mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-12 07:47:32 +00:00
fix: caching of assets (correct headers and versioned avatar and variables.css url) (#4118)
* fix: caching of assets (correct headers and versioned avatar url) * serve variables.css versioned and extend shared max age of assets * fix TestCommandSide_AddHumanAvatar * refactor: const types * refactor: return values Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> Co-authored-by: adlerhurst <silvan.reusser@gmail.com>
This commit is contained in:
Livio Spring
@@ -76,7 +76,7 @@ func DefaultErrorHandler(w http.ResponseWriter, r *http.Request, err error, code
|
||||
http.Error(w, err.Error(), code)
|
||||
}
|
||||
|
||||
func NewHandler(commands *command.Commands, verifier *authz.TokenVerifier, authConfig authz.Config, idGenerator id.Generator, storage static.Storage, queries *query.Queries, instanceInterceptor func(handler http.Handler) http.Handler) http.Handler {
|
||||
func NewHandler(commands *command.Commands, verifier *authz.TokenVerifier, authConfig authz.Config, idGenerator id.Generator, storage static.Storage, queries *query.Queries, instanceInterceptor, assetCacheInterceptor func(handler http.Handler) http.Handler) http.Handler {
|
||||
h := &Handler{
|
||||
commands: commands,
|
||||
errorHandler: DefaultErrorHandler,
|
||||
@@ -88,7 +88,7 @@ func NewHandler(commands *command.Commands, verifier *authz.TokenVerifier, authC
|
||||
|
||||
verifier.RegisterServer("Assets-API", "assets", AssetsService_AuthMethods)
|
||||
router := mux.NewRouter()
|
||||
router.Use(instanceInterceptor)
|
||||
router.Use(instanceInterceptor, assetCacheInterceptor)
|
||||
RegisterRoutes(router, h)
|
||||
router.PathPrefix("/{owner}").Methods("GET").HandlerFunc(DownloadHandleFunc(h, h.GetFile()))
|
||||
return http_util.CopyHeadersToContext(http_mw.CORSInterceptor(router))
|
||||
@@ -190,6 +190,10 @@ func DownloadHandleFunc(s AssetsService, downloader Downloader) func(http.Respon
|
||||
}
|
||||
|
||||
func GetAsset(w http.ResponseWriter, r *http.Request, resourceOwner, objectName string, storage static.Storage) error {
|
||||
split := strings.Split(objectName, "?v=")
|
||||
if len(split) == 2 {
|
||||
objectName = split[0]
|
||||
}
|
||||
data, getInfo, err := storage.GetObject(r.Context(), authz.GetInstance(r.Context()).InstanceID(), resourceOwner, objectName)
|
||||
if err != nil {
|
||||
return fmt.Errorf("download failed: %v", err)
|
||||
@@ -198,14 +202,16 @@ func GetAsset(w http.ResponseWriter, r *http.Request, resourceOwner, objectName
|
||||
if err != nil {
|
||||
return fmt.Errorf("download failed: %v", err)
|
||||
}
|
||||
if info.Hash == r.Header.Get(http_util.IfNoneMatch) {
|
||||
if info.Hash == strings.Trim(r.Header.Get(http_util.IfNoneMatch), "\"") {
|
||||
w.Header().Set(http_util.LastModified, info.LastModified.Format(time.RFC1123))
|
||||
w.Header().Set(http_util.Etag, "\""+info.Hash+"\"")
|
||||
w.WriteHeader(304)
|
||||
return nil
|
||||
}
|
||||
w.Header().Set(http_util.ContentLength, strconv.FormatInt(info.Size, 10))
|
||||
w.Header().Set(http_util.ContentType, info.ContentType)
|
||||
w.Header().Set(http_util.LastModified, info.LastModified.Format(time.RFC1123))
|
||||
w.Header().Set(http_util.Etag, info.Hash)
|
||||
w.Header().Set(http_util.Etag, "\""+info.Hash+"\"")
|
||||
_, err = w.Write(data)
|
||||
logging.New().OnError(err).Error("error writing response for asset")
|
||||
return nil
|
||||
|
||||
@@ -3,7 +3,6 @@ package middleware
|
||||
import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
"regexp"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
@@ -24,16 +23,16 @@ type Cacheability string
|
||||
|
||||
const (
|
||||
CacheabilityNotSet Cacheability = ""
|
||||
CacheabilityPublic = "public"
|
||||
CacheabilityPrivate = "private"
|
||||
CacheabilityPublic Cacheability = "public"
|
||||
CacheabilityPrivate Cacheability = "private"
|
||||
)
|
||||
|
||||
type Revalidation string
|
||||
|
||||
const (
|
||||
RevalidationNotSet Revalidation = ""
|
||||
RevalidationMust = "must-revalidate"
|
||||
RevalidationProxy = "proxy-revalidate"
|
||||
RevalidationMust Revalidation = "must-revalidate"
|
||||
RevalidationProxy Revalidation = "proxy-revalidate"
|
||||
)
|
||||
|
||||
type CacheConfig struct {
|
||||
@@ -54,40 +53,42 @@ var (
|
||||
}
|
||||
)
|
||||
|
||||
func DefaultCacheInterceptor(pattern string, maxAge, sharedMaxAge time.Duration) (func(http.Handler) http.Handler, error) {
|
||||
regex, err := regexp.Compile(pattern)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
func NoCacheInterceptor() *cacheInterceptor {
|
||||
return CacheInterceptorOpts(NeverCacheOptions)
|
||||
}
|
||||
|
||||
func AssetsCacheInterceptor(maxAge, sharedMaxAge time.Duration) *cacheInterceptor {
|
||||
return CacheInterceptorOpts(AssetOptions(maxAge, sharedMaxAge))
|
||||
}
|
||||
|
||||
func CacheInterceptorOpts(cache *Cache) *cacheInterceptor {
|
||||
return &cacheInterceptor{
|
||||
cache: cache,
|
||||
}
|
||||
return func(handler http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
if regex.MatchString(r.URL.Path) {
|
||||
AssetsCacheInterceptor(maxAge, sharedMaxAge, handler).ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
NoCacheInterceptor(handler).ServeHTTP(w, r)
|
||||
})
|
||||
}, nil
|
||||
}
|
||||
|
||||
func NoCacheInterceptor(h http.Handler) http.Handler {
|
||||
return CacheInterceptorOpts(h, NeverCacheOptions)
|
||||
type cacheInterceptor struct {
|
||||
cache *Cache
|
||||
}
|
||||
|
||||
func AssetsCacheInterceptor(maxAge, sharedMaxAge time.Duration, h http.Handler) http.Handler {
|
||||
return CacheInterceptorOpts(h, AssetOptions(maxAge, sharedMaxAge))
|
||||
}
|
||||
|
||||
func CacheInterceptorOpts(h http.Handler, cache *Cache) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
|
||||
cachingResponseWriter := &cachingResponseWriter{
|
||||
func (c *cacheInterceptor) Handler(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
next.ServeHTTP(&cachingResponseWriter{
|
||||
ResponseWriter: w,
|
||||
Cache: cache,
|
||||
}
|
||||
h.ServeHTTP(cachingResponseWriter, req)
|
||||
Cache: c.cache,
|
||||
}, r)
|
||||
})
|
||||
}
|
||||
|
||||
func (c *cacheInterceptor) HandlerFunc(next http.HandlerFunc) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
next.ServeHTTP(&cachingResponseWriter{
|
||||
ResponseWriter: w,
|
||||
Cache: c.cache,
|
||||
}, r)
|
||||
}
|
||||
}
|
||||
|
||||
type cachingResponseWriter struct {
|
||||
http.ResponseWriter
|
||||
*Cache
|
||||
@@ -121,16 +122,16 @@ func (c *Cache) serializeHeaders(w http.ResponseWriter) {
|
||||
expires := time.Now().UTC().Add(maxAge).Format(http.TimeFormat)
|
||||
|
||||
if c.NoCache {
|
||||
control = append(control, fmt.Sprintf("no-cache"))
|
||||
control = append(control, "no-cache")
|
||||
pragma = true
|
||||
}
|
||||
|
||||
if c.NoStore {
|
||||
control = append(control, fmt.Sprintf("no-store"))
|
||||
control = append(control, "no-store")
|
||||
pragma = true
|
||||
}
|
||||
if c.NoTransform {
|
||||
control = append(control, fmt.Sprintf("no-transform"))
|
||||
control = append(control, "no-transform")
|
||||
}
|
||||
|
||||
if c.Revalidation != RevalidationNotSet {
|
||||
|
||||
@@ -123,7 +123,7 @@ func createOptions(config Config, externalSecure bool, userAgentCookie, instance
|
||||
op.WithHttpInterceptors(
|
||||
middleware.MetricsHandler(metricTypes),
|
||||
middleware.TelemetryHandler(),
|
||||
middleware.NoCacheInterceptor,
|
||||
middleware.NoCacheInterceptor().Handler,
|
||||
instanceHandler,
|
||||
userAgentCookie,
|
||||
http_utils.CopyHeadersToContext,
|
||||
|
||||
@@ -147,12 +147,11 @@ func assetsCacheInterceptorIgnoreManifest(shortMaxAge, shortSharedMaxAge, longMa
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
for _, file := range shortCacheFiles {
|
||||
if r.URL.Path == file || isIndexOrSubPath(r.URL.Path) {
|
||||
middleware.AssetsCacheInterceptor(shortMaxAge, shortSharedMaxAge, handler).ServeHTTP(w, r)
|
||||
middleware.AssetsCacheInterceptor(shortMaxAge, shortSharedMaxAge).Handler(handler).ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
}
|
||||
middleware.AssetsCacheInterceptor(longMaxAge, longSharedMaxAge, handler).ServeHTTP(w, r)
|
||||
return
|
||||
middleware.AssetsCacheInterceptor(longMaxAge, longSharedMaxAge).Handler(handler).ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
@@ -5,6 +5,7 @@ import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/gorilla/csrf"
|
||||
"github.com/gorilla/mux"
|
||||
@@ -44,6 +45,7 @@ type Config struct {
|
||||
LanguageCookieName string
|
||||
CSRFCookieName string
|
||||
Cache middleware.CacheConfig
|
||||
AssetCache middleware.CacheConfig
|
||||
}
|
||||
|
||||
const (
|
||||
@@ -62,7 +64,8 @@ func CreateLogin(config Config,
|
||||
externalSecure bool,
|
||||
userAgentCookie,
|
||||
issuerInterceptor,
|
||||
instanceHandler mux.MiddlewareFunc,
|
||||
instanceHandler,
|
||||
assetCache mux.MiddlewareFunc,
|
||||
userCodeAlg crypto.EncryptionAlgorithm,
|
||||
idpConfigAlg crypto.EncryptionAlgorithm,
|
||||
csrfCookieKey []byte,
|
||||
@@ -84,14 +87,8 @@ func CreateLogin(config Config,
|
||||
return nil, fmt.Errorf("unable to create filesystem: %w", err)
|
||||
}
|
||||
|
||||
csrfInterceptor, err := createCSRFInterceptor(config.CSRFCookieName, csrfCookieKey, externalSecure, login.csrfErrorHandler())
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to create csrfInterceptor: %w", err)
|
||||
}
|
||||
cacheInterceptor, err := middleware.DefaultCacheInterceptor(EndpointResources, config.Cache.MaxAge, config.Cache.SharedMaxAge)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to create cacheInterceptor: %w", err)
|
||||
}
|
||||
csrfInterceptor := createCSRFInterceptor(config.CSRFCookieName, csrfCookieKey, externalSecure, login.csrfErrorHandler())
|
||||
cacheInterceptor := createCacheInterceptor(config.Cache.MaxAge, config.Cache.SharedMaxAge, assetCache)
|
||||
security := middleware.SecurityHeaders(csp(), login.cspErrorHandler)
|
||||
|
||||
login.router = CreateRouter(login, statikFS, middleware.TelemetryHandler(IgnoreInstanceEndpoints...), instanceHandler, csrfInterceptor, cacheInterceptor, security, userAgentCookie, issuerInterceptor)
|
||||
@@ -108,7 +105,7 @@ func csp() *middleware.CSP {
|
||||
return &csp
|
||||
}
|
||||
|
||||
func createCSRFInterceptor(cookieName string, csrfCookieKey []byte, externalSecure bool, errorHandler http.Handler) (func(http.Handler) http.Handler, error) {
|
||||
func createCSRFInterceptor(cookieName string, csrfCookieKey []byte, externalSecure bool, errorHandler http.Handler) func(http.Handler) http.Handler {
|
||||
path := "/"
|
||||
return func(handler http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
@@ -123,7 +120,23 @@ func createCSRFInterceptor(cookieName string, csrfCookieKey []byte, externalSecu
|
||||
csrf.ErrorHandler(errorHandler),
|
||||
)(handler).ServeHTTP(w, r)
|
||||
})
|
||||
}, nil
|
||||
}
|
||||
}
|
||||
|
||||
func createCacheInterceptor(maxAge, sharedMaxAge time.Duration, assetCache mux.MiddlewareFunc) func(http.Handler) http.Handler {
|
||||
return func(handler http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
if strings.HasPrefix(r.URL.Path, EndpointDynamicResources) {
|
||||
assetCache.Middleware(handler).ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
if strings.HasPrefix(r.URL.Path, EndpointResources) {
|
||||
middleware.AssetsCacheInterceptor(maxAge, sharedMaxAge).Handler(handler).ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
middleware.NoCacheInterceptor().Handler(handler).ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func (l *Login) Handler() http.Handler {
|
||||
|
||||
@@ -8,6 +8,7 @@ import (
|
||||
"net/http"
|
||||
"path"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/gorilla/csrf"
|
||||
"github.com/zitadel/logging"
|
||||
@@ -84,19 +85,13 @@ func CreateRenderer(pathPrefix string, staticDir http.FileSystem, staticStorage
|
||||
return path.Join(r.pathPrefix, EndpointResources, "themes", theme, file)
|
||||
},
|
||||
"hasCustomPolicy": func(policy *domain.LabelPolicy) bool {
|
||||
if policy != nil {
|
||||
return true
|
||||
}
|
||||
return false
|
||||
return policy != nil
|
||||
},
|
||||
"hasWatermark": func(policy *domain.LabelPolicy) bool {
|
||||
if policy != nil && policy.DisableWatermark {
|
||||
return false
|
||||
}
|
||||
return true
|
||||
return policy == nil || !policy.DisableWatermark
|
||||
},
|
||||
"variablesCssFileUrl": func(orgID string, policy *domain.LabelPolicy) string {
|
||||
cssFile := domain.CssPath + "/" + domain.CssVariablesFileName
|
||||
cssFile := domain.CssPath + "/" + domain.CssVariablesFileName + "?v=" + policy.ChangeDate.Format(time.RFC3339)
|
||||
return path.Join(r.pathPrefix, fmt.Sprintf("%s?%s=%s&%s=%v&%s=%s", EndpointDynamicResources, "orgId", orgID, "default-policy", policy.Default, "filename", cssFile))
|
||||
},
|
||||
"customLogoResource": func(orgID string, policy *domain.LabelPolicy, darkMode bool) string {
|
||||
|
||||
Reference in New Issue
Block a user