From 3b0ab8f0480dc48c3e8cca17ddc9c1d3cfa80cd7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Jul 2025 13:27:39 +0300 Subject: [PATCH 1/6] chore(deps): bump github.com/go-chi/chi/v5 in the go_modules group (#759) Bumps the go_modules group with 1 update: [github.com/go-chi/chi/v5](https://github.com/go-chi/chi). Updates `github.com/go-chi/chi/v5` from 5.2.1 to 5.2.2 - [Release notes](https://github.com/go-chi/chi/releases) - [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md) - [Commits](https://github.com/go-chi/chi/compare/v5.2.1...v5.2.2) --- updated-dependencies: - dependency-name: github.com/go-chi/chi/v5 dependency-version: 5.2.2 dependency-type: direct:production dependency-group: go_modules ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 33db99e..5edbeae 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,7 @@ toolchain go1.24.1 require ( github.com/bmatcuk/doublestar/v4 v4.8.1 - github.com/go-chi/chi/v5 v5.2.1 + github.com/go-chi/chi/v5 v5.2.2 github.com/go-jose/go-jose/v4 v4.0.5 github.com/golang/mock v1.6.0 github.com/google/go-github/v31 v31.0.0 diff --git a/go.sum b/go.sum index 4835505..22d2100 100644 --- a/go.sum +++ b/go.sum @@ -3,8 +3,8 @@ github.com/bmatcuk/doublestar/v4 v4.8.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTS github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8= -github.com/go-chi/chi/v5 v5.2.1/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops= +github.com/go-chi/chi/v5 v5.2.2 h1:CMwsvRVTbXVytCk1Wd72Zy1LAsAh9GxMmSNWLHCG618= +github.com/go-chi/chi/v5 v5.2.2/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops= github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE= github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= From 71b7500c62b356d3ad90adb1eabefa55511e6929 Mon Sep 17 00:00:00 2001 From: Jonathan Yoder Date: Wed, 2 Jul 2025 08:34:13 -0400 Subject: [PATCH 2/6] fix: Omit empty assertion fields in client creds request (#745) --- pkg/oidc/token_request.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/oidc/token_request.go b/pkg/oidc/token_request.go index dadb205..1de1890 100644 --- a/pkg/oidc/token_request.go +++ b/pkg/oidc/token_request.go @@ -240,6 +240,6 @@ type ClientCredentialsRequest struct { Scope SpaceDelimitedArray `schema:"scope"` ClientID string `schema:"client_id"` ClientSecret string `schema:"client_secret"` - ClientAssertion string `schema:"client_assertion"` - ClientAssertionType string `schema:"client_assertion_type"` + ClientAssertion string `schema:"client_assertion,omitempty"` + ClientAssertionType string `schema:"client_assertion_type,omitempty"` } From d09a9524100763782623297546d4a88d93516336 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Jul 2025 08:58:28 +0200 Subject: [PATCH 3/6] chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.8.1 to 4.9.0 (#769) Bumps [github.com/bmatcuk/doublestar/v4](https://github.com/bmatcuk/doublestar) from 4.8.1 to 4.9.0. - [Release notes](https://github.com/bmatcuk/doublestar/releases) - [Commits](https://github.com/bmatcuk/doublestar/compare/v4.8.1...v4.9.0) --- updated-dependencies: - dependency-name: github.com/bmatcuk/doublestar/v4 dependency-version: 4.9.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 5edbeae..b4edee5 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.23.7 toolchain go1.24.1 require ( - github.com/bmatcuk/doublestar/v4 v4.8.1 + github.com/bmatcuk/doublestar/v4 v4.9.0 github.com/go-chi/chi/v5 v5.2.2 github.com/go-jose/go-jose/v4 v4.0.5 github.com/golang/mock v1.6.0 diff --git a/go.sum b/go.sum index 22d2100..af97299 100644 --- a/go.sum +++ b/go.sum @@ -1,5 +1,5 @@ -github.com/bmatcuk/doublestar/v4 v4.8.1 h1:54Bopc5c2cAvhLRAzqOGCYHYyhcDHsFF4wWIR5wKP38= -github.com/bmatcuk/doublestar/v4 v4.8.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc= +github.com/bmatcuk/doublestar/v4 v4.9.0 h1:DBvuZxjdKkRP/dr4GVV4w2fnmrk5Hxc90T51LZjv0JA= +github.com/bmatcuk/doublestar/v4 v4.9.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= From 21e830e275e7f3f9731057425f493609510601c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?= Date: Wed, 16 Jul 2025 13:29:59 +0200 Subject: [PATCH 4/6] feat: exclude OTEL instrumentation via build tag (#770) * feat: exclude OTEL instrumentation via build tag * add readme --- README.md | 9 +++++++++ internal/otel/otel.go | 12 ++++++++++++ internal/otel/shim.go | 22 ++++++++++++++++++++++ pkg/client/client.go | 2 +- pkg/op/op.go | 4 ++-- 5 files changed, 46 insertions(+), 3 deletions(-) create mode 100644 internal/otel/otel.go create mode 100644 internal/otel/shim.go diff --git a/README.md b/README.md index bc346f5..b7ac81c 100644 --- a/README.md +++ b/README.md @@ -73,6 +73,15 @@ CLIENT_ID=web CLIENT_SECRET=secret ISSUER=http://oidc.local:9998/ SCOPES="openid > Note: Usernames are suffixed with the hostname (`test-user@localhost` or `test-user@oidc.local`) + +### Build Tags + +The library uses build tags to enable or disable features. The following build tags are available: + +| Build Tag | Description | +|-----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `no_otel` | Disables the OTel instrumentation, which is enabled by default. This is useful if you do not want to use OTel or if you want to use a different instrumentation library. | + ### Server configuration Example server allows extra configuration using environment variables and could be used for end to diff --git a/internal/otel/otel.go b/internal/otel/otel.go new file mode 100644 index 0000000..21f734a --- /dev/null +++ b/internal/otel/otel.go @@ -0,0 +1,12 @@ +//go:build !no_otel + +package otel + +import ( + "go.opentelemetry.io/otel" + "go.opentelemetry.io/otel/trace" +) + +func Tracer(name string) trace.Tracer { + return otel.Tracer(name) +} diff --git a/internal/otel/shim.go b/internal/otel/shim.go new file mode 100644 index 0000000..62d3b0c --- /dev/null +++ b/internal/otel/shim.go @@ -0,0 +1,22 @@ +//go:build no_otel + +package otel + +import ( + "context" +) + +type FakeTracer struct{} +type FakeSpan struct{} + +func Tracer(name string) FakeTracer { + return FakeTracer{} +} + +func (t FakeTracer) Start(ctx context.Context, _ string) (context.Context, FakeSpan) { + return ctx, FakeSpan{} +} + +func (s FakeSpan) End() { + +} diff --git a/pkg/client/client.go b/pkg/client/client.go index 56417b5..c9707f3 100644 --- a/pkg/client/client.go +++ b/pkg/client/client.go @@ -12,7 +12,7 @@ import ( "github.com/go-jose/go-jose/v4" "github.com/zitadel/logging" - "go.opentelemetry.io/otel" + "github.com/zitadel/oidc/v3/internal/otel" "golang.org/x/oauth2" "github.com/zitadel/oidc/v3/pkg/crypto" diff --git a/pkg/op/op.go b/pkg/op/op.go index 58ae838..b761151 100644 --- a/pkg/op/op.go +++ b/pkg/op/op.go @@ -8,10 +8,10 @@ import ( "time" "github.com/go-chi/chi/v5" - jose "github.com/go-jose/go-jose/v4" + "github.com/go-jose/go-jose/v4" "github.com/rs/cors" + "github.com/zitadel/oidc/v3/internal/otel" "github.com/zitadel/schema" - "go.opentelemetry.io/otel" "golang.org/x/text/language" httphelper "github.com/zitadel/oidc/v3/pkg/http" From c0d0ba9b0ff0f3a1efcb579cc19d62fb82e0b824 Mon Sep 17 00:00:00 2001 From: Mark Laing Date: Wed, 16 Jul 2025 13:33:03 +0200 Subject: [PATCH 5/6] feat: Request aware cookie handling (#753) * pkg/http: Add `secureCookieFunc` field to CookieHandler. Signed-off-by: Mark Laing * pkg/http: Add `IsRequestAware` method CookieHandler. Signed-off-by: Mark Laing * pkg/http: Use `secureCookieFunc` when checking a cookie (if set). Signed-off-by: Mark Laing * pkg/http: Error on `SetCookie` if cookie handler is request aware. Signed-off-by: Mark Laing * pkg/http: Add method to set request aware cookies. Signed-off-by: Mark Laing * pkg/http: Add function to create a new request aware cookie handler. Signed-off-by: Mark Laing * pkg/client/rp: Update `trySetStateCookie` function signature. Use `SetRequestAwareCookie` if the cookie handle is request aware. This function signature can be updated because it is not exported. Signed-off-by: Mark Laing * pkg/client/rp: Add `GenerateAndStoreCodeChallengeWithRequest` function. It's not possible to add a `http.Request` argument to `GenerateAndStoreCodeChallenge` as this would be a breaking change. Instead, add a new function that accepts a request argument and call `SetRequestAwareCookie` here. Signed-off-by: Mark Laing * pkg/client/rp: Update PKCE logic to pass request if required by cookie handler. Signed-off-by: Mark Laing * pkg/http: Don't set MaxAge if cookie handler is request aware. The securecookie field can be nil. Expect the caller to set max age on the securecookie returned by the secureCookieFunc. Signed-off-by: Mark Laing * pkg/client: Add integration tests for request aware cookie handling. Adds a new type `cookieSpec` which is accepted as an argument to `RunAuthorizationCodeFlow`. `TestRelyingPartySession` now runs with `wrapServer` true/false and with two cookie handlers, one static and one request aware. The request aware handler extracts encryption keys from a secret using a salt from a "login_id" cookie. Signed-off-by: Mark Laing --------- Signed-off-by: Mark Laing --- pkg/client/integration_test.go | 90 +++++++++++++++++++++++++++++----- pkg/client/rp/relying_party.go | 31 ++++++++++-- pkg/http/cookie.go | 80 +++++++++++++++++++++++++++--- 3 files changed, 179 insertions(+), 22 deletions(-) diff --git a/pkg/client/integration_test.go b/pkg/client/integration_test.go index 98a9d3a..746f7c1 100644 --- a/pkg/client/integration_test.go +++ b/pkg/client/integration_test.go @@ -3,6 +3,9 @@ package client_test import ( "bytes" "context" + "crypto/hmac" + cryptoRand "crypto/rand" + "crypto/sha512" "fmt" "io" "log/slog" @@ -18,6 +21,8 @@ import ( "testing" "time" + "github.com/google/uuid" + "github.com/gorilla/securecookie" "github.com/jeremija/gosubmit" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" @@ -42,6 +47,15 @@ var Logger = slog.New( var CTX context.Context +type cookieSpec struct { + cookieHandler *httphelper.CookieHandler + extraCookies []*http.Cookie +} + +var defaultCookieSpec = cookieSpec{ + cookieHandler: httphelper.NewCookieHandler([]byte("test1234test1234"), []byte("test1234test1234"), httphelper.WithUnsecure()), +} + func TestMain(m *testing.M) { os.Exit(func() int { ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGINT) @@ -53,14 +67,65 @@ func TestMain(m *testing.M) { } func TestRelyingPartySession(t *testing.T) { - for _, wrapServer := range []bool{false, true} { - t.Run(fmt.Sprint("wrapServer ", wrapServer), func(t *testing.T) { - testRelyingPartySession(t, wrapServer) - }) + secret := make([]byte, 64) + _, _ = cryptoRand.Read(secret) + hashFunc := sha512.New + requestAwareCookieHandler := httphelper.NewRequestAwareCookieHandler(func(r *http.Request) (*securecookie.SecureCookie, error) { + // Expect a login ID cookie to be set. + loginIDCookie, err := r.Cookie("login_id") + require.NoError(t, err) + + // Login ID cookie will contain a UUID. + loginID, err := uuid.Parse(loginIDCookie.Value) + require.NoError(t, err) + + // Use a HMAC hash of the secret and login ID (salt). + h := hmac.New(hashFunc, secret) + _, err = h.Write(loginID[:]) + require.NoError(t, err) + + // Write a separator for the hash key. + _, err = h.Write([]byte("INTEGRITY")) + require.NoError(t, err) + hash := h.Sum(nil) // 64 bytes + + // Write a separator for the block key. + _, err = h.Write([]byte("ENCRYPTION")) + require.NoError(t, err) + block := h.Sum(nil)[:32] // Sum is 64 bytes but we only want 32 for AES-256. + + return securecookie.New(hash, block), nil + }, httphelper.WithUnsecure()) + + loginID := uuid.New() + loginIDCookie := &http.Cookie{ + Name: "login_id", + Value: loginID.String(), + Secure: false, + SameSite: http.SameSiteLaxMode, + Path: "/", + } + + cookieCases := []cookieSpec{ + defaultCookieSpec, + { + cookieHandler: requestAwareCookieHandler, + extraCookies: []*http.Cookie{ + loginIDCookie, + }, + }, + } + + for _, cookieCase := range cookieCases { + for _, wrapServer := range []bool{false, true} { + t.Run(fmt.Sprint("wrapServer ", wrapServer, " requestAwareCookieHandler ", cookieCase.cookieHandler.IsRequestAware()), func(t *testing.T) { + testRelyingPartySession(t, wrapServer, cookieCase) + }) + } } } -func testRelyingPartySession(t *testing.T, wrapServer bool) { +func testRelyingPartySession(t *testing.T, wrapServer bool, cookieSpec cookieSpec) { t.Log("------- start example OP ------") targetURL := "http://local-site" exampleStorage := storage.NewStorage(storage.NewUserStore(targetURL)) @@ -74,7 +139,7 @@ func testRelyingPartySession(t *testing.T, wrapServer bool) { clientID := t.Name() + "-" + strconv.FormatInt(seed.Int63(), 25) t.Log("------- run authorization code flow ------") - provider, tokens := RunAuthorizationCodeFlow(t, opServer, clientID, "secret") + provider, tokens := RunAuthorizationCodeFlow(t, opServer, clientID, "secret", cookieSpec) t.Log("------- refresh tokens ------") @@ -220,7 +285,7 @@ func testResourceServerTokenExchange(t *testing.T, wrapServer bool) { clientSecret := "secret" t.Log("------- run authorization code flow ------") - provider, tokens := RunAuthorizationCodeFlow(t, opServer, clientID, clientSecret) + provider, tokens := RunAuthorizationCodeFlow(t, opServer, clientID, clientSecret, defaultCookieSpec) resourceServer, err := rs.NewResourceServerClientCredentials(CTX, opServer.URL, clientID, clientSecret) require.NoError(t, err, "new resource server") @@ -275,7 +340,7 @@ func testResourceServerTokenExchange(t *testing.T, wrapServer bool) { require.Nil(t, tokenExchangeResponse, "token exchange response") } -func RunAuthorizationCodeFlow(t *testing.T, opServer *httptest.Server, clientID, clientSecret string) (provider rp.RelyingParty, tokens *oidc.Tokens[*oidc.IDTokenClaims]) { +func RunAuthorizationCodeFlow(t *testing.T, opServer *httptest.Server, clientID, clientSecret string, cookieSpec cookieSpec) (provider rp.RelyingParty, tokens *oidc.Tokens[*oidc.IDTokenClaims]) { targetURL := "http://local-site" localURL, err := url.Parse(targetURL + "/login?requestID=1234") require.NoError(t, err, "local url") @@ -294,8 +359,6 @@ func RunAuthorizationCodeFlow(t *testing.T, opServer *httptest.Server, clientID, } t.Log("------- create RP ------") - key := []byte("test1234test1234") - cookieHandler := httphelper.NewCookieHandler(key, key, httphelper.WithUnsecure()) provider, err = rp.NewRelyingPartyOIDC( CTX, opServer.URL, @@ -303,7 +366,7 @@ func RunAuthorizationCodeFlow(t *testing.T, opServer *httptest.Server, clientID, clientSecret, targetURL, []string{"openid", "email", "profile", "offline_access"}, - rp.WithPKCE(cookieHandler), + rp.WithPKCE(cookieSpec.cookieHandler), rp.WithAuthStyle(oauth2.AuthStyleInHeader), rp.WithVerifierOpts( rp.WithIssuedAtOffset(5*time.Second), @@ -317,6 +380,11 @@ func RunAuthorizationCodeFlow(t *testing.T, opServer *httptest.Server, clientID, state := "state-" + strconv.FormatInt(seed.Int63(), 25) capturedW := httptest.NewRecorder() get := httptest.NewRequest("GET", localURL.String(), nil) + for _, cookie := range cookieSpec.extraCookies { + get.AddCookie(cookie) + http.SetCookie(capturedW, cookie) + } + rp.AuthURLHandler(func() string { return state }, provider, rp.WithPromptURLParam("Hello, World!", "Goodbye, World!"), rp.WithURLParam("custom", "param"), diff --git a/pkg/client/rp/relying_party.go b/pkg/client/rp/relying_party.go index e6fa078..93c5dd0 100644 --- a/pkg/client/rp/relying_party.go +++ b/pkg/client/rp/relying_party.go @@ -410,12 +410,19 @@ func AuthURLHandler(stateFn func() string, rp RelyingParty, urlParam ...URLParam } state := stateFn() - if err := trySetStateCookie(w, state, rp); err != nil { + if err := trySetStateCookie(r, w, state, rp); err != nil { unauthorizedError(w, r, "failed to create state cookie: "+err.Error(), state, rp) return } if rp.IsPKCE() { - codeChallenge, err := GenerateAndStoreCodeChallenge(w, rp) + var codeChallenge string + var err error + if rp.CookieHandler().IsRequestAware() { + codeChallenge, err = GenerateAndStoreCodeChallengeWithRequest(r, w, rp) + } else { + codeChallenge, err = GenerateAndStoreCodeChallenge(w, rp) + } + if err != nil { unauthorizedError(w, r, "failed to create code challenge: "+err.Error(), state, rp) return @@ -436,6 +443,15 @@ func GenerateAndStoreCodeChallenge(w http.ResponseWriter, rp RelyingParty) (stri return oidc.NewSHACodeChallenge(codeVerifier), nil } +// GenerateAndStoreCodeChallenge generates a PKCE code challenge and stores its verifier into a secure cookie +func GenerateAndStoreCodeChallengeWithRequest(r *http.Request, w http.ResponseWriter, rp RelyingParty) (string, error) { + codeVerifier := base64.RawURLEncoding.EncodeToString([]byte(uuid.New().String())) + if err := rp.CookieHandler().SetRequestAwareCookie(r, w, pkceCode, codeVerifier); err != nil { + return "", err + } + return oidc.NewSHACodeChallenge(codeVerifier), nil +} + // ErrMissingIDToken is returned when an id_token was expected, // but not received in the token response. var ErrMissingIDToken = errors.New("id_token missing") @@ -607,9 +623,16 @@ func Userinfo[U SubjectGetter](ctx context.Context, token, tokenType, subject st return userinfo, nil } -func trySetStateCookie(w http.ResponseWriter, state string, rp RelyingParty) error { +func trySetStateCookie(r *http.Request, w http.ResponseWriter, state string, rp RelyingParty) error { if rp.CookieHandler() != nil { - if err := rp.CookieHandler().SetCookie(w, stateParam, state); err != nil { + var err error + if rp.CookieHandler().IsRequestAware() { + err = rp.CookieHandler().SetRequestAwareCookie(r, w, stateParam, state) + } else { + err = rp.CookieHandler().SetCookie(w, stateParam, state) + } + + if err != nil { return err } } diff --git a/pkg/http/cookie.go b/pkg/http/cookie.go index 1ebc9e2..7724aeb 100644 --- a/pkg/http/cookie.go +++ b/pkg/http/cookie.go @@ -8,12 +8,13 @@ import ( ) type CookieHandler struct { - securecookie *securecookie.SecureCookie - secureOnly bool - sameSite http.SameSite - maxAge int - domain string - path string + securecookie *securecookie.SecureCookie + secureCookieFunc func(r *http.Request) (*securecookie.SecureCookie, error) + secureOnly bool + sameSite http.SameSite + maxAge int + domain string + path string } func NewCookieHandler(hashKey, encryptKey []byte, opts ...CookieHandlerOpt) *CookieHandler { @@ -30,6 +31,21 @@ func NewCookieHandler(hashKey, encryptKey []byte, opts ...CookieHandlerOpt) *Coo return c } +func NewRequestAwareCookieHandler(secureCookieFunc func(r *http.Request) (*securecookie.SecureCookie, error), opts ...CookieHandlerOpt) *CookieHandler { + c := &CookieHandler{ + secureCookieFunc: secureCookieFunc, + secureOnly: true, + sameSite: http.SameSiteLaxMode, + path: "/", + } + + for _, opt := range opts { + opt(c) + } + + return c +} + type CookieHandlerOpt func(*CookieHandler) func WithUnsecure() CookieHandlerOpt { @@ -47,6 +63,10 @@ func WithSameSite(sameSite http.SameSite) CookieHandlerOpt { func WithMaxAge(maxAge int) CookieHandlerOpt { return func(c *CookieHandler) { c.maxAge = maxAge + if c.IsRequestAware() { + return + } + c.securecookie.MaxAge(maxAge) } } @@ -68,8 +88,17 @@ func (c *CookieHandler) CheckCookie(r *http.Request, name string) (string, error if err != nil { return "", err } + + secureCookie := c.securecookie + if c.IsRequestAware() { + secureCookie, err = c.secureCookieFunc(r) + if err != nil { + return "", err + } + } + var value string - if err := c.securecookie.Decode(name, cookie.Value, &value); err != nil { + if err := secureCookie.Decode(name, cookie.Value, &value); err != nil { return "", err } return value, nil @@ -87,6 +116,10 @@ func (c *CookieHandler) CheckQueryCookie(r *http.Request, name string) (string, } func (c *CookieHandler) SetCookie(w http.ResponseWriter, name, value string) error { + if c.IsRequestAware() { + return errors.New("Cookie handler is request aware") + } + encoded, err := c.securecookie.Encode(name, value) if err != nil { return err @@ -104,6 +137,35 @@ func (c *CookieHandler) SetCookie(w http.ResponseWriter, name, value string) err return nil } +func (c *CookieHandler) SetRequestAwareCookie(r *http.Request, w http.ResponseWriter, name string, value string) error { + if !c.IsRequestAware() { + return errors.New("Cookie handler is not request aware") + } + + secureCookie, err := c.secureCookieFunc(r) + if err != nil { + return err + } + + encoded, err := secureCookie.Encode(name, value) + if err != nil { + return err + } + + http.SetCookie(w, &http.Cookie{ + Name: name, + Value: encoded, + Domain: c.domain, + Path: c.path, + MaxAge: c.maxAge, + HttpOnly: true, + Secure: c.secureOnly, + SameSite: c.sameSite, + }) + + return nil +} + func (c *CookieHandler) DeleteCookie(w http.ResponseWriter, name string) { http.SetCookie(w, &http.Cookie{ Name: name, @@ -116,3 +178,7 @@ func (c *CookieHandler) DeleteCookie(w http.ResponseWriter, name string) { SameSite: c.sameSite, }) } + +func (c *CookieHandler) IsRequestAware() bool { + return c.secureCookieFunc != nil +} From 11614213cc4d5209f90f0ebdb45b6e0a5a174151 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 16 Jul 2025 11:46:04 +0000 Subject: [PATCH 6/6] chore(deps): bump golang.org/x/text from 0.26.0 to 0.27.0 (#767) Bumps [golang.org/x/text](https://github.com/golang/text) from 0.26.0 to 0.27.0.
Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang.org/x/text&package-manager=go_modules&previous-version=0.26.0&new-version=0.27.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index b4edee5..e4536d2 100644 --- a/go.mod +++ b/go.mod @@ -21,8 +21,9 @@ require ( github.com/zitadel/logging v0.6.2 github.com/zitadel/schema v1.3.1 go.opentelemetry.io/otel v1.29.0 + go.opentelemetry.io/otel/trace v1.29.0 golang.org/x/oauth2 v0.30.0 - golang.org/x/text v0.26.0 + golang.org/x/text v0.27.0 ) require ( @@ -32,7 +33,6 @@ require ( github.com/google/go-querystring v1.1.0 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect go.opentelemetry.io/otel/metric v1.29.0 // indirect - go.opentelemetry.io/otel/trace v1.29.0 // indirect golang.org/x/crypto v0.36.0 // indirect golang.org/x/net v0.38.0 // indirect golang.org/x/sys v0.31.0 // indirect diff --git a/go.sum b/go.sum index af97299..6b132e2 100644 --- a/go.sum +++ b/go.sum @@ -88,8 +88,8 @@ golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M= -golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA= +golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4= +golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=