fix: improvements for login and oidc (#227)

* add csrf * caching * caching * caching * caching * security headers * csp and security headers * error handler csp * select user with display name * csp * user selection styling * username to loginname * regenerate grpc * regenerate * change to login name
2025-08-12 00:47:33 +00:00 · 2020-06-17 08:06:40 +02:00
parent dfe6d0deb4
commit 1c59d18fee
108 changed files with 19226 additions and 19220 deletions
--- a/internal/api/http/middleware/security_headers.go
+++ b/internal/api/http/middleware/security_headers.go
@@ -0,0 +1,90 @@
+package middleware
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/base64"
+	"net/http"
+
+	"github.com/caos/zitadel/internal/api"
+)
+
+type key int
+
+const (
+	nonceKey key = 0
+
+	DefaultNonceLength = uint(32)
+)
+
+func SecurityHeaders(csp *CSP, errorHandler func(error) http.Handler, nonceLength ...uint) func(http.Handler) http.Handler {
+	return func(handler http.Handler) http.Handler {
+		if csp == nil {
+			csp = &DefaultSCP
+		}
+		length := DefaultNonceLength
+		if len(nonceLength) > 0 {
+			length = nonceLength[0]
+		}
+		return &headers{
+			csp:          csp,
+			handler:      handler,
+			errorHandler: errorHandler,
+			nonceLength:  length,
+		}
+	}
+}
+
+type headers struct {
+	csp          *CSP
+	handler      http.Handler
+	errorHandler func(err error) http.Handler
+	nonceLength  uint
+}
+
+func (h *headers) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	nonce := GetNonce(r)
+	if nonce == "" {
+		var err error
+		nonce, err = generateNonce(h.nonceLength)
+		if err != nil {
+			h.errorHandler(err).ServeHTTP(w, r)
+			return
+		}
+		r = saveContext(r, nonceKey, nonce)
+	}
+	headers := w.Header()
+	headers.Set(api.ContentSecurityPolicy, h.csp.Value(nonce))
+	headers.Set(api.XXSSProtection, "1; mode=block")
+	headers.Set(api.StrictTransportSecurity, "max-age=31536000; includeSubDomains")
+	headers.Set(api.XFrameOptions, "DENY")
+	headers.Set(api.XContentTypeOptions, "nosniff")
+	headers.Set(api.ReferrerPolicy, "same-origin")
+	headers.Set(api.FeaturePolicy, "payment 'none'")
+	//PLANNED: add expect-ct
+
+	h.handler.ServeHTTP(w, r)
+}
+
+func GetNonce(r *http.Request) string {
+	nonce, _ := getContext(r, nonceKey).(string)
+	return nonce
+}
+
+func generateNonce(length uint) (string, error) {
+	b := make([]byte, length)
+	_, err := rand.Read(b)
+	if err != nil {
+		return "", err
+	}
+	return base64.StdEncoding.EncodeToString(b), nil
+}
+
+func saveContext(r *http.Request, key, value interface{}) *http.Request {
+	ctx := context.WithValue(r.Context(), key, value)
+	return r.WithContext(ctx)
+}
+
+func getContext(r *http.Request, key interface{}) interface{} {
+	return r.Context().Value(key)
+}