	fix: check allowed origins from calling and not called application (#2106)
* fix: check allowed origins from calling and not called application * fix test
		| @@ -65,40 +65,40 @@ func (repo *TokenVerifierRepo) TokenByID(ctx context.Context, tokenID, userID st | ||||
| 	return model.TokenViewToModel(token), nil | ||||
| } | ||||
|  | ||||
| func (repo *TokenVerifierRepo) VerifyAccessToken(ctx context.Context, tokenString, clientID string) (userID string, agentID string, prefLang, resourceOwner string, err error) { | ||||
| func (repo *TokenVerifierRepo) VerifyAccessToken(ctx context.Context, tokenString, verifierClientID string) (userID string, agentID string, clientID, prefLang, resourceOwner string, err error) { | ||||
| 	ctx, span := tracing.NewSpan(ctx) | ||||
| 	defer func() { span.EndWithError(err) }() | ||||
| 	tokenData, err := base64.RawURLEncoding.DecodeString(tokenString) | ||||
| 	if err != nil { | ||||
| 		return "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-ASdgg", "invalid token") | ||||
| 		return "", "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-ASdgg", "invalid token") | ||||
| 	} | ||||
| 	tokenIDSubject, err := repo.TokenVerificationKey.DecryptString(tokenData, repo.TokenVerificationKey.EncryptionKeyID()) | ||||
| 	if err != nil { | ||||
| 		return "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-8EF0zZ", "invalid token") | ||||
| 		return "", "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-8EF0zZ", "invalid token") | ||||
| 	} | ||||
|  | ||||
| 	splittedToken := strings.Split(tokenIDSubject, ":") | ||||
| 	if len(splittedToken) != 2 { | ||||
| 		return "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-GDg3a", "invalid token") | ||||
| 		return "", "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-GDg3a", "invalid token") | ||||
| 	} | ||||
| 	token, err := repo.TokenByID(ctx, splittedToken[0], splittedToken[1]) | ||||
| 	if err != nil { | ||||
| 		return "", "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-BxUSiL", "invalid token") | ||||
| 		return "", "", "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-BxUSiL", "invalid token") | ||||
| 	} | ||||
| 	if !token.Expiration.After(time.Now().UTC()) { | ||||
| 		return "", "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-k9KS0", "invalid token") | ||||
| 		return "", "", "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-k9KS0", "invalid token") | ||||
| 	} | ||||
|  | ||||
| 	projectID, _, err := repo.ProjectIDAndOriginsByClientID(ctx, clientID) | ||||
| 	projectID, _, err := repo.ProjectIDAndOriginsByClientID(ctx, verifierClientID) | ||||
| 	if err != nil { | ||||
| 		return "", "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-5M9so", "invalid token") | ||||
| 		return "", "", "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-5M9so", "invalid token") | ||||
| 	} | ||||
| 	for _, aud := range token.Audience { | ||||
| 		if clientID == aud || projectID == aud { | ||||
| 			return token.UserID, token.UserAgentID, token.PreferredLanguage, token.ResourceOwner, nil | ||||
| 		if verifierClientID == aud || projectID == aud { | ||||
| 			return token.UserID, token.UserAgentID, token.ApplicationID, token.PreferredLanguage, token.ResourceOwner, nil | ||||
| 		} | ||||
| 	} | ||||
| 	return "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-Zxfako", "invalid audience") | ||||
| 	return "", "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-Zxfako", "invalid audience") | ||||
| } | ||||
|  | ||||
| func (repo *TokenVerifierRepo) ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (projectID string, origins []string, err error) { | ||||
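Review bot: The new sixth result, `token.ApplicationID`, is handed back unchecked and the exported method still has no doc comment saying which of the two client IDs is which, which is exactly the confusion this commit fixes: `verifierClientID` is the application performing the check, the returned `clientID` is the application the token was issued to. I would add above the signature: `// VerifyAccessToken decrypts and validates tokenString on behalf of verifierClientID (the application` / `// calling verify); clientID in the result is the application the token was issued to and is what` / `// callers must use for allowed-origin checks.`, plus a hedged line that ApplicationID may be empty for tokens not bound to an application and that the (out-of-hunk) origin check should then allow nothing rather than fall back to the verifier's origins. In the expired-token branch `caos_errs.ThrowUnauthenticated(err, "APP-k9KS0", "invalid token")` wraps an `err` that is always nil there, since a non-nil TokenByID error already returned two lines earlier; `nil` reads more honestly. A failure of `ProjectIDAndOriginsByClientID` for the verifier's own client ID is also surfaced as "invalid token", which hides a verifier misconfiguration behind a token-holder error; that is pre-existing, but a distinct error id would make such incidents easier to triage.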
|   | ||||
	 Livio Amstutz
					Livio Amstutz