mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-19 06:17:32 +00:00
c1c85e632b
* feat: set cookie prefix and max age * cookie prefix on csrf cookie * fix: check user agent cookie in login * update oidc pkg * cleanup
104 lines
2.6 KiB
Go
104 lines
2.6 KiB
Go
package middleware
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
|
|
http_utils "github.com/caos/zitadel/internal/api/http"
|
|
"github.com/caos/zitadel/internal/config/types"
|
|
"github.com/caos/zitadel/internal/crypto"
|
|
"github.com/caos/zitadel/internal/errors"
|
|
"github.com/caos/zitadel/internal/id"
|
|
)
|
|
|
|
type cookieKey int
|
|
|
|
var (
|
|
userAgentKey cookieKey = 0
|
|
)
|
|
|
|
func UserAgentIDFromCtx(ctx context.Context) (string, bool) {
|
|
userAgentID, ok := ctx.Value(userAgentKey).(string)
|
|
return userAgentID, ok
|
|
}
|
|
|
|
type UserAgent struct {
|
|
ID string
|
|
}
|
|
|
|
type userAgentHandler struct {
|
|
cookieHandler *http_utils.CookieHandler
|
|
cookieName string
|
|
idGenerator id.Generator
|
|
nextHandler http.Handler
|
|
}
|
|
|
|
type UserAgentCookieConfig struct {
|
|
Name string
|
|
Domain string
|
|
Key *crypto.KeyConfig
|
|
MaxAge types.Duration
|
|
}
|
|
|
|
func NewUserAgentHandler(config *UserAgentCookieConfig, idGenerator id.Generator, localDevMode bool) (func(http.Handler) http.Handler, error) {
|
|
key, err := crypto.LoadKey(config.Key, config.Key.EncryptionKeyID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
cookieKey := []byte(key)
|
|
opts := []http_utils.CookieHandlerOpt{
|
|
http_utils.WithEncryption(cookieKey, cookieKey),
|
|
http_utils.WithDomain(config.Domain),
|
|
http_utils.WithMaxAge(int(config.MaxAge.Seconds())),
|
|
}
|
|
if localDevMode {
|
|
opts = append(opts, http_utils.WithUnsecure())
|
|
}
|
|
return func(handler http.Handler) http.Handler {
|
|
return &userAgentHandler{
|
|
nextHandler: handler,
|
|
cookieName: config.Name,
|
|
cookieHandler: http_utils.NewCookieHandler(opts...),
|
|
idGenerator: idGenerator,
|
|
}
|
|
}, nil
|
|
}
|
|
|
|
func (ua *userAgentHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
agent, err := ua.getUserAgent(r)
|
|
if err != nil {
|
|
agent, err = ua.newUserAgent()
|
|
}
|
|
if err == nil {
|
|
ctx := context.WithValue(r.Context(), userAgentKey, agent.ID)
|
|
r = r.WithContext(ctx)
|
|
ua.setUserAgent(w, agent)
|
|
}
|
|
ua.nextHandler.ServeHTTP(w, r)
|
|
}
|
|
|
|
func (ua *userAgentHandler) newUserAgent() (*UserAgent, error) {
|
|
agentID, err := ua.idGenerator.Next()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &UserAgent{ID: agentID}, nil
|
|
}
|
|
|
|
func (ua *userAgentHandler) getUserAgent(r *http.Request) (*UserAgent, error) {
|
|
userAgent := new(UserAgent)
|
|
err := ua.cookieHandler.GetEncryptedCookieValue(r, ua.cookieName, userAgent)
|
|
if err != nil {
|
|
return nil, errors.ThrowPermissionDenied(err, "HTTP-YULqH4", "cannot read user agent cookie")
|
|
}
|
|
return userAgent, nil
|
|
}
|
|
|
|
func (ua *userAgentHandler) setUserAgent(w http.ResponseWriter, agent *UserAgent) error {
|
|
err := ua.cookieHandler.SetEncryptedCookie(w, ua.cookieName, agent)
|
|
if err != nil {
|
|
return errors.ThrowPermissionDenied(err, "HTTP-AqgqdA", "cannot set user agent cookie")
|
|
}
|
|
return nil
|
|
}
|