From 1cefa7cb409419c48d716d262dabef89dd806598 Mon Sep 17 00:00:00 2001
From: Livio Spring
Date: Wed, 21 Aug 2024 18:36:16 +0200
Subject: [PATCH] fix: respect x-zitadel-forwarded header again (#8473)
# Which Problems Are Solved
#8369 added the possibility to handle trusted domains for public hosts as response. Additionally, the OIDC issuer is extracted from the `DomainContext` and not from headers anymore. This accidentally dropped support for the `x-zitadel-forwarded`.
# How the Problems Are Solved
Added `x-zitadel-forwarded` in the list of additionally handled headers.
# Additional Changes
None
# Additional Context
- relates to #8369
- reported in Discord: https://discord.com/channels/927474939156643850/1275484169626980403
(cherry picked from commit b1f5b1979cab5bf5b3368a7dbcbc575d5e5955a3)
---
 internal/api/http/header.go | 45 ++++++++++---------
 .../api/http/middleware/origin_interceptor.go | 5 ++-
 2 files changed, 26 insertions(+), 24 deletions(-)
diff --git a/internal/api/http/header.go b/internal/api/http/header.go
index 91726c4338..16ae7cf48c 100644
--- a/internal/api/http/header.go
+++ b/internal/api/http/header.go
@@ -8,28 +8,29 @@ import (
 )
 const (
- Authorization = "authorization"
- Accept = "accept"
- AcceptLanguage = "accept-language"
- CacheControl = "cache-control"
- ContentType = "content-type"
- ContentLength = "content-length"
- Expires = "expires"
- Location = "location"
- Origin = "origin"
- Pragma = "pragma"
- UserAgentHeader = "user-agent"
- ForwardedFor = "x-forwarded-for"
- ForwardedHost = "x-forwarded-host"
- ForwardedProto = "x-forwarded-proto"
- Forwarded = "forwarded"
- XUserAgent = "x-user-agent"
- XGrpcWeb = "x-grpc-web"
- XRequestedWith = "x-requested-with"
- XRobotsTag = "x-robots-tag"
- IfNoneMatch = "If-None-Match"
- LastModified = "Last-Modified"
- Etag = "Etag"
+ Authorization = "authorization"
+ Accept = "accept"
+ AcceptLanguage = "accept-language"
+ CacheControl = "cache-control"
+ ContentType = "content-type"
+ ContentLength = "content-length"
+ Expires = "expires"
+ Location = "location"
+ Origin = "origin"
+ Pragma = "pragma"
+ UserAgentHeader = "user-agent"
+ ForwardedFor = "x-forwarded-for"
+ ForwardedHost = "x-forwarded-host"
+ ForwardedProto = "x-forwarded-proto"
+ Forwarded = "forwarded"
+ ZitadelForwarded = "x-zitadel-forwarded"
+ XUserAgent = "x-user-agent"
+ XGrpcWeb = "x-grpc-web"
+ XRequestedWith = "x-requested-with"
+ XRobotsTag = "x-robots-tag"
+ IfNoneMatch = "If-None-Match"
+ LastModified = "Last-Modified"
+ Etag = "Etag"
 ContentSecurityPolicy = "content-security-policy"
 XXSSProtection = "x-xss-protection"
diff --git a/internal/api/http/middleware/origin_interceptor.go b/internal/api/http/middleware/origin_interceptor.go
index bbec9dc14d..35af8770b7 100644
--- a/internal/api/http/middleware/origin_interceptor.go
+++ b/internal/api/http/middleware/origin_interceptor.go
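Review bot: The new `ZitadelForwarded` constant carries no comment, and nothing in this const block tells a reader that it is handled by the same `hostFromForwarded` path as `Forwarded` in origin_interceptor.go (the other file of this commit). A one-line comment above it would save the cross-file lookup, e.g. `// ZitadelForwarded is parsed like Forwarded by the origin interceptor (see hostFromRequest).` Whether the header is expected only from the ingress proxy is not visible here; if that is the intent, it belongs in the same comment. The const block continues past the end of the hunk.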
@@ -17,7 +17,7 @@ func WithOrigin(fallBackToHttps bool, http1Header, http2Header string, instanceH
 r,
 fallBackToHttps,
 // to make sure we don't break existing configurations we append the existing checked headers as well
- slices.Compact(append(instanceHostHeaders, http1Header, http2Header, http_util.Forwarded, http_util.ForwardedFor, http_util.ForwardedHost, http_util.ForwardedProto)),
+ slices.Compact(append(instanceHostHeaders, http1Header, http2Header, http_util.Forwarded, http_util.ZitadelForwarded, http_util.ForwardedFor, http_util.ForwardedHost, http_util.ForwardedProto)),
 publicDomainHeaders,
 )
 next.ServeHTTP(w, r.WithContext(http_util.WithDomainContext(r.Context(), origin)))
@@ -52,7 +52,8 @@ func hostFromRequest(r *http.Request, headers []string) (host, proto string) {
 for _, header := range headers {
 switch http.CanonicalHeaderKey(header) {
 case http.CanonicalHeaderKey(http_util.Forwarded),
- http.CanonicalHeaderKey(http_util.ForwardedFor):
+ http.CanonicalHeaderKey(http_util.ForwardedFor),
+ http.CanonicalHeaderKey(http_util.ZitadelForwarded):
 hostFromHeader, protoFromHeader = hostFromForwarded(r.Header.Values(header))
 case http.CanonicalHeaderKey(http_util.ForwardedHost):
 hostFromHeader = r.Header.Get(header)
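Review bot: `append(instanceHostHeaders, ...)` on the new line writes into the caller's backing array whenever the configured slice has spare capacity, and since this runs per request (its result feeds the `next.ServeHTTP` call below) concurrent requests would then write the same array; `append(slices.Clone(instanceHostHeaders), ...)` removes the aliasing, and `slices.Clone` ships in the same Go release as the `slices.Compact` already used here. `slices.Compact` also only collapses adjacent duplicates, so a header that is already configured in `instanceHostHeaders` is consulted twice — harmless if `hostFromRequest` is first-match, which the second hunk does not show. The comment above the line should also state that these built-in headers are consulted regardless of configuration, so a deployment has to rely on its reverse proxy to strip or overwrite `Forwarded`, `x-zitadel-forwarded` and the `x-forwarded-*` headers from clients; whether that is enforced elsewhere is not visible in this diff. `WithOrigin` starts and ends outside the hunk.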
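Review bot: The new case sends `x-zitadel-forwarded` through `hostFromForwarded`, the multi-value parser shared with `Forwarded`, while `x-forwarded-host` just below is read as a bare value with `r.Header.Get`, and nothing in `hostFromRequest` says which headers carry `Forwarded` syntax and which carry a plain host. A comment on the case line would make the distinction explicit, e.g. `// headers parsed with Forwarded syntax (see hostFromForwarded); the x-forwarded-* cases below are bare values`. The contract of `hostFromForwarded` (how several values are combined) is not visible here and may deserve a mention in the same comment. `hostFromRequest` begins before the hunk and its body continues after it.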