fix: cors (#621)

* fix: dont (re)generate client secret with auth type none * fix(cors): allow Origin from request * feat: add origin allow list and fix some core issues * rename migration * fix UserIDsByDomain * check origin on userinfo * update oidc pkg
2025-08-12 07:47:32 +00:00 · 2020-08-24 10:06:55 +02:00
parent 193cfb45f6
commit 4e1e8a714a
18 changed files with 128 additions and 26 deletions
--- a/internal/api/authz/context.go
+++ b/internal/api/authz/context.go
@@ -2,9 +2,10 @@ package authz

 import (
 	"context"
-	"github.com/caos/zitadel/internal/errors"

-	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/api/grpc"
+	http_util "github.com/caos/zitadel/internal/api/http"
+	"github.com/caos/zitadel/internal/errors"
 )

 type key int
@@ -46,8 +47,13 @@ func VerifyTokenAndWriteCtxData(ctx context.Context, token, orgID string, t *Tok
 	if err != nil {
 		return nil, err
 	}
-	projectID, err := t.GetProjectIDByClientID(ctx, clientID)
-	logging.LogWithFields("AUTH-GfAoV", "clientID", clientID).OnError(err).Warn("could not read projectid by clientid")
+	projectID, origins, err := t.ProjectIDAndOriginsByClientID(ctx, clientID)
+	if err != nil {
+		return nil, errors.ThrowPermissionDenied(err, "AUTH-GHpw2", "could not read projectid by clientid")
+	}
+	if err := checkOrigin(ctx, origins); err != nil {
+		return nil, err
+	}
 	return context.WithValue(ctx, dataKey, CtxData{UserID: userID, OrgID: orgID, ProjectID: projectID, AgentID: agentID}), nil
 }

@@ -69,3 +75,14 @@ func GetAllPermissionsFromCtx(ctx context.Context) []string {
 	ctxPermission, _ := ctx.Value(allPermissionsKey).([]string)
 	return ctxPermission
 }
+
+func checkOrigin(ctx context.Context, origins []string) error {
+	origin := grpc.GetGatewayHeader(ctx, http_util.Origin)
+	if origin == "" {
+		return nil
+	}
+	if http_util.IsOriginAllowed(origins, origin) {
+		return nil
+	}
+	return errors.ThrowPermissionDenied(nil, "AUTH-DZG21", "Errors.OriginNotAllowed")
+}