mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-13 19:44:21 +00:00
3549a8b64e
* move mgmt pkg * begin package restructure * rename auth package to authz * begin start api * move auth * move admin * fix merge * configs and interceptors * interceptor * revert generate-grpc.sh * some cleanups * console * move console * fix tests and merging * js linting * merge * merging and configs * change k8s base to current ports * fixes * cleanup * regenerate proto * remove unnecessary whitespace * missing param * go mod tidy * fix merging * move login pkg * cleanup * move api pkgs again * fix pkg naming * fix generate-static.sh for login * update workflow * fixes * logging * remove duplicate * comment for optional gateway interfaces * regenerate protos * fix proto imports for grpc web * protos * grpc web generate * grpc web generate * fix changes * add translation interceptor * fix merging * regenerate mgmt proto
100 lines
2.4 KiB
Go
100 lines
2.4 KiB
Go
package middleware
|
|
|
|
import (
|
|
"context"
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"net/http"
|
|
|
|
http_utils "github.com/caos/zitadel/internal/api/http"
|
|
)
|
|
|
|
type key int
|
|
|
|
const (
|
|
nonceKey key = 0
|
|
|
|
DefaultNonceLength = uint(32)
|
|
)
|
|
|
|
func SecurityHeaders(csp *CSP, errorHandler func(error) http.Handler, nonceLength ...uint) func(http.Handler) http.Handler {
|
|
return func(handler http.Handler) http.Handler {
|
|
if csp == nil {
|
|
csp = &DefaultSCP
|
|
}
|
|
length := DefaultNonceLength
|
|
if len(nonceLength) > 0 {
|
|
length = nonceLength[0]
|
|
}
|
|
return &headers{
|
|
csp: csp,
|
|
handler: handler,
|
|
errorHandler: errorHandler,
|
|
nonceLength: length,
|
|
}
|
|
}
|
|
}
|
|
|
|
type headers struct {
|
|
csp *CSP
|
|
handler http.Handler
|
|
errorHandler func(err error) http.Handler
|
|
nonceLength uint
|
|
}
|
|
|
|
func (h *headers) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
nonce := GetNonce(r)
|
|
if nonce == "" {
|
|
var err error
|
|
nonce, err = generateNonce(h.nonceLength)
|
|
if err != nil {
|
|
errorHandler := h.errorHandler
|
|
if errorHandler == nil {
|
|
errorHandler = func(err error) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
return
|
|
})
|
|
}
|
|
}
|
|
errorHandler(err).ServeHTTP(w, r)
|
|
return
|
|
}
|
|
r = saveContext(r, nonceKey, nonce)
|
|
}
|
|
headers := w.Header()
|
|
headers.Set(http_utils.ContentSecurityPolicy, h.csp.Value(nonce))
|
|
headers.Set(http_utils.XXSSProtection, "1; mode=block")
|
|
headers.Set(http_utils.StrictTransportSecurity, "max-age=31536000; includeSubDomains")
|
|
headers.Set(http_utils.XFrameOptions, "DENY")
|
|
headers.Set(http_utils.XContentTypeOptions, "nosniff")
|
|
headers.Set(http_utils.ReferrerPolicy, "same-origin")
|
|
headers.Set(http_utils.FeaturePolicy, "payment 'none'")
|
|
//PLANNED: add expect-ct
|
|
|
|
h.handler.ServeHTTP(w, r)
|
|
}
|
|
|
|
func GetNonce(r *http.Request) string {
|
|
nonce, _ := getContext(r, nonceKey).(string)
|
|
return nonce
|
|
}
|
|
|
|
func generateNonce(length uint) (string, error) {
|
|
b := make([]byte, length)
|
|
_, err := rand.Read(b)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return base64.StdEncoding.EncodeToString(b), nil
|
|
}
|
|
|
|
func saveContext(r *http.Request, key, value interface{}) *http.Request {
|
|
ctx := context.WithValue(r.Context(), key, value)
|
|
return r.WithContext(ctx)
|
|
}
|
|
|
|
func getContext(r *http.Request, key interface{}) interface{} {
|
|
return r.Context().Value(key)
|
|
}
|