fix: add interceptors for console (#255)

* add interceptors for console * add interceptors for console to env.json
2025-03-01 03:47:22 +00:00 · 2020-06-22 13:17:29 +02:00 · 2020-06-22 13:17:29 +02:00 · f68a5e63b5
commit f68a5e63b5
parent 66cca48b62
4 changed files with 81 additions and 32 deletions
--- a/cmd/zitadel/startup.yaml
+++ b/cmd/zitadel/startup.yaml
@ -205,6 +205,10 @@ Admin:
 Console:
  Port: 50050
  EnvOverwriteDir: $ZITADEL_CONSOLE_ENV_DIR
+  Cache:
+    MaxAge: $ZITADEL_CACHE_MAXAGE
+    SharedMaxAge: $ZITADEL_CACHE_SHARED_MAXAGE
+  CSPDomain: $ZITADEL_DEFAULT_DOMAIN


 Notification:
--- a/internal/api/http/middleware/csp.go
+++ b/internal/api/http/middleware/csp.go
@ -14,6 +14,7 @@ type CSP struct {
 	MediaSrc    CSPSourceOptions
 	FrameSrc    CSPSourceOptions
 	FontSrc     CSPSourceOptions
+	ManifestSrc CSPSourceOptions
 	ConnectSrc  CSPSourceOptions
 	FormAction  CSPSourceOptions
 }
@ -28,6 +29,7 @@ var (
 		MediaSrc:    CSPSourceOptsNone(),
 		FrameSrc:    CSPSourceOptsNone(),
 		FontSrc:     CSPSourceOptsSelf(),
+		ManifestSrc: CSPSourceOptsSelf(),
 		ConnectSrc:  CSPSourceOptsSelf(),
 	}
 )
@ -57,6 +59,7 @@ func (csp *CSP) asMap() map[string]CSPSourceOptions {
 		"media-src":    csp.MediaSrc,
 		"frame-src":    csp.FrameSrc,
 		"font-src":     csp.FontSrc,
+		"manifest-src": csp.ManifestSrc,
 		"connect-src":  csp.ConnectSrc,
 		"form-action":  csp.FormAction,
 	}
--- a/internal/api/http/middleware/security_headers.go
+++ b/internal/api/http/middleware/security_headers.go
@ -48,7 +48,16 @@ func (h *headers) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		var err error
 		nonce, err = generateNonce(h.nonceLength)
 		if err != nil {
-			h.errorHandler(err).ServeHTTP(w, r)
+			errorHandler := h.errorHandler
+			if errorHandler == nil {
+				errorHandler = func(err error) http.Handler {
+					return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+						http.Error(w, err.Error(), http.StatusInternalServerError)
+						return
+					})
+				}
+			}
+			errorHandler(err).ServeHTTP(w, r)
 			return
 		}
 		r = saveContext(r, nonceKey, nonce)
--- a/pkg/console/console.go
+++ b/pkg/console/console.go
@ -5,15 +5,20 @@ import (
 	"net/http"
 	"os"
 	"path"
+	"strings"
+	"time"

 	"github.com/rakyll/statik/fs"

+	"github.com/caos/zitadel/internal/api/http/middleware"
 	_ "github.com/caos/zitadel/pkg/console/statik"
 )

 type Config struct {
 	Port            string
 	EnvOverwriteDir string
+	Cache           middleware.CacheConfig
+	CSPDomain       string
 }

 type spaHandler struct {
@ -23,6 +28,8 @@ type spaHandler struct {
 const (
 	envRequestPath = "/assets/environment.json"
 	envDefaultDir  = "/console/"
+
+	manifestFile = "/manifest.webmanifest"
 )

 func (i *spaHandler) Open(name string) (http.File, error) {
@ -43,7 +50,33 @@ func Start(ctx context.Context, config Config) error {
 	if config.EnvOverwriteDir != "" {
 		envDir = config.EnvOverwriteDir
 	}
-	http.Handle("/", http.FileServer(&spaHandler{statikFS}))
-	http.Handle(envRequestPath, http.StripPrefix("/assets", http.FileServer(http.Dir(envDir))))
+	cache := AssetsCacheInterceptorIgnoreManifest(config.Cache.MaxAge.Duration, config.Cache.SharedMaxAge.Duration)
+	security := middleware.SecurityHeaders(csp(config.CSPDomain), nil)
+	http.Handle("/", cache(security(http.FileServer(&spaHandler{statikFS}))))
+	http.Handle(envRequestPath, cache(security(http.StripPrefix("/assets", http.FileServer(http.Dir(envDir))))))
 	return http.ListenAndServe(":"+config.Port, nil)
 }
+
+func csp(zitadelDomain string) *middleware.CSP {
+	if !strings.HasPrefix(zitadelDomain, "*.") {
+		zitadelDomain = "*." + zitadelDomain
+	}
+	csp := middleware.DefaultSCP
+	csp.StyleSrc = csp.StyleSrc.AddInline().AddHost("fonts.googleapis.com").AddHost("maxst.icons8.com") //TODO: host it
+	csp.FontSrc = csp.FontSrc.AddHost("fonts.gstatic.com").AddHost("maxst.icons8.com")                  //TODO: host it
+	csp.ScriptSrc = csp.ScriptSrc.AddEval()
+	csp.ConnectSrc = csp.ConnectSrc.AddHost(zitadelDomain)
+	return &csp
+}
+
+func AssetsCacheInterceptorIgnoreManifest(maxAge, sharedMaxAge time.Duration) func(http.Handler) http.Handler {
+	return func(handler http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if r.URL.Path == manifestFile {
+				middleware.NoCacheInterceptor(handler).ServeHTTP(w, r)
+				return
+			}
+			middleware.AssetsCacheInterceptor(maxAge, sharedMaxAge, handler).ServeHTTP(w, r)
+		})
+	}
+}