fix: cookie handling (#654)
* feat: set cookie prefix and max age * cookie prefix on csrf cookie * fix: check user agent cookie in login * update oidc pkg * cleanup
@@ -3,6 +3,7 @@ package handler
|
||||
import (
|
||||
"net/http"
|
||||
|
||||
http_mw "github.com/caos/zitadel/internal/api/http/middleware"
|
||||
"github.com/caos/zitadel/internal/auth_request/model"
|
||||
)
|
||||
|
||||
@@ -15,7 +16,8 @@ func (l *Login) getAuthRequest(r *http.Request) (*model.AuthRequest, error) {
|
||||
if authRequestID == "" {
|
||||
return nil, nil
|
||||
}
|
||||
return l.authRepo.AuthRequestByID(r.Context(), authRequestID)
|
||||
userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
|
||||
return l.authRepo.AuthRequestByID(r.Context(), authRequestID, userAgentID)
|
||||
}
|
||||
|
||||
func (l *Login) getAuthRequestAndParseData(r *http.Request, data interface{}) (*model.AuthRequest, error) {
|
||||
|
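Review bot: The second return value of `http_mw.UserAgentIDFromCtx` is discarded on the new line `userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())`, so a request that carries no user-agent cookie (or whose middleware lookup failed) continues with a zero-value ID, and whether the binding between the client-supplied `authRequestID` and the browser is still enforced depends entirely on what `AuthRequestByID` does with an empty ID, which this hunk cannot confirm. Failing closed at this single choke point is the safer contract: `userAgentID, ok := http_mw.UserAgentIDFromCtx(r.Context())` followed by `if !ok { return nil, <precondition-failed error> }` (whether the second value is a bool or an error is not visible here). `getAuthRequest` starts before this hunk; the other handlers in this commit repeat the same discard, so a small helper that fails closed would cover them all.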
@@ -11,11 +11,14 @@ import (
|
||||
"golang.org/x/text/language"
|
||||
|
||||
"github.com/caos/zitadel/internal/api/authz"
|
||||
http_utils "github.com/caos/zitadel/internal/api/http"
|
||||
"github.com/caos/zitadel/internal/api/http/middleware"
|
||||
auth_repository "github.com/caos/zitadel/internal/auth/repository"
|
||||
"github.com/caos/zitadel/internal/auth/repository/eventsourcing"
|
||||
"github.com/caos/zitadel/internal/crypto"
|
||||
"github.com/caos/zitadel/internal/form"
|
||||
"github.com/caos/zitadel/internal/id"
|
||||
|
||||
_ "github.com/caos/zitadel/internal/ui/login/statik"
|
||||
)
|
||||
|
||||
@@ -30,12 +33,13 @@ type Login struct {
|
||||
}
|
||||
|
||||
type Config struct {
|
||||
OidcAuthCallbackURL string
|
||||
ZitadelURL string
|
||||
LanguageCookieName string
|
||||
DefaultLanguage language.Tag
|
||||
CSRF CSRF
|
||||
Cache middleware.CacheConfig
|
||||
OidcAuthCallbackURL string
|
||||
ZitadelURL string
|
||||
LanguageCookieName string
|
||||
DefaultLanguage language.Tag
|
||||
CSRF CSRF
|
||||
UserAgentCookieConfig *middleware.UserAgentCookieConfig
|
||||
Cache middleware.CacheConfig
|
||||
}
|
||||
|
||||
type CSRF struct {
|
||||
@@ -45,15 +49,20 @@ type CSRF struct {
|
||||
}
|
||||
|
||||
const (
|
||||
login = "LOGIN"
|
||||
login = "LOGIN"
|
||||
handlerPrefix = "/login"
|
||||
)
|
||||
|
||||
func CreateLogin(config Config, authRepo *eventsourcing.EsRepository, prefix string) *Login {
|
||||
func CreateLogin(config Config, authRepo *eventsourcing.EsRepository, localDevMode bool) (*Login, string) {
|
||||
login := &Login{
|
||||
oidcAuthCallbackURL: config.OidcAuthCallbackURL,
|
||||
zitadelURL: config.ZitadelURL,
|
||||
authRepo: authRepo,
|
||||
}
|
||||
prefix := ""
|
||||
if localDevMode {
|
||||
prefix = handlerPrefix
|
||||
}
|
||||
statikFS, err := fs.NewWithNamespace("login")
|
||||
logging.Log("CONFI-Ga21f").OnError(err).Panic("unable to create filesystem")
|
||||
|
||||
@@ -62,10 +71,12 @@ func CreateLogin(config Config, authRepo *eventsourcing.EsRepository, prefix str
|
||||
cache, err := middleware.DefaultCacheInterceptor(EndpointResources, config.Cache.MaxAge.Duration, config.Cache.SharedMaxAge.Duration)
|
||||
logging.Log("CONFI-BHq2a").OnError(err).Panic("unable to create cacheInterceptor")
|
||||
security := middleware.SecurityHeaders(csp(), login.cspErrorHandler)
|
||||
login.router = CreateRouter(login, statikFS, csrf, cache, security)
|
||||
userAgentCookie, err := middleware.NewUserAgentHandler(config.UserAgentCookieConfig, id.SonyFlakeGenerator, localDevMode)
|
||||
logging.Log("CONFI-Dvwf2").OnError(err).Panic("unable to create userAgentInterceptor")
|
||||
login.router = CreateRouter(login, statikFS, csrf, cache, security, userAgentCookie)
|
||||
login.renderer = CreateRenderer(prefix, statikFS, config.LanguageCookieName, config.DefaultLanguage)
|
||||
login.parser = form.NewParser()
|
||||
return login
|
||||
return login, prefix
|
||||
}
|
||||
|
||||
func csp() *middleware.CSP {
|
||||
@@ -81,10 +92,11 @@ func csrfInterceptor(config CSRF, errorHandler http.Handler) (func(http.Handler)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
path := "/"
|
||||
return csrf.Protect([]byte(csrfKey),
|
||||
csrf.Secure(!config.Development),
|
||||
csrf.CookieName(config.CookieName),
|
||||
csrf.Path("/"),
|
||||
csrf.CookieName(http_utils.SetCookiePrefix(config.CookieName, "", path, !config.Development)),
|
||||
csrf.Path(path),
|
||||
csrf.ErrorHandler(errorHandler),
|
||||
), nil
|
||||
}
|
||||
|
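Review bot: The Secure/prefix decision for the two cookies is now driven by two independent settings: `csrfInterceptor` derives both `csrf.Secure(!config.Development)` and `http_utils.SetCookiePrefix(config.CookieName, "", path, !config.Development)` from the CSRF config, while `NewUserAgentHandler` is handed the separate `localDevMode` argument of `CreateLogin`. If the two ever disagree, one cookie is issued with a host prefix and Secure while the other is not, silently weakening the stricter one on exactly the deployment where it matters. Consider deriving both from one value, for example passing `localDevMode` into `csrfInterceptor`, or rejecting a configuration where `config.CSRF.Development != localDevMode` at startup next to the existing `OnError(err).Panic` checks. The new pointer field `UserAgentCookieConfig *middleware.UserAgentCookieConfig` would also benefit from a comment stating what `NewUserAgentHandler` does with a nil value, since the hunk does not show it.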
@@ -3,6 +3,7 @@ package handler
|
||||
import (
|
||||
"net/http"
|
||||
|
||||
http_mw "github.com/caos/zitadel/internal/api/http/middleware"
|
||||
"github.com/caos/zitadel/internal/auth_request/model"
|
||||
)
|
||||
|
||||
@@ -48,7 +49,8 @@ func (l *Login) handleLoginNameCheck(w http.ResponseWriter, r *http.Request) {
|
||||
l.handleRegister(w, r)
|
||||
return
|
||||
}
|
||||
err = l.authRepo.CheckLoginName(r.Context(), authReq.ID, data.LoginName)
|
||||
userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
|
||||
err = l.authRepo.CheckLoginName(r.Context(), authReq.ID, data.LoginName, userAgentID)
|
||||
if err != nil {
|
||||
l.renderLogin(w, r, authReq, err)
|
||||
return
|
||||
|
@@ -3,6 +3,7 @@ package handler
|
||||
import (
|
||||
"net/http"
|
||||
|
||||
http_mw "github.com/caos/zitadel/internal/api/http/middleware"
|
||||
"github.com/caos/zitadel/internal/auth_request/model"
|
||||
)
|
||||
|
||||
@@ -23,7 +24,8 @@ func (l *Login) handleMfaVerify(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
if data.MfaType == model.MfaTypeOTP {
|
||||
err = l.authRepo.VerifyMfaOTP(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, data.Code, model.BrowserInfoFromRequest(r))
|
||||
userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
|
||||
err = l.authRepo.VerifyMfaOTP(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, data.Code, userAgentID, model.BrowserInfoFromRequest(r))
|
||||
}
|
||||
if err != nil {
|
||||
l.renderError(w, r, authReq, err)
|
||||
|
@@ -3,6 +3,7 @@ package handler
|
||||
import (
|
||||
"net/http"
|
||||
|
||||
http_mw "github.com/caos/zitadel/internal/api/http/middleware"
|
||||
"github.com/caos/zitadel/internal/auth_request/model"
|
||||
)
|
||||
|
||||
@@ -30,7 +31,8 @@ func (l *Login) handlePasswordCheck(w http.ResponseWriter, r *http.Request) {
|
||||
l.renderError(w, r, authReq, err)
|
||||
return
|
||||
}
|
||||
err = l.authRepo.VerifyPassword(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, data.Password, model.BrowserInfoFromRequest(r))
|
||||
userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
|
||||
err = l.authRepo.VerifyPassword(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, data.Password, userAgentID, model.BrowserInfoFromRequest(r))
|
||||
if err != nil {
|
||||
l.renderPassword(w, r, authReq, err)
|
||||
return
|
||||
|
@@ -7,16 +7,15 @@ import (
|
||||
"net/http"
|
||||
"path"
|
||||
|
||||
"github.com/caos/logging"
|
||||
"github.com/gorilla/csrf"
|
||||
"golang.org/x/text/language"
|
||||
|
||||
"github.com/caos/zitadel/internal/api/http/middleware"
|
||||
http_mw "github.com/caos/zitadel/internal/api/http/middleware"
|
||||
"github.com/caos/zitadel/internal/auth_request/model"
|
||||
caos_errs "github.com/caos/zitadel/internal/errors"
|
||||
"github.com/caos/zitadel/internal/i18n"
|
||||
"github.com/caos/zitadel/internal/renderer"
|
||||
|
||||
"github.com/caos/logging"
|
||||
"golang.org/x/text/language"
|
||||
)
|
||||
|
||||
const (
|
||||
@@ -135,7 +134,8 @@ func CreateRenderer(pathPrefix string, staticDir http.FileSystem, cookieName str
|
||||
}
|
||||
|
||||
func (l *Login) renderNextStep(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest) {
|
||||
authReq, err := l.authRepo.AuthRequestByID(r.Context(), authReq.ID)
|
||||
userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
|
||||
authReq, err := l.authRepo.AuthRequestByID(r.Context(), authReq.ID, userAgentID)
|
||||
if err != nil {
|
||||
l.renderInternalError(w, r, authReq, caos_errs.ThrowInternal(nil, "APP-sio0W", "could not get authreq"))
|
||||
}
|
||||
@@ -219,7 +219,7 @@ func (l *Login) getBaseData(r *http.Request, authReq *model.AuthRequest, title s
|
||||
ThemeMode: l.getThemeMode(r),
|
||||
AuthReqID: getRequestID(authReq, r),
|
||||
CSRF: csrf.TemplateField(r),
|
||||
Nonce: middleware.GetNonce(r),
|
||||
Nonce: http_mw.GetNonce(r),
|
||||
}
|
||||
}
|
||||
|
||||
|
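Review bot: `renderNextStep` does not `return` after `l.renderInternalError(...)` when the reloaded `AuthRequestByID` fails, and with the new `userAgentID` argument that error path is now reachable for any auth request that does not belong to the calling browser, not only for backend failures. Because `authReq, err := ...` reassigns the function parameter, execution continues past the `if` with `authReq` presumably nil (the lines after this hunk are not visible), so a second render or a nil dereference on top of the already-written error page looks likely; add `return` after the `renderInternalError` call. The wrapped error also drops the cause, `caos_errs.ThrowInternal(nil, "APP-sio0W", ...)`, so a user-agent mismatch is indistinguishable from a store error in logs; passing `err` as the first argument keeps it diagnosable. As in the handlers, the second value of `http_mw.UserAgentIDFromCtx` is discarded here; a missing user-agent cookie should fail closed rather than query with an empty ID.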
@@ -3,6 +3,7 @@ package handler
|
||||
import (
|
||||
"net/http"
|
||||
|
||||
http_mw "github.com/caos/zitadel/internal/api/http/middleware"
|
||||
"github.com/caos/zitadel/internal/auth_request/model"
|
||||
)
|
||||
|
||||
@@ -33,7 +34,8 @@ func (l *Login) handleSelectUser(w http.ResponseWriter, r *http.Request) {
|
||||
l.renderLogin(w, r, authSession, nil)
|
||||
return
|
||||
}
|
||||
err = l.authRepo.SelectUser(r.Context(), authSession.ID, data.UserID)
|
||||
userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
|
||||
err = l.authRepo.SelectUser(r.Context(), authSession.ID, data.UserID, userAgentID)
|
||||
if err != nil {
|
||||
l.renderError(w, r, authSession, err)
|
||||
return
|
||||
|