zitadel

TheArchive/zitadel

Fork 0

mirror of https://github.com/zitadel/zitadel.git synced 2025-07-02 07:08:32 +00:00

Commit Graph

Author	SHA1	Message	Date
Livio Spring	fdb9bba6c7	chore: update dependencies (#9784 ) # Which Problems Are Solved Some dependencies are out of date and published new version including (unaffected) vulnerability fixes. # How the Problems Are Solved - Updated at least all direct dependencies apart from i18n, webauthn (existing issues), - crewjam (https://github.com/zitadel/zitadel/issues/9783) and - github.com/gorilla/csrf (https://github.com/gorilla/csrf/issues/190, https://github.com/gorilla/csrf/issues/189, https://github.com/gorilla/csrf/issues/188, https://github.com/gorilla/csrf/issues/187, https://github.com/gorilla/csrf/issues/186) - noteworthy: https://github.com/golang/go/issues/73626 - Some dependencies require Go 1.24, which triggered an update for zitadel to go 1.24 as well. # Additional Changes None # Additional Context None (cherry picked from commit 968d91a3e0a745fda5b6dfbffdbf1dee8f1306a6)	2025-05-21 13:52:42 +02:00
Tim Möhlmann	7a34697267	fix(oidc): return bad request for base64 errors (#7730 ) * fix(oidc): return bad request for base64 errors We've recently noticed an increased amount of 500: internal server error status returns on zitadel cloud. The source of these errors appear to be erroneous input in fields that are supposed to be bas64 formatted. ``` time=2024-04-08T14:05:47.600Z level=ERROR msg="request error" oidc_error.parent="ID=OIDC-AhX2u Message=Errors.Internal Parent=(illegal base64 data at input byte 8)" oidc_error.description=Errors.Internal oidc_error.type=server_error status_code=500 ``` Within the possible code paths of the token endpoint there are a couple of uses of base64.Encoding.DecodeString of which a returned error was not properly wrapped, but returned as-is. This causes the oidc error handler to return a 500 with the `OIDC-AhX2u` ID. We were not able to pinpoint the exact errors that are happening to any one call of `DecodeString`. This fix wraps all errors from `DecodeString` so that proper 400: bad request is returned with information about the error. Each wrapper now has an unique error ID, so that logs will contain the source of the error as well. This bug was reported internally by the ops team. * catch op.ErrInvalidRefreshToken (cherry picked from commit c8e0b30e172bb9aace14dd5b77ec7f0379fb8502)	2024-04-09 14:02:28 +02:00
Tim Möhlmann	af4e0484d0	fix: uniform oidc errors (#7237 ) * fix: uniform oidc errors sanitize oidc error reporting when passing package boundary towards oidc. * add should TriggerBulk in get audiences for auth request * upgrade to oidc 3.10.1 * provisional oidc upgrade to error branch * pin oidc 3.10.2	2024-01-18 07:10:49 +01:00

Author

SHA1

Message

Date

Livio Spring

fdb9bba6c7

chore: update dependencies (#9784 )

# Which Problems Are Solved

Some dependencies are out of date and published new version including
(unaffected) vulnerability fixes.

# How the Problems Are Solved

- Updated at least all direct dependencies apart from i18n, webauthn
(existing issues),
  -  crewjam (https://github.com/zitadel/zitadel/issues/9783) and
- github.com/gorilla/csrf (https://github.com/gorilla/csrf/issues/190,
https://github.com/gorilla/csrf/issues/189,
https://github.com/gorilla/csrf/issues/188,
https://github.com/gorilla/csrf/issues/187,
https://github.com/gorilla/csrf/issues/186)
      -  noteworthy: https://github.com/golang/go/issues/73626
- Some dependencies require Go 1.24, which triggered an update for
zitadel to go 1.24 as well.

# Additional Changes

None

# Additional Context

None

(cherry picked from commit 968d91a3e0a745fda5b6dfbffdbf1dee8f1306a6)

2025-05-21 13:52:42 +02:00

Tim Möhlmann

7a34697267

fix(oidc): return bad request for base64 errors (#7730 )

* fix(oidc): return bad request for base64 errors

We've recently noticed an increased amount of 500: internal server error status returns on zitadel cloud.
The source of these errors appear to be erroneous input in fields that are supposed to be bas64 formatted.

```
time=2024-04-08T14:05:47.600Z level=ERROR msg="request error" oidc_error.parent="ID=OIDC-AhX2u Message=Errors.Internal Parent=(illegal base64 data at input byte 8)" oidc_error.description=Errors.Internal oidc_error.type=server_error status_code=500
```

Within the possible code paths of the token endpoint there are a couple of uses of base64.Encoding.DecodeString of which a returned error was not properly wrapped, but returned as-is.
This causes the oidc error handler to return a 500 with the `OIDC-AhX2u` ID.
We were not able to pinpoint the exact errors that are happening to any one call of `DecodeString`.

This fix wraps all errors from `DecodeString` so that proper 400: bad request is returned with information about the error. Each wrapper now has an unique error ID, so that logs will contain the source of the error as well.

This bug was reported internally by the ops team.

* catch op.ErrInvalidRefreshToken

(cherry picked from commit c8e0b30e172bb9aace14dd5b77ec7f0379fb8502)

2024-04-09 14:02:28 +02:00

Tim Möhlmann

af4e0484d0

fix: uniform oidc errors (#7237 )

* fix: uniform oidc errors

sanitize oidc error reporting when passing package boundary towards oidc.

* add should TriggerBulk in get audiences for auth request

* upgrade to oidc 3.10.1

* provisional oidc upgrade to error branch

* pin oidc 3.10.2

2024-01-18 07:10:49 +01:00

3 Commits