fix: cookie handling (#654)

* feat: set cookie prefix and max age * cookie prefix on csrf cookie * fix: check user agent cookie in login * update oidc pkg * cleanup
2025-08-15 03:47:37 +00:00 · 2020-08-31 08:49:35 +02:00
parent 1089193faf
commit c1c85e632b
26 changed files with 262 additions and 205 deletions
--- a/internal/ui/console/console.go
+++ b/internal/ui/console/console.go
@@ -28,6 +28,7 @@ type spaHandler struct {
 const (
 	envRequestPath = "/assets/environment.json"
 	envDefaultDir  = "/console/"
+	handlerPrefix  = "/console"
 )

 var (
@@ -50,10 +51,10 @@ func (i *spaHandler) Open(name string) (http.File, error) {
 	return i.fileSystem.Open("/index.html")
 }

-func Start(config Config) (http.Handler, error) {
+func Start(config Config) (http.Handler, string, error) {
 	statikFS, err := fs.NewWithNamespace("console")
 	if err != nil {
-		return nil, err
+		return nil, "", err
 	}
 	envDir := envDefaultDir
 	if config.EnvOverwriteDir != "" {
@@ -69,7 +70,7 @@ func Start(config Config) (http.Handler, error) {
 	handler := &http.ServeMux{}
 	handler.Handle("/", cache(security(http.FileServer(&spaHandler{statikFS}))))
 	handler.Handle(envRequestPath, cache(security(http.StripPrefix("/assets", http.FileServer(http.Dir(envDir))))))
-	return handler, nil
+	return handler, handlerPrefix, nil
 }

 func csp(zitadelDomain string) *middleware.CSP {
--- a/internal/ui/login/handler/auth_request.go
+++ b/internal/ui/login/handler/auth_request.go
@@ -3,6 +3,7 @@ package handler
 import (
 	"net/http"

+	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/auth_request/model"
 )

@@ -15,7 +16,8 @@ func (l *Login) getAuthRequest(r *http.Request) (*model.AuthRequest, error) {
 	if authRequestID == "" {
 		return nil, nil
 	}
-	return l.authRepo.AuthRequestByID(r.Context(), authRequestID)
+	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
+	return l.authRepo.AuthRequestByID(r.Context(), authRequestID, userAgentID)
 }

 func (l *Login) getAuthRequestAndParseData(r *http.Request, data interface{}) (*model.AuthRequest, error) {
--- a/internal/ui/login/handler/login.go
+++ b/internal/ui/login/handler/login.go
@@ -11,11 +11,14 @@ import (
 	"golang.org/x/text/language"

 	"github.com/caos/zitadel/internal/api/authz"
+	http_utils "github.com/caos/zitadel/internal/api/http"
 	"github.com/caos/zitadel/internal/api/http/middleware"
 	auth_repository "github.com/caos/zitadel/internal/auth/repository"
 	"github.com/caos/zitadel/internal/auth/repository/eventsourcing"
 	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/form"
+	"github.com/caos/zitadel/internal/id"
+
 	_ "github.com/caos/zitadel/internal/ui/login/statik"
 )

@@ -30,12 +33,13 @@ type Login struct {
 }

 type Config struct {
-	OidcAuthCallbackURL string
-	ZitadelURL          string
-	LanguageCookieName  string
-	DefaultLanguage     language.Tag
-	CSRF                CSRF
-	Cache               middleware.CacheConfig
+	OidcAuthCallbackURL   string
+	ZitadelURL            string
+	LanguageCookieName    string
+	DefaultLanguage       language.Tag
+	CSRF                  CSRF
+	UserAgentCookieConfig *middleware.UserAgentCookieConfig
+	Cache                 middleware.CacheConfig
 }

 type CSRF struct {
@@ -45,15 +49,20 @@ type CSRF struct {
 }

 const (
-	login = "LOGIN"
+	login         = "LOGIN"
+	handlerPrefix = "/login"
 )

-func CreateLogin(config Config, authRepo *eventsourcing.EsRepository, prefix string) *Login {
+func CreateLogin(config Config, authRepo *eventsourcing.EsRepository, localDevMode bool) (*Login, string) {
 	login := &Login{
 		oidcAuthCallbackURL: config.OidcAuthCallbackURL,
 		zitadelURL:          config.ZitadelURL,
 		authRepo:            authRepo,
 	}
+	prefix := ""
+	if localDevMode {
+		prefix = handlerPrefix
+	}
 	statikFS, err := fs.NewWithNamespace("login")
 	logging.Log("CONFI-Ga21f").OnError(err).Panic("unable to create filesystem")

@@ -62,10 +71,12 @@ func CreateLogin(config Config, authRepo *eventsourcing.EsRepository, prefix str
 	cache, err := middleware.DefaultCacheInterceptor(EndpointResources, config.Cache.MaxAge.Duration, config.Cache.SharedMaxAge.Duration)
 	logging.Log("CONFI-BHq2a").OnError(err).Panic("unable to create cacheInterceptor")
 	security := middleware.SecurityHeaders(csp(), login.cspErrorHandler)
-	login.router = CreateRouter(login, statikFS, csrf, cache, security)
+	userAgentCookie, err := middleware.NewUserAgentHandler(config.UserAgentCookieConfig, id.SonyFlakeGenerator, localDevMode)
+	logging.Log("CONFI-Dvwf2").OnError(err).Panic("unable to create userAgentInterceptor")
+	login.router = CreateRouter(login, statikFS, csrf, cache, security, userAgentCookie)
 	login.renderer = CreateRenderer(prefix, statikFS, config.LanguageCookieName, config.DefaultLanguage)
 	login.parser = form.NewParser()
-	return login
+	return login, prefix
 }

 func csp() *middleware.CSP {
@@ -81,10 +92,11 @@ func csrfInterceptor(config CSRF, errorHandler http.Handler) (func(http.Handler)
 	if err != nil {
 		return nil, err
 	}
+	path := "/"
 	return csrf.Protect([]byte(csrfKey),
 		csrf.Secure(!config.Development),
-		csrf.CookieName(config.CookieName),
-		csrf.Path("/"),
+		csrf.CookieName(http_utils.SetCookiePrefix(config.CookieName, "", path, !config.Development)),
+		csrf.Path(path),
 		csrf.ErrorHandler(errorHandler),
 	), nil
 }
--- a/internal/ui/login/handler/login_handler.go
+++ b/internal/ui/login/handler/login_handler.go
@@ -3,6 +3,7 @@ package handler
 import (
 	"net/http"

+	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/auth_request/model"
 )

@@ -48,7 +49,8 @@ func (l *Login) handleLoginNameCheck(w http.ResponseWriter, r *http.Request) {
 		l.handleRegister(w, r)
 		return
 	}
-	err = l.authRepo.CheckLoginName(r.Context(), authReq.ID, data.LoginName)
+	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
+	err = l.authRepo.CheckLoginName(r.Context(), authReq.ID, data.LoginName, userAgentID)
 	if err != nil {
 		l.renderLogin(w, r, authReq, err)
 		return
--- a/internal/ui/login/handler/mfa_verify_handler.go
+++ b/internal/ui/login/handler/mfa_verify_handler.go
@@ -3,6 +3,7 @@ package handler
 import (
 	"net/http"

+	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/auth_request/model"
 )

@@ -23,7 +24,8 @@ func (l *Login) handleMfaVerify(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	if data.MfaType == model.MfaTypeOTP {
-		err = l.authRepo.VerifyMfaOTP(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, data.Code, model.BrowserInfoFromRequest(r))
+		userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
+		err = l.authRepo.VerifyMfaOTP(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, data.Code, userAgentID, model.BrowserInfoFromRequest(r))
 	}
 	if err != nil {
 		l.renderError(w, r, authReq, err)
--- a/internal/ui/login/handler/password_handler.go
+++ b/internal/ui/login/handler/password_handler.go
@@ -3,6 +3,7 @@ package handler
 import (
 	"net/http"

+	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/auth_request/model"
 )

@@ -30,7 +31,8 @@ func (l *Login) handlePasswordCheck(w http.ResponseWriter, r *http.Request) {
 		l.renderError(w, r, authReq, err)
 		return
 	}
-	err = l.authRepo.VerifyPassword(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, data.Password, model.BrowserInfoFromRequest(r))
+	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
+	err = l.authRepo.VerifyPassword(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, data.Password, userAgentID, model.BrowserInfoFromRequest(r))
 	if err != nil {
 		l.renderPassword(w, r, authReq, err)
 		return
--- a/internal/ui/login/handler/renderer.go
+++ b/internal/ui/login/handler/renderer.go
@@ -7,16 +7,15 @@ import (
 	"net/http"
 	"path"

+	"github.com/caos/logging"
 	"github.com/gorilla/csrf"
+	"golang.org/x/text/language"

-	"github.com/caos/zitadel/internal/api/http/middleware"
+	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/auth_request/model"
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/i18n"
 	"github.com/caos/zitadel/internal/renderer"
-
-	"github.com/caos/logging"
-	"golang.org/x/text/language"
 )

 const (
@@ -135,7 +134,8 @@ func CreateRenderer(pathPrefix string, staticDir http.FileSystem, cookieName str
 }

 func (l *Login) renderNextStep(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest) {
-	authReq, err := l.authRepo.AuthRequestByID(r.Context(), authReq.ID)
+	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
+	authReq, err := l.authRepo.AuthRequestByID(r.Context(), authReq.ID, userAgentID)
 	if err != nil {
 		l.renderInternalError(w, r, authReq, caos_errs.ThrowInternal(nil, "APP-sio0W", "could not get authreq"))
 	}
@@ -219,7 +219,7 @@ func (l *Login) getBaseData(r *http.Request, authReq *model.AuthRequest, title s
 		ThemeMode: l.getThemeMode(r),
 		AuthReqID: getRequestID(authReq, r),
 		CSRF:      csrf.TemplateField(r),
-		Nonce:     middleware.GetNonce(r),
+		Nonce:     http_mw.GetNonce(r),
 	}
 }

--- a/internal/ui/login/handler/select_user_handler.go
+++ b/internal/ui/login/handler/select_user_handler.go
@@ -3,6 +3,7 @@ package handler
 import (
 	"net/http"

+	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/auth_request/model"
 )

@@ -33,7 +34,8 @@ func (l *Login) handleSelectUser(w http.ResponseWriter, r *http.Request) {
 		l.renderLogin(w, r, authSession, nil)
 		return
 	}
-	err = l.authRepo.SelectUser(r.Context(), authSession.ID, data.UserID)
+	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
+	err = l.authRepo.SelectUser(r.Context(), authSession.ID, data.UserID, userAgentID)
 	if err != nil {
 		l.renderError(w, r, authSession, err)
 		return
--- a/internal/ui/login/login.go
+++ b/internal/ui/login/login.go
@@ -9,6 +9,6 @@ type Config struct {
 	Handler handler.Config
 }

-func Start(config Config, authRepo *eventsourcing.EsRepository, pathPrefix string) *handler.Login {
-	return handler.CreateLogin(config.Handler, authRepo, pathPrefix)
+func Start(config Config, authRepo *eventsourcing.EsRepository, localDevMode bool) (*handler.Login, string) {
+	return handler.CreateLogin(config.Handler, authRepo, localDevMode)
 }
--- a/internal/ui/login/static/i18n/de.yaml
+++ b/internal/ui/login/static/i18n/de.yaml
@@ -157,6 +157,7 @@ Errors:
  Internal: Es ist ein interner Fehler aufgetreten
  AuthRequest:
    NotFound: AuthRequest konnte nicht gefunden werden
+    UserAgentNotCorresponding: User Agent stimmt nicht überein
  User:
    NotFound: Benutzer konnte nicht gefunden werden
    NotMatchingUserID: User stimm nicht mit User in Auth Request überein
--- a/internal/ui/login/static/i18n/en.yaml
+++ b/internal/ui/login/static/i18n/en.yaml
@@ -159,6 +159,7 @@ Errors:
  Internal: An internal error occured
  AuthRequest:
    NotFound: Could not find authrequest
+    UserAgentNotCorresponding: User Agent does not correspond
  User:
    NotFound: User could not be found
    NotMatchingUserID: User and user in authrequest don't match
--- a/internal/ui/ui.go
+++ b/internal/ui/ui.go
@@ -10,9 +10,7 @@ import (
 )

 const (
-	LoginHandler   = "/login"
-	ConsoleHandler = "/console"
-	uiname         = "ui"
+	uiname = "ui"
 )

 type Config struct {