mirror of
https://github.com/zitadel/zitadel.git
synced 2025-04-08 04:04:33 +00:00
c1c85e632b
* feat: set cookie prefix and max age * cookie prefix on csrf cookie * fix: check user agent cookie in login * update oidc pkg * cleanup
143 lines
4.2 KiB
Go
143 lines
4.2 KiB
Go
package handler
|
|
|
|
import (
|
|
"context"
|
|
"net"
|
|
"net/http"
|
|
|
|
"github.com/caos/logging"
|
|
"github.com/gorilla/csrf"
|
|
"github.com/rakyll/statik/fs"
|
|
"golang.org/x/text/language"
|
|
|
|
"github.com/caos/zitadel/internal/api/authz"
|
|
http_utils "github.com/caos/zitadel/internal/api/http"
|
|
"github.com/caos/zitadel/internal/api/http/middleware"
|
|
auth_repository "github.com/caos/zitadel/internal/auth/repository"
|
|
"github.com/caos/zitadel/internal/auth/repository/eventsourcing"
|
|
"github.com/caos/zitadel/internal/crypto"
|
|
"github.com/caos/zitadel/internal/form"
|
|
"github.com/caos/zitadel/internal/id"
|
|
|
|
_ "github.com/caos/zitadel/internal/ui/login/statik"
|
|
)
|
|
|
|
type Login struct {
|
|
endpoint string
|
|
router http.Handler
|
|
renderer *Renderer
|
|
parser *form.Parser
|
|
authRepo auth_repository.Repository
|
|
zitadelURL string
|
|
oidcAuthCallbackURL string
|
|
}
|
|
|
|
type Config struct {
|
|
OidcAuthCallbackURL string
|
|
ZitadelURL string
|
|
LanguageCookieName string
|
|
DefaultLanguage language.Tag
|
|
CSRF CSRF
|
|
UserAgentCookieConfig *middleware.UserAgentCookieConfig
|
|
Cache middleware.CacheConfig
|
|
}
|
|
|
|
type CSRF struct {
|
|
CookieName string
|
|
Key *crypto.KeyConfig
|
|
Development bool
|
|
}
|
|
|
|
const (
|
|
login = "LOGIN"
|
|
handlerPrefix = "/login"
|
|
)
|
|
|
|
func CreateLogin(config Config, authRepo *eventsourcing.EsRepository, localDevMode bool) (*Login, string) {
|
|
login := &Login{
|
|
oidcAuthCallbackURL: config.OidcAuthCallbackURL,
|
|
zitadelURL: config.ZitadelURL,
|
|
authRepo: authRepo,
|
|
}
|
|
prefix := ""
|
|
if localDevMode {
|
|
prefix = handlerPrefix
|
|
}
|
|
statikFS, err := fs.NewWithNamespace("login")
|
|
logging.Log("CONFI-Ga21f").OnError(err).Panic("unable to create filesystem")
|
|
|
|
csrf, err := csrfInterceptor(config.CSRF, login.csrfErrorHandler())
|
|
logging.Log("CONFI-dHR2a").OnError(err).Panic("unable to create csrfInterceptor")
|
|
cache, err := middleware.DefaultCacheInterceptor(EndpointResources, config.Cache.MaxAge.Duration, config.Cache.SharedMaxAge.Duration)
|
|
logging.Log("CONFI-BHq2a").OnError(err).Panic("unable to create cacheInterceptor")
|
|
security := middleware.SecurityHeaders(csp(), login.cspErrorHandler)
|
|
userAgentCookie, err := middleware.NewUserAgentHandler(config.UserAgentCookieConfig, id.SonyFlakeGenerator, localDevMode)
|
|
logging.Log("CONFI-Dvwf2").OnError(err).Panic("unable to create userAgentInterceptor")
|
|
login.router = CreateRouter(login, statikFS, csrf, cache, security, userAgentCookie)
|
|
login.renderer = CreateRenderer(prefix, statikFS, config.LanguageCookieName, config.DefaultLanguage)
|
|
login.parser = form.NewParser()
|
|
return login, prefix
|
|
}
|
|
|
|
func csp() *middleware.CSP {
|
|
csp := middleware.DefaultSCP
|
|
csp.ObjectSrc = middleware.CSPSourceOptsSelf()
|
|
csp.StyleSrc = csp.StyleSrc.AddNonce()
|
|
csp.ScriptSrc = csp.ScriptSrc.AddNonce()
|
|
return &csp
|
|
}
|
|
|
|
func csrfInterceptor(config CSRF, errorHandler http.Handler) (func(http.Handler) http.Handler, error) {
|
|
csrfKey, err := crypto.LoadKey(config.Key, config.Key.EncryptionKeyID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
path := "/"
|
|
return csrf.Protect([]byte(csrfKey),
|
|
csrf.Secure(!config.Development),
|
|
csrf.CookieName(http_utils.SetCookiePrefix(config.CookieName, "", path, !config.Development)),
|
|
csrf.Path(path),
|
|
csrf.ErrorHandler(errorHandler),
|
|
), nil
|
|
}
|
|
|
|
func (l *Login) Handler() http.Handler {
|
|
return l.router
|
|
}
|
|
|
|
func (l *Login) Listen(ctx context.Context) {
|
|
if l.endpoint == "" {
|
|
l.endpoint = ":80"
|
|
} else {
|
|
l.endpoint = ":" + l.endpoint
|
|
}
|
|
|
|
defer logging.LogWithFields("APP-xUZof", "port", l.endpoint).Info("html is listening")
|
|
httpListener, err := net.Listen("tcp", l.endpoint)
|
|
logging.Log("CONFI-W5q2O").OnError(err).Panic("unable to start listener")
|
|
|
|
httpServer := &http.Server{
|
|
Handler: l.router,
|
|
}
|
|
|
|
go func() {
|
|
<-ctx.Done()
|
|
if err = httpServer.Shutdown(ctx); err != nil {
|
|
logging.Log("APP-mJKTv").WithError(err)
|
|
}
|
|
}()
|
|
|
|
go func() {
|
|
err := httpServer.Serve(httpListener)
|
|
logging.Log("APP-oSklt").OnError(err).Panic("unable to start listener")
|
|
}()
|
|
}
|
|
|
|
func setContext(ctx context.Context, resourceOwner string) context.Context {
|
|
data := authz.CtxData{
|
|
UserID: login,
|
|
OrgID: resourceOwner,
|
|
}
|
|
return authz.SetCtxData(ctx, data)
|
|
}
|