mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-12 01:27:32 +00:00
fix: cookie handling (#654)
* feat: set cookie prefix and max age * cookie prefix on csrf cookie * fix: check user agent cookie in login * update oidc pkg * cleanup
This commit is contained in:
Livio Amstutz
@@ -9,13 +9,13 @@ import (
|
||||
"github.com/caos/oidc/pkg/op"
|
||||
"gopkg.in/square/go-jose.v2"
|
||||
|
||||
"github.com/caos/zitadel/internal/auth_request/model"
|
||||
"github.com/caos/zitadel/internal/api/http/middleware"
|
||||
"github.com/caos/zitadel/internal/errors"
|
||||
grant_model "github.com/caos/zitadel/internal/usergrant/model"
|
||||
)
|
||||
|
||||
func (o *OPStorage) CreateAuthRequest(ctx context.Context, req *oidc.AuthRequest, userID string) (op.AuthRequest, error) {
|
||||
userAgentID, ok := UserAgentIDFromCtx(ctx)
|
||||
userAgentID, ok := middleware.UserAgentIDFromCtx(ctx)
|
||||
if !ok {
|
||||
return nil, errors.ThrowPreconditionFailed(nil, "OIDC-sd436", "no user agent id")
|
||||
}
|
||||
@@ -28,7 +28,11 @@ func (o *OPStorage) CreateAuthRequest(ctx context.Context, req *oidc.AuthRequest
|
||||
}
|
||||
|
||||
func (o *OPStorage) AuthRequestByID(ctx context.Context, id string) (op.AuthRequest, error) {
|
||||
resp, err := o.repo.AuthRequestByIDCheckLoggedIn(ctx, id)
|
||||
userAgentID, ok := middleware.UserAgentIDFromCtx(ctx)
|
||||
if !ok {
|
||||
return nil, errors.ThrowPreconditionFailed(nil, "OIDC-D3g21", "no user agent id")
|
||||
}
|
||||
resp, err := o.repo.AuthRequestByIDCheckLoggedIn(ctx, id, userAgentID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -44,7 +48,11 @@ func (o *OPStorage) AuthRequestByCode(ctx context.Context, code string) (op.Auth
|
||||
}
|
||||
|
||||
func (o *OPStorage) SaveAuthCode(ctx context.Context, id, code string) error {
|
||||
return o.repo.SaveAuthCode(ctx, id, code)
|
||||
userAgentID, ok := middleware.UserAgentIDFromCtx(ctx)
|
||||
if !ok {
|
||||
return errors.ThrowPreconditionFailed(nil, "OIDC-Dgus2", "no user agent id")
|
||||
}
|
||||
return o.repo.SaveAuthCode(ctx, id, code, userAgentID)
|
||||
}
|
||||
|
||||
func (o *OPStorage) DeleteAuthRequest(ctx context.Context, id string) error {
|
||||
@@ -52,16 +60,13 @@ func (o *OPStorage) DeleteAuthRequest(ctx context.Context, id string) error {
|
||||
}
|
||||
|
||||
func (o *OPStorage) CreateToken(ctx context.Context, authReq op.AuthRequest) (string, time.Time, error) {
|
||||
req, err := o.repo.AuthRequestByID(ctx, authReq.GetID())
|
||||
app, err := o.repo.ApplicationByClientID(ctx, authReq.GetClientID())
|
||||
if err != nil {
|
||||
return "", time.Time{}, err
|
||||
}
|
||||
app, err := o.repo.ApplicationByClientID(ctx, req.ApplicationID)
|
||||
if err != nil {
|
||||
return "", time.Time{}, err
|
||||
}
|
||||
grants, err := o.repo.UserGrantsByProjectAndUserID(app.ProjectID, req.UserID)
|
||||
scopes := append(req.Request.(*model.AuthRequestOIDC).Scopes, grantsToScopes(grants)...)
|
||||
grants, err := o.repo.UserGrantsByProjectAndUserID(app.ProjectID, authReq.GetSubject())
|
||||
scopes := append(authReq.GetScopes(), grantsToScopes(grants)...)
|
||||
req, _ := authReq.(*AuthRequest)
|
||||
resp, err := o.repo.CreateToken(ctx, req.AgentID, req.ApplicationID, req.UserID, req.Audience, scopes, o.defaultAccessTokenLifetime) //PLANNED: lifetime from client
|
||||
if err != nil {
|
||||
return "", time.Time{}, err
|
||||
@@ -80,7 +85,7 @@ func grantsToScopes(grants []*grant_model.UserGrantView) []string {
|
||||
}
|
||||
|
||||
func (o *OPStorage) TerminateSession(ctx context.Context, userID, clientID string) error {
|
||||
userAgentID, ok := UserAgentIDFromCtx(ctx)
|
||||
userAgentID, ok := middleware.UserAgentIDFromCtx(ctx)
|
||||
if !ok {
|
||||
return errors.ThrowPreconditionFailed(nil, "OIDC-fso7F", "no user agent id")
|
||||
}
|
||||
|
||||
@@ -1,37 +0,0 @@
|
||||
package oidc
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
|
||||
http_utils "github.com/caos/zitadel/internal/api/http"
|
||||
)
|
||||
|
||||
type key int
|
||||
|
||||
var (
|
||||
userAgentKey key
|
||||
)
|
||||
|
||||
func UserAgentIDFromCtx(ctx context.Context) (string, bool) {
|
||||
userAgentID, ok := ctx.Value(userAgentKey).(string)
|
||||
return userAgentID, ok
|
||||
}
|
||||
|
||||
func UserAgentCookieHandler(cookieHandler *http_utils.UserAgentHandler, nextHandlerFunc func(http.HandlerFunc) http.HandlerFunc) func(http.HandlerFunc) http.HandlerFunc {
|
||||
return func(handlerFunc http.HandlerFunc) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
ua, err := cookieHandler.GetUserAgent(r)
|
||||
if err != nil {
|
||||
ua, err = cookieHandler.NewUserAgent()
|
||||
}
|
||||
if err == nil {
|
||||
ctx := context.WithValue(r.Context(), userAgentKey, ua.ID)
|
||||
r = r.WithContext(ctx)
|
||||
cookieHandler.SetUserAgent(w, ua)
|
||||
}
|
||||
handlerFunc(w, r)
|
||||
nextHandlerFunc(handlerFunc)
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -2,7 +2,6 @@ package oidc
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
"github.com/caos/logging"
|
||||
@@ -18,7 +17,7 @@ import (
|
||||
type OPHandlerConfig struct {
|
||||
OPConfig *op.Config
|
||||
StorageConfig StorageConfig
|
||||
UserAgentCookieConfig *http_utils.UserAgentCookieConfig
|
||||
UserAgentCookieConfig *middleware.UserAgentCookieConfig
|
||||
Cache *middleware.CacheConfig
|
||||
Endpoints *EndpointConfig
|
||||
}
|
||||
@@ -51,24 +50,18 @@ type OPStorage struct {
|
||||
signingKeyAlgorithm string
|
||||
}
|
||||
|
||||
func NewProvider(ctx context.Context, config OPHandlerConfig, repo repository.Repository) op.OpenIDProvider {
|
||||
cookieHandler, err := http_utils.NewUserAgentHandler(config.UserAgentCookieConfig, id.SonyFlakeGenerator)
|
||||
func NewProvider(ctx context.Context, config OPHandlerConfig, repo repository.Repository, localDevMode bool) op.OpenIDProvider {
|
||||
cookieHandler, err := middleware.NewUserAgentHandler(config.UserAgentCookieConfig, id.SonyFlakeGenerator, localDevMode)
|
||||
logging.Log("OIDC-sd4fd").OnError(err).Panic("cannot user agent handler")
|
||||
nextHandler := func(handlerFunc http.HandlerFunc) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
middleware.NoCacheInterceptor(http_utils.CopyHeadersToContext(handlerFunc))
|
||||
}
|
||||
}
|
||||
config.OPConfig.CodeMethodS256 = true
|
||||
provider, err := op.NewDefaultOP(
|
||||
ctx,
|
||||
config.OPConfig,
|
||||
newStorage(config.StorageConfig, repo),
|
||||
op.WithHttpInterceptor(
|
||||
UserAgentCookieHandler(
|
||||
cookieHandler,
|
||||
nextHandler,
|
||||
),
|
||||
op.WithHttpInterceptors(
|
||||
middleware.NoCacheInterceptor,
|
||||
cookieHandler,
|
||||
http_utils.CopyHeadersToContext,
|
||||
),
|
||||
op.WithCustomAuthEndpoint(op.NewEndpointWithURL(config.Endpoints.Auth.Path, config.Endpoints.Auth.URL)),
|
||||
op.WithCustomTokenEndpoint(op.NewEndpointWithURL(config.Endpoints.Token.Path, config.Endpoints.Token.URL)),
|
||||
|
||||
Reference in New Issue
Block a user