fix: improvements for login and oidc (#227)

* add csrf * caching * caching * caching * caching * security headers * csp and security headers * error handler csp * select user with display name * csp * user selection styling * username to loginname * regenerate grpc * regenerate * change to login name
2025-08-12 00:47:33 +00:00 · 2020-06-17 08:06:40 +02:00
parent dfe6d0deb4
commit 1c59d18fee
108 changed files with 19226 additions and 19220 deletions
--- a/internal/api/http/middleware/csp.go
+++ b/internal/api/http/middleware/csp.go
@@ -0,0 +1,125 @@
+package middleware
+
+import (
+	"fmt"
+	"strings"
+)
+
+type CSP struct {
+	DefaultSrc CSPSourceOptions
+	ScriptSrc  CSPSourceOptions
+	ObjectSrc  CSPSourceOptions
+	StyleSrc   CSPSourceOptions
+	ImgSrc     CSPSourceOptions
+	MediaSrc   CSPSourceOptions
+	FrameSrc   CSPSourceOptions
+	FontSrc    CSPSourceOptions
+	ConnectSrc CSPSourceOptions
+	FormAction CSPSourceOptions
+}
+
+var (
+	DefaultSCP = CSP{
+		DefaultSrc: CSPSourceOptsNone(),
+		ScriptSrc:  CSPSourceOptsSelf(),
+		ObjectSrc:  CSPSourceOptsNone(),
+		StyleSrc:   CSPSourceOptsSelf(),
+		ImgSrc:     CSPSourceOptsSelf(),
+		MediaSrc:   CSPSourceOptsNone(),
+		FrameSrc:   CSPSourceOptsNone(),
+		FontSrc:    CSPSourceOptsSelf(),
+		ConnectSrc: CSPSourceOptsSelf(),
+	}
+)
+
+func (csp *CSP) Value(nonce string) string {
+	valuesMap := csp.asMap()
+
+	values := make([]string, 0, len(valuesMap))
+	for k, v := range valuesMap {
+		if v == nil {
+			continue
+		}
+
+		values = append(values, fmt.Sprintf("%v %v", k, v.String(nonce)))
+	}
+
+	return strings.Join(values, ";")
+}
+
+func (csp *CSP) asMap() map[string]CSPSourceOptions {
+	return map[string]CSPSourceOptions{
+		"default-src": csp.DefaultSrc,
+		"script-src":  csp.ScriptSrc,
+		"object-src":  csp.ObjectSrc,
+		"style-src":   csp.StyleSrc,
+		"img-src":     csp.ImgSrc,
+		"media-src":   csp.MediaSrc,
+		"frame-src":   csp.FrameSrc,
+		"font-src":    csp.FontSrc,
+		"connect-src": csp.ConnectSrc,
+		"form-action": csp.FormAction,
+	}
+}
+
+type CSPSourceOptions []string
+
+func CSPSourceOpts() CSPSourceOptions {
+	return CSPSourceOptions{}
+}
+
+func CSPSourceOptsNone() CSPSourceOptions {
+	return []string{"'none'"}
+}
+
+func CSPSourceOptsSelf() CSPSourceOptions {
+	return []string{"'self'"}
+}
+
+func (srcOpts CSPSourceOptions) AddSelf() CSPSourceOptions {
+	return append(srcOpts, "'self'")
+}
+
+func (srcOpts CSPSourceOptions) AddInline() CSPSourceOptions {
+	return append(srcOpts, "'unsafe-inline'")
+}
+
+func (srcOpts CSPSourceOptions) AddEval() CSPSourceOptions {
+	return append(srcOpts, "'unsafe-eval'")
+}
+
+func (srcOpts CSPSourceOptions) AddStrictDynamic() CSPSourceOptions {
+	return append(srcOpts, "'strict-dynamic'")
+}
+
+func (srcOpts CSPSourceOptions) AddHost(h ...string) CSPSourceOptions {
+	return append(srcOpts, h...)
+}
+
+func (srcOpts CSPSourceOptions) AddScheme(s ...string) CSPSourceOptions {
+	return srcOpts.add(s, "%v:")
+}
+
+func (srcOpts CSPSourceOptions) AddNonce() CSPSourceOptions {
+	return append(srcOpts, "'nonce-%v'")
+}
+
+func (srcOpts CSPSourceOptions) AddHash(alg, b64v string) CSPSourceOptions {
+	return append(srcOpts, fmt.Sprintf("'%v-%v'", alg, b64v))
+}
+
+func (srcOpts CSPSourceOptions) String(nonce string) string {
+	value := strings.Join(srcOpts, " ")
+	if !strings.Contains(value, "%v") {
+		return value
+	}
+	return fmt.Sprintf(value, nonce)
+}
+
+func (srcOpts CSPSourceOptions) add(values []string, format string) CSPSourceOptions {
+	for i, v := range values {
+		values[i] = fmt.Sprintf(format, v)
+	}
+
+	return append(srcOpts, values...)
+}