TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-06-04 09:38:20 +00:00
Code Issues Packages Projects Releases Wiki Activity
zitadel/internal/login/handler/login.go
Livio Amstutz 1c59d18fee
fix: improvements for login and oidc (#227) 
* add csrf

* caching

* caching

* caching

* caching

* security headers

* csp and security headers

* error handler csp

* select user with display name

* csp

* user selection styling

* username to loginname

* regenerate grpc

* regenerate

* change to login name
2020-06-17 08:06:40 +02:00

128 lines
3.5 KiB
Go
Raw Blame History

package handler
import (
"context"
"net"
"net/http"
"github.com/caos/logging"
"github.com/gorilla/csrf"
"github.com/rakyll/statik/fs"
"golang.org/x/text/language"
"github.com/caos/zitadel/internal/api/auth"
"github.com/caos/zitadel/internal/api/http/middleware"
"github.com/caos/zitadel/internal/auth/repository/eventsourcing"
"github.com/caos/zitadel/internal/crypto"
"github.com/caos/zitadel/internal/form"
_ "github.com/caos/zitadel/internal/login/statik"
)
type Login struct {
endpoint string
router http.Handler
renderer *Renderer
parser *form.Parser
authRepo *eventsourcing.EsRepository
zitadelURL string
oidcAuthCallbackURL string
}
type Config struct {
Port string
OidcAuthCallbackURL string
ZitadelURL string
LanguageCookieName string
DefaultLanguage language.Tag
CSRF CSRF
Cache middleware.CacheConfig
}
type CSRF struct {
CookieName string
Key *crypto.KeyConfig
Development bool
}
const (
login = "LOGIN"
)
func StartLogin(ctx context.Context, config Config, authRepo *eventsourcing.EsRepository) {
login := &Login{
endpoint: config.Port,
oidcAuthCallbackURL: config.OidcAuthCallbackURL,
zitadelURL: config.ZitadelURL,
authRepo: authRepo,
}
statikFS, err := fs.NewWithNamespace("login")
logging.Log("CONFI-Ga21f").OnError(err).Panic("unable to create filesystem")
csrf, err := csrfInterceptor(config.CSRF, login.csrfErrorHandler())
logging.Log("CONFI-dHR2a").OnError(err).Panic("unable to create csrfInterceptor")
cache, err := middleware.DefaultCacheInterceptor(EndpointResources, config.Cache.MaxAge.Duration, config.Cache.SharedMaxAge.Duration)
logging.Log("CONFI-BHq2a").OnError(err).Panic("unable to create cacheInterceptor")
security := middleware.SecurityHeaders(csp(), login.cspErrorHandler)
login.router = CreateRouter(login, statikFS, csrf, cache, security)
login.renderer = CreateRenderer(statikFS, config.LanguageCookieName, config.DefaultLanguage)
login.parser = form.NewParser()
login.Listen(ctx)
}
func csp() *middleware.CSP {
csp := middleware.DefaultSCP
csp.ObjectSrc = middleware.CSPSourceOptsSelf()
csp.StyleSrc = csp.StyleSrc.AddNonce()
csp.ScriptSrc = csp.ScriptSrc.AddNonce()
return &csp
}
func csrfInterceptor(config CSRF, errorHandler http.Handler) (func(http.Handler) http.Handler, error) {
csrfKey, err := crypto.LoadKey(config.Key, config.Key.EncryptionKeyID)
if err != nil {
return nil, err
}
return csrf.Protect([]byte(csrfKey),
csrf.Secure(!config.Development),
csrf.CookieName(config.CookieName),
csrf.ErrorHandler(errorHandler),
), nil
}
func (l *Login) Listen(ctx context.Context) {
if l.endpoint == "" {
l.endpoint = ":80"
} else {
l.endpoint = ":" + l.endpoint
}
defer logging.LogWithFields("APP-xUZof", "port", l.endpoint).Info("html is listening")
httpListener, err := net.Listen("tcp", l.endpoint)
logging.Log("CONFI-W5q2O").OnError(err).Panic("unable to start listener")
httpServer := &http.Server{
Handler: l.router,
}
go func() {
<-ctx.Done()
if err = httpServer.Shutdown(ctx); err != nil {
logging.Log("APP-mJKTv").WithError(err)
}
}()
go func() {
err := httpServer.Serve(httpListener)
logging.Log("APP-oSklt").OnError(err).Panic("unable to start listener")
}()
}
func setContext(ctx context.Context, resourceOwner string) context.Context {
data := auth.CtxData{
UserID: login,
OrgID: resourceOwner,
}
return auth.SetCtxData(ctx, data)
}
Reference in New Issue View Git Blame Copy Permalink