				next.ServeHTTP(w, r)
+				return
+			}
+		}
 		ctx, err := setInstance(r, a.verifier, a.headerName)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusForbidden)
--- a/internal/api/http/middleware/user_agent_cookie.go
+++ b/internal/api/http/middleware/user_agent_cookie.go
@@ -3,6 +3,7 @@ package middleware
 import (
 	"context"
 	"net/http"
+	"strings"
 	"time"

 	http_utils "github.com/zitadel/zitadel/internal/api/http"
@@ -26,10 +27,11 @@ type UserAgent struct {
 }

 type userAgentHandler struct {
-	cookieHandler *http_utils.CookieHandler
-	cookieName    string
-	idGenerator   id.Generator
-	nextHandler   http.Handler
+	cookieHandler   *http_utils.CookieHandler
+	cookieName      string
+	idGenerator     id.Generator
+	nextHandler     http.Handler
+	ignoredPrefixes []string
 }

 type UserAgentCookieConfig struct {
@@ -37,7 +39,7 @@ type UserAgentCookieConfig struct {
 	MaxAge time.Duration
 }

-func NewUserAgentHandler(config *UserAgentCookieConfig, cookieKey []byte, idGenerator id.Generator, externalSecure bool) (func(http.Handler) http.Handler, error) {
+func NewUserAgentHandler(config *UserAgentCookieConfig, cookieKey []byte, idGenerator id.Generator, externalSecure bool, ignoredPrefixes ...string) (func(http.Handler) http.Handler, error) {
 	opts := []http_utils.CookieHandlerOpt{
 		http_utils.WithEncryption(cookieKey, cookieKey),
 		http_utils.WithMaxAge(int(config.MaxAge.Seconds())),
@@ -47,15 +49,22 @@ func NewUserAgentHandler(config *UserAgentCookieConfig, cookieKey []byte, idGene
 	}
 	return func(handler http.Handler) http.Handler {
 		return &userAgentHandler{
-			nextHandler:   handler,
-			cookieName:    config.Name,
-			cookieHandler: http_utils.NewCookieHandler(opts...),
-			idGenerator:   idGenerator,
+			nextHandler:     handler,
+			cookieName:      config.Name,
+			cookieHandler:   http_utils.NewCookieHandler(opts...),
+			idGenerator:     idGenerator,
+			ignoredPrefixes: ignoredPrefixes,
 		}
 	}, nil
 }

 func (ua *userAgentHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	for _, prefix := range ua.ignoredPrefixes {
+		if strings.HasPrefix(r.URL.Path, prefix) {
+			ua.nextHandler.ServeHTTP(w, r)
+			return
+		}
+	}
 	agent, err := ua.getUserAgent(r)
 	if err != nil {
 		agent, err = ua.newUserAgent()