TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 21:17:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: check allowed origins from calling and not called application (#2106)

Browse Source 
* fix: check allowed origins from calling and not called application

* fix test
This commit is contained in:
Livio Amstutz
2021-07-30 11:30:51 +02:00
committed by GitHub
parent de9f88bf5b
commit e1a3cc732d
5 changed files with 20 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
internal/authz/repository/eventsourcing/eventstore/token_verifier.go
View File

@@ -65,40 +65,40 @@ func (repo *TokenVerifierRepo) TokenByID(ctx context.Context, tokenID, userID st
return model.TokenViewToModel(token), nil
}
func (repo *TokenVerifierRepo) VerifyAccessToken(ctx context.Context, tokenString, clientID string) (userID string, agentID string, prefLang, resourceOwner string, err error) {
func (repo *TokenVerifierRepo) VerifyAccessToken(ctx context.Context, tokenString, verifierClientID string) (userID string, agentID string, clientID, prefLang, resourceOwner string, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
tokenData, err := base64.RawURLEncoding.DecodeString(tokenString)
if err != nil {
return "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-ASdgg", "invalid token")
return "", "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-ASdgg", "invalid token")
}
tokenIDSubject, err := repo.TokenVerificationKey.DecryptString(tokenData, repo.TokenVerificationKey.EncryptionKeyID())
if err != nil {
return "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-8EF0zZ", "invalid token")
return "", "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-8EF0zZ", "invalid token")
}
splittedToken := strings.Split(tokenIDSubject, ":")
if len(splittedToken) != 2 {
return "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-GDg3a", "invalid token")
return "", "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-GDg3a", "invalid token")
}
token, err := repo.TokenByID(ctx, splittedToken[0], splittedToken[1])
if err != nil {
return "", "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-BxUSiL", "invalid token")
return "", "", "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-BxUSiL", "invalid token")
}
if !token.Expiration.After(time.Now().UTC()) {
return "", "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-k9KS0", "invalid token")
return "", "", "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-k9KS0", "invalid token")
}
projectID, _, err := repo.ProjectIDAndOriginsByClientID(ctx, clientID)
projectID, _, err := repo.ProjectIDAndOriginsByClientID(ctx, verifierClientID)
if err != nil {
return "", "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-5M9so", "invalid token")
return "", "", "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-5M9so", "invalid token")
}
for _, aud := range token.Audience {
if clientID == aud || projectID == aud {
return token.UserID, token.UserAgentID, token.PreferredLanguage, token.ResourceOwner, nil
if verifierClientID == aud || projectID == aud {
return token.UserID, token.UserAgentID, token.ApplicationID, token.PreferredLanguage, token.ResourceOwner, nil
}
}
return "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-Zxfako", "invalid audience")
return "", "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-Zxfako", "invalid audience")
}
func (repo *TokenVerifierRepo) ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (projectID string, origins []string, err error) {