fix: cors (#621)

* fix: dont (re)generate client secret with auth type none * fix(cors): allow Origin from request * feat: add origin allow list and fix some core issues * rename migration * fix UserIDsByDomain * check origin on userinfo * update oidc pkg
2025-08-12 04:07:31 +00:00 · 2020-08-24 10:06:55 +02:00
parent 193cfb45f6
commit 4e1e8a714a
18 changed files with 128 additions and 26 deletions
--- a/internal/api/authz/context.go
+++ b/internal/api/authz/context.go
@@ -2,9 +2,10 @@ package authz

 import (
 	"context"
-	"github.com/caos/zitadel/internal/errors"

-	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/api/grpc"
+	http_util "github.com/caos/zitadel/internal/api/http"
+	"github.com/caos/zitadel/internal/errors"
 )

 type key int
@@ -46,8 +47,13 @@ func VerifyTokenAndWriteCtxData(ctx context.Context, token, orgID string, t *Tok
 	if err != nil {
 		return nil, err
 	}
-	projectID, err := t.GetProjectIDByClientID(ctx, clientID)
-	logging.LogWithFields("AUTH-GfAoV", "clientID", clientID).OnError(err).Warn("could not read projectid by clientid")
+	projectID, origins, err := t.ProjectIDAndOriginsByClientID(ctx, clientID)
+	if err != nil {
+		return nil, errors.ThrowPermissionDenied(err, "AUTH-GHpw2", "could not read projectid by clientid")
+	}
+	if err := checkOrigin(ctx, origins); err != nil {
+		return nil, err
+	}
 	return context.WithValue(ctx, dataKey, CtxData{UserID: userID, OrgID: orgID, ProjectID: projectID, AgentID: agentID}), nil
 }

@@ -69,3 +75,14 @@ func GetAllPermissionsFromCtx(ctx context.Context) []string {
 	ctxPermission, _ := ctx.Value(allPermissionsKey).([]string)
 	return ctxPermission
 }
+
+func checkOrigin(ctx context.Context, origins []string) error {
+	origin := grpc.GetGatewayHeader(ctx, http_util.Origin)
+	if origin == "" {
+		return nil
+	}
+	if http_util.IsOriginAllowed(origins, origin) {
+		return nil
+	}
+	return errors.ThrowPermissionDenied(nil, "AUTH-DZG21", "Errors.OriginNotAllowed")
+}
--- a/internal/api/authz/permissions_test.go
+++ b/internal/api/authz/permissions_test.go
@@ -23,8 +23,8 @@ func (v *testVerifier) ResolveGrants(ctx context.Context) (*Grant, error) {
 	return v.grant, nil
 }

-func (v *testVerifier) ProjectIDByClientID(ctx context.Context, clientID string) (string, error) {
-	return "", nil
+func (v *testVerifier) ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (string, []string, error) {
+	return "", nil, nil
 }

 func (v *testVerifier) ExistsOrg(ctx context.Context, orgID string) error {
--- a/internal/api/authz/token.go
+++ b/internal/api/authz/token.go
@@ -22,7 +22,7 @@ type authZRepo interface {
 	VerifyAccessToken(ctx context.Context, token, clientID string) (userID, agentID string, err error)
 	VerifierClientID(ctx context.Context, name string) (clientID string, err error)
 	ResolveGrants(ctx context.Context) (grant *Grant, err error)
-	ProjectIDByClientID(ctx context.Context, clientID string) (projectID string, err error)
+	ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (projectID string, origins []string, err error)
 	ExistsOrg(ctx context.Context, orgID string) error
 }

@@ -88,8 +88,8 @@ func (v *TokenVerifier) ResolveGrant(ctx context.Context) (*Grant, error) {
 	return v.authZRepo.ResolveGrants(ctx)
 }

-func (v *TokenVerifier) GetProjectIDByClientID(ctx context.Context, clientID string) (string, error) {
-	return v.authZRepo.ProjectIDByClientID(ctx, clientID)
+func (v *TokenVerifier) ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (string, []string, error) {
+	return v.authZRepo.ProjectIDAndOriginsByClientID(ctx, clientID)
 }

 func (v *TokenVerifier) ExistsOrg(ctx context.Context, orgID string) error {