fix: cookie handling (#654)

* feat: set cookie prefix and max age * cookie prefix on csrf cookie * fix: check user agent cookie in login * update oidc pkg * cleanup
2025-08-11 21:47:32 +00:00 · 2020-08-31 08:49:35 +02:00
parent 1089193faf
commit c1c85e632b
26 changed files with 262 additions and 205 deletions
--- a/cmd/zitadel/main.go
+++ b/cmd/zitadel/main.go
@@ -114,16 +114,13 @@ func startZitadel(configPaths []string) {
 func startUI(ctx context.Context, conf *Config, authRepo *auth_es.EsRepository) {
 	uis := ui.Create(conf.UI)
 	if *loginEnabled {
-		prefix := ""
-		if *localDevMode {
-			prefix = ui.LoginHandler
-		}
-		uis.RegisterHandler(ui.LoginHandler, login.Start(conf.UI.Login, authRepo, prefix).Handler())
+		login, prefix := login.Start(conf.UI.Login, authRepo, *localDevMode)
+		uis.RegisterHandler(prefix, login.Handler())
 	}
 	if *consoleEnabled {
-		consoleHandler, err := console.Start(conf.UI.Console)
+		consoleHandler, prefix, err := console.Start(conf.UI.Console)
 		logging.Log("API-AGD1f").OnError(err).Fatal("error starting console")
-		uis.RegisterHandler(ui.ConsoleHandler, consoleHandler)
+		uis.RegisterHandler(prefix, consoleHandler)
 	}
 	uis.Start(ctx)
 }
@@ -148,7 +145,7 @@ func startAPI(ctx context.Context, conf *Config, authZRepo *authz_repo.EsReposit
 		apis.RegisterServer(ctx, auth.CreateServer(authRepo))
 	}
 	if *oidcEnabled {
-		op := oidc.NewProvider(ctx, conf.API.OIDC, authRepo)
+		op := oidc.NewProvider(ctx, conf.API.OIDC, authRepo, *localDevMode)
 		apis.RegisterHandler("/oauth/v2", op.HttpHandler())
 	}
 	apis.Start(ctx)
--- a/cmd/zitadel/startup.yaml
+++ b/cmd/zitadel/startup.yaml
@@ -195,6 +195,7 @@ API:
    UserAgentCookieConfig:
      Name: caos.zitadel.useragent
      Domain: $ZITADEL_COOKIE_DOMAIN
+      MaxAge: 8760h #365*24h (1 year)
      Key:
        EncryptionKeyID: $ZITADEL_COOKIE_KEY
    Cache:
@@ -230,6 +231,12 @@ UI:
        Key:
          EncryptionKeyID: $ZITADEL_CSRF_KEY
        Development: $ZITADEL_CSRF_DEV
+      UserAgentCookieConfig:
+        Name: caos.zitadel.useragent
+        Domain: $ZITADEL_COOKIE_DOMAIN
+        MaxAge: 8760h #365*24h (1 year)
+        Key:
+          EncryptionKeyID: $ZITADEL_COOKIE_KEY
      Cache:
        MaxAge: $ZITADEL_CACHE_MAXAGE
        SharedMaxAge: $ZITADEL_CACHE_SHARED_MAXAGE