fix: use triggering origin for notification links (#6628)

* take baseurl if saved on event * refactor: make es mocks reusable * Revert "refactor: make es mocks reusable" This reverts commit 434ce12a6a. * make messages testable * test asset url * fmt * fmt * simplify notification.Start * test url combinations * support init code added * support password changed * support reset pw * support user domain claimed * support add pwless login * support verify phone * Revert "support verify phone" This reverts commit e40503303e. * save trigger origin from ctx * add ready for review check * camel * test email otp * fix variable naming * fix DefaultOTPEmailURLV2 * Revert "fix DefaultOTPEmailURLV2" This reverts commit fa34d4d2a8. * fix email otp challenged test * fix email otp challenged test * pass origin in login and gateway requests * take origin from header * take x-forwarded if present * Update internal/notification/handlers/queries.go Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> * Update internal/notification/handlers/commands.go Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> * move origin header to ctx if available * generate * cleanup * use forwarded header * support X-Forwarded-* headers * standardize context handling * fix linting --------- Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2025-08-11 20:57:31 +00:00 · 2023-10-10 15:20:53 +02:00
parent 0180779d6d
commit 8f6cb47567
47 changed files with 2405 additions and 508 deletions
--- a/internal/api/http/header.go
+++ b/internal/api/http/header.go
@@ -45,6 +45,7 @@ type key int
 const (
 	httpHeaders key = iota
 	remoteAddr
+	origin
 )

 func CopyHeadersToContext(h http.Handler) http.Handler {
@@ -61,7 +62,7 @@ func HeadersFromCtx(ctx context.Context) (http.Header, bool) {
 	return headers, ok
 }

-func OriginFromCtx(ctx context.Context) string {
+func OriginHeader(ctx context.Context) string {
 	headers, ok := ctx.Value(httpHeaders).(http.Header)
 	if !ok {
 		return ""
@@ -69,6 +70,18 @@ func OriginFromCtx(ctx context.Context) string {
 	return headers.Get(Origin)
 }

+func ComposedOrigin(ctx context.Context) string {
+	o, ok := ctx.Value(origin).(string)
+	if !ok {
+		return ""
+	}
+	return o
+}
+
+func WithComposedOrigin(ctx context.Context, composed string) context.Context {
+	return context.WithValue(ctx, origin, composed)
+}
+
 func RemoteIPFromCtx(ctx context.Context) string {
 	ctxHeaders, ok := HeadersFromCtx(ctx)
 	if !ok {
--- a/internal/api/http/middleware/origin_interceptor.go
+++ b/internal/api/http/middleware/origin_interceptor.go
@@ -0,0 +1,103 @@
+package middleware
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+
+	"github.com/muhlemmer/httpforwarded"
+	"github.com/zitadel/logging"
+
+	http_util "github.com/zitadel/zitadel/internal/api/http"
+)
+
+func OriginHandler(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		origin := composeOrigin(r)
+		if !http_util.IsOrigin(origin) {
+			logging.Debugf("extracted origin is not valid: %s", origin)
+			next.ServeHTTP(w, r)
+			return
+		}
+		next.ServeHTTP(w, r.WithContext(http_util.WithComposedOrigin(r.Context(), origin)))
+	})
+}
+
+func composeOrigin(r *http.Request) string {
+	if origin, err := originFromForwardedHeader(r); err != nil {
+		logging.OnError(err).Debug("failed to build origin from forwarded header, trying x-forwarded-* headers")
+	} else {
+		return origin
+	}
+	if origin, err := originFromXForwardedHeaders(r); err != nil {
+		logging.OnError(err).Debug("failed to build origin from x-forwarded-* headers, using host header")
+	} else {
+		return origin
+	}
+	scheme := "https"
+	if r.TLS == nil {
+		scheme = "http"
+	}
+	return fmt.Sprintf("%s://%s", scheme, r.Host)
+}
+
+func originFromForwardedHeader(r *http.Request) (string, error) {
+	fwd, err := httpforwarded.ParseFromRequest(r)
+	if err != nil {
+		return "", err
+	}
+	var fwdProto, fwdHost, fwdPort string
+	if fwdProto = mostRecentValue(fwd, "proto"); fwdProto == "" {
+		return "", fmt.Errorf("no proto in forwarded header")
+	}
+	if fwdHost = mostRecentValue(fwd, "host"); fwdHost == "" {
+		return "", fmt.Errorf("no host in forwarded header")
+	}
+	fwdPort, foundFwdFor := extractPort(mostRecentValue(fwd, "for"))
+	if !foundFwdFor {
+		return "", fmt.Errorf("no for in forwarded header")
+	}
+	o := fmt.Sprintf("%s://%s", fwdProto, fwdHost)
+	if fwdPort != "" {
+		o += ":" + fwdPort
+	}
+	return o, nil
+}
+
+func originFromXForwardedHeaders(r *http.Request) (string, error) {
+	scheme := r.Header.Get("X-Forwarded-Proto")
+	if scheme == "" {
+		return "", fmt.Errorf("no X-Forwarded-Proto header")
+	}
+	host := r.Header.Get("X-Forwarded-Host")
+	if host == "" {
+		return "", fmt.Errorf("no X-Forwarded-Host header")
+	}
+	return fmt.Sprintf("%s://%s", scheme, host), nil
+}
+
+func extractPort(raw string) (string, bool) {
+	if u, ok := parseURL(raw); ok {
+		return u.Port(), ok
+	}
+	return "", false
+}
+
+func parseURL(raw string) (*url.URL, bool) {
+	if raw == "" {
+		return nil, false
+	}
+	u, err := url.Parse(raw)
+	return u, err == nil
+}
+
+func mostRecentValue(forwarded map[string][]string, key string) string {
+	if forwarded == nil {
+		return ""
+	}
+	values := forwarded[key]
+	if len(values) == 0 {
+		return ""
+	}
+	return values[len(values)-1]
+}