fix(api): allow HTTP/1.1 for grpc-web (#5376)
Handles grpc-web on HTTP/1.1 with H2C for HTTP/2, but does not enforce it.
parent
c8f206c438
commit
8cbde57047
@ -223,7 +223,7 @@ func startAPIs(
|
|||||||
logging.Warn("access logs are currently in beta")
|
logging.Warn("access logs are currently in beta")
|
||||||
}
|
}
|
||||||
accessInterceptor := middleware.NewAccessInterceptor(accessSvc, config.Quotas.Access)
|
accessInterceptor := middleware.NewAccessInterceptor(accessSvc, config.Quotas.Access)
|
||||||
apis := api.New(config.Port, router, queries, verifier, config.InternalAuthZ, config.ExternalSecure, tlsConfig, config.HTTP2HostHeader, config.HTTP1HostHeader, accessSvc)
|
apis := api.New(config.Port, router, queries, verifier, config.InternalAuthZ, tlsConfig, config.HTTP2HostHeader, config.HTTP1HostHeader, accessSvc)
|
||||||
authRepo, err := auth_es.Start(ctx, config.Auth, config.SystemDefaults, commands, queries, dbClient, eventstore, keys.OIDC, keys.User)
|
authRepo, err := auth_es.Start(ctx, config.Auth, config.SystemDefaults, commands, queries, dbClient, eventstore, keys.OIDC, keys.User)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("error starting auth repo: %w", err)
|
return fmt.Errorf("error starting auth repo: %w", err)
|
||||||
|
@ -23,13 +23,12 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
type API struct {
|
type API struct {
|
||||||
port uint16
|
port uint16
|
||||||
grpcServer *grpc.Server
|
grpcServer *grpc.Server
|
||||||
verifier *internal_authz.TokenVerifier
|
verifier *internal_authz.TokenVerifier
|
||||||
health health
|
health health
|
||||||
router *mux.Router
|
router *mux.Router
|
||||||
externalSecure bool
|
http1HostName string
|
||||||
http1HostName string
|
|
||||||
}
|
}
|
||||||
|
|
||||||
type health interface {
|
type health interface {
|
||||||
@ -43,19 +42,15 @@ func New(
|
|||||||
queries *query.Queries,
|
queries *query.Queries,
|
||||||
verifier *internal_authz.TokenVerifier,
|
verifier *internal_authz.TokenVerifier,
|
||||||
authZ internal_authz.Config,
|
authZ internal_authz.Config,
|
||||||
externalSecure bool,
|
tlsConfig *tls.Config, http2HostName, http1HostName string,
|
||||||
tlsConfig *tls.Config,
|
|
||||||
http2HostName,
|
|
||||||
http1HostName string,
|
|
||||||
accessSvc *logstore.Service,
|
accessSvc *logstore.Service,
|
||||||
) *API {
|
) *API {
|
||||||
api := &API{
|
api := &API{
|
||||||
port: port,
|
port: port,
|
||||||
verifier: verifier,
|
verifier: verifier,
|
||||||
health: queries,
|
health: queries,
|
||||||
router: router,
|
router: router,
|
||||||
externalSecure: externalSecure,
|
http1HostName: http1HostName,
|
||||||
http1HostName: http1HostName,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
api.grpcServer = server.CreateServer(api.verifier, authZ, queries, http2HostName, tlsConfig, accessSvc)
|
api.grpcServer = server.CreateServer(api.verifier, authZ, queries, http2HostName, tlsConfig, accessSvc)
|
||||||
@ -95,42 +90,34 @@ func (a *API) routeGRPC() {
|
|||||||
Headers("Content-Type", "application/grpc").
|
Headers("Content-Type", "application/grpc").
|
||||||
Handler(a.grpcServer)
|
Handler(a.grpcServer)
|
||||||
|
|
||||||
if !a.externalSecure {
|
a.routeGRPCWeb()
|
||||||
a.routeGRPCWeb(a.router)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
a.routeGRPCWeb(http2Route)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *API) routeGRPCWeb(router *mux.Router) {
|
func (a *API) routeGRPCWeb() {
|
||||||
router.NewRoute().
|
grpcWebServer := grpcweb.WrapServer(a.grpcServer,
|
||||||
|
grpcweb.WithAllowedRequestHeaders(
|
||||||
|
[]string{
|
||||||
|
http_util.Origin,
|
||||||
|
http_util.ContentType,
|
||||||
|
http_util.Accept,
|
||||||
|
http_util.AcceptLanguage,
|
||||||
|
http_util.Authorization,
|
||||||
|
http_util.ZitadelOrgID,
|
||||||
|
http_util.XUserAgent,
|
||||||
|
http_util.XGrpcWeb,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
grpcweb.WithOriginFunc(func(_ string) bool {
|
||||||
|
return true
|
||||||
|
}),
|
||||||
|
)
|
||||||
|
a.router.NewRoute().
|
||||||
Methods(http.MethodPost, http.MethodOptions).
|
Methods(http.MethodPost, http.MethodOptions).
|
||||||
MatcherFunc(
|
MatcherFunc(
|
||||||
func(r *http.Request, _ *mux.RouteMatch) bool {
|
func(r *http.Request, _ *mux.RouteMatch) bool {
|
||||||
if strings.Contains(strings.ToLower(r.Header.Get("content-type")), "application/grpc-web+") {
|
return grpcWebServer.IsGrpcWebRequest(r) || grpcWebServer.IsAcceptableGrpcCorsRequest(r)
|
||||||
return true
|
|
||||||
}
|
|
||||||
return strings.Contains(strings.ToLower(r.Header.Get("access-control-request-headers")), "x-grpc-web")
|
|
||||||
}).
|
}).
|
||||||
Handler(
|
Handler(grpcWebServer)
|
||||||
grpcweb.WrapServer(a.grpcServer,
|
|
||||||
grpcweb.WithAllowedRequestHeaders(
|
|
||||||
[]string{
|
|
||||||
http_util.Origin,
|
|
||||||
http_util.ContentType,
|
|
||||||
http_util.Accept,
|
|
||||||
http_util.AcceptLanguage,
|
|
||||||
http_util.Authorization,
|
|
||||||
http_util.ZitadelOrgID,
|
|
||||||
http_util.XUserAgent,
|
|
||||||
http_util.XGrpcWeb,
|
|
||||||
},
|
|
||||||
),
|
|
||||||
grpcweb.WithOriginFunc(func(_ string) bool {
|
|
||||||
return true
|
|
||||||
}),
|
|
||||||
),
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *API) healthHandler() http.Handler {
|
func (a *API) healthHandler() http.Handler {
|
||||||
|
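Review bot: The `grpcweb.WithOriginFunc(func(_ string) bool { return true })` option in the new `routeGRPCWeb()` accepts every origin while `http_util.Authorization` is among the allowed request headers, and nothing in the code records why that is safe. Because the route is now registered on `a.router` unconditionally instead of depending on `externalSecure`, this CORS policy applies to HTTP/1.1 and HTTP/2 requests alike. If allowing any origin is intended (presumably because callers authenticate with bearer tokens rather than cookies, which should be confirmed), a comment such as `// any origin is allowed: requests are authorized by token, not by ambient browser credentials` above the option would document it; otherwise the function should compare the origin against the configured allowed origins. It is also worth confirming whether the grpcweb wrapper version in use marks its CORS responses as credentialed, since that changes what an allow-all origin function exposes.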