diff --git a/cmd/serve/stub/kratos.yml b/cmd/serve/stub/kratos.yml index 9709c99406e2..8aa5d483ec2a 100644 --- a/cmd/serve/stub/kratos.yml +++ b/cmd/serve/stub/kratos.yml @@ -10,7 +10,7 @@ serve: selfservice: default_browser_return_url: http://127.0.0.1:4455/ - whitelisted_return_urls: + allowed_return_urls: - http://127.0.0.1:4455 methods: diff --git a/contrib/quickstart/kratos/cloud/kratos.yml b/contrib/quickstart/kratos/cloud/kratos.yml index 75a1a0e0cc67..4b55eda44ca1 100644 --- a/contrib/quickstart/kratos/cloud/kratos.yml +++ b/contrib/quickstart/kratos/cloud/kratos.yml @@ -12,7 +12,7 @@ serve: selfservice: default_browser_return_url: http://localhost:4455/ui/welcome - whitelisted_return_urls: + allowed_return_urls: - http://localhost:4455 methods: diff --git a/contrib/quickstart/kratos/email-password/kratos.yml b/contrib/quickstart/kratos/email-password/kratos.yml index a12b7025fe5f..5ad3e5a0b4b5 100644 --- a/contrib/quickstart/kratos/email-password/kratos.yml +++ b/contrib/quickstart/kratos/email-password/kratos.yml @@ -12,7 +12,7 @@ serve: selfservice: default_browser_return_url: http://127.0.0.1:4455/ - whitelisted_return_urls: + allowed_return_urls: - http://127.0.0.1:4455 methods: diff --git a/driver/config/config.go b/driver/config/config.go index e90aa8ac9c88..87dcf216e041 100644 --- a/driver/config/config.go +++ b/driver/config/config.go @@ -110,7 +110,7 @@ const ( ViperKeyCookiePath = "cookies.path" ViperKeySelfServiceStrategyConfig = "selfservice.methods" ViperKeySelfServiceBrowserDefaultReturnTo = "selfservice." + DefaultBrowserReturnURL - ViperKeyURLsWhitelistedReturnToDomains = "selfservice.whitelisted_return_urls" + ViperKeyURLsAllowedReturnToDomains = "selfservice.allowed_return_urls" ViperKeySelfServiceRegistrationEnabled = "selfservice.flows.registration.enabled" ViperKeySelfServiceRegistrationUI = "selfservice.flows.registration.ui_url" ViperKeySelfServiceRegistrationRequestLifespan = "selfservice.flows.registration.lifespan" @@ -823,8 +823,8 @@ func (p *Config) SessionPersistentCookie() bool { return p.p.Bool(ViperKeySessionPersistentCookie) } -func (p *Config) SelfServiceBrowserWhitelistedReturnToDomains() (us []url.URL) { - src := p.p.Strings(ViperKeyURLsWhitelistedReturnToDomains) +func (p *Config) SelfServiceBrowserAllowedReturnToDomains() (us []url.URL) { + src := p.p.Strings(ViperKeyURLsAllowedReturnToDomains) for k, u := range src { if len(u) == 0 { continue @@ -832,11 +832,11 @@ func (p *Config) SelfServiceBrowserWhitelistedReturnToDomains() (us []url.URL) { parsed, err := url.ParseRequestURI(u) if err != nil { - p.l.WithError(err).Warnf("Ignoring URL \"%s\" from configuration key \"%s.%d\".", u, ViperKeyURLsWhitelistedReturnToDomains, k) + p.l.WithError(err).Warnf("Ignoring URL \"%s\" from configuration key \"%s.%d\".", u, ViperKeyURLsAllowedReturnToDomains, k) continue } if parsed.Host == "*" { - p.l.Warnf("Ignoring wildcard \"%s\" from configuration key \"%s.%d\".", u, ViperKeyURLsWhitelistedReturnToDomains, k) + p.l.Warnf("Ignoring wildcard \"%s\" from configuration key \"%s.%d\".", u, ViperKeyURLsAllowedReturnToDomains, k) continue } eTLD, icann := publicsuffix.PublicSuffix(parsed.Host) @@ -844,7 +844,7 @@ func (p *Config) SelfServiceBrowserWhitelistedReturnToDomains() (us []url.URL) { parsed.Host[:1] == "*" && icann && parsed.Host == fmt.Sprintf("*.%s", eTLD) { - p.l.Warnf("Ignoring wildcard \"%s\" from configuration key \"%s.%d\".", u, ViperKeyURLsWhitelistedReturnToDomains, k) + p.l.Warnf("Ignoring wildcard \"%s\" from configuration key \"%s.%d\".", u, ViperKeyURLsAllowedReturnToDomains, k) continue } diff --git a/driver/config/config_test.go b/driver/config/config_test.go index f3d6b259a080..99c1da66ce0d 100644 --- a/driver/config/config_test.go +++ b/driver/config/config_test.go @@ -64,7 +64,7 @@ func TestViperProvider(t *testing.T) { assert.Equal(t, "http://public.kratos.ory.sh", p.SelfPublicURL().String()) var ds []string - for _, v := range p.SelfServiceBrowserWhitelistedReturnToDomains() { + for _, v := range p.SelfServiceBrowserAllowedReturnToDomains() { ds = append(ds, v.String()) } diff --git a/driver/config/stub/.kratos.yaml b/driver/config/stub/.kratos.yaml index 8225bbd4668b..836c600503eb 100644 --- a/driver/config/stub/.kratos.yaml +++ b/driver/config/stub/.kratos.yaml @@ -49,7 +49,7 @@ ciphers: selfservice: default_browser_return_url: http://return-to-3-test.ory.sh/ - whitelisted_return_urls: + allowed_return_urls: - http://return-to-1-test.ory.sh/ - http://return-to-2-test.ory.sh/ - http://*.wildcards.ory.sh diff --git a/embedx/config.schema.json b/embedx/config.schema.json index a5c1f92ac928..6ce2327a885b 100644 --- a/embedx/config.schema.json +++ b/embedx/config.schema.json @@ -912,8 +912,8 @@ "default_browser_return_url": { "$ref": "#/definitions/defaultReturnTo" }, - "whitelisted_return_urls": { - "title": "Whitelisted Return To URLs", + "allowed_return_urls": { + "title": "Allowed Return To URLs", "description": "List of URLs that are allowed to be redirected to. A redirection request is made by appending `?return_to=...` to Login, Registration, and other self-service flows.", "type": "array", "items": { diff --git a/examples/go/pkg/stub/kratos.yaml b/examples/go/pkg/stub/kratos.yaml index 9fe98ca930e9..74d50f42da38 100644 --- a/examples/go/pkg/stub/kratos.yaml +++ b/examples/go/pkg/stub/kratos.yaml @@ -9,7 +9,7 @@ serve: selfservice: default_browser_return_url: http://127.0.0.1:4455/ - whitelisted_return_urls: + allowed_return_urls: - http://127.0.0.1:4455 methods: diff --git a/selfservice/flow/login/flow.go b/selfservice/flow/login/flow.go index 6a912fc044ba..98963f59f1ec 100644 --- a/selfservice/flow/login/flow.go +++ b/selfservice/flow/login/flow.go @@ -112,7 +112,7 @@ func NewFlow(conf *config.Config, exp time.Duration, csrf string, r *http.Reques _, err := x.SecureRedirectTo(r, conf.SelfServiceBrowserDefaultReturnTo(), x.SecureRedirectUseSourceURL(requestURL), - x.SecureRedirectAllowURLs(conf.SelfServiceBrowserWhitelistedReturnToDomains()), + x.SecureRedirectAllowURLs(conf.SelfServiceBrowserAllowedReturnToDomains()), x.SecureRedirectAllowSelfServiceURLs(conf.SelfPublicURL()), ) if err != nil { diff --git a/selfservice/flow/login/handler.go b/selfservice/flow/login/handler.go index bb8224b19438..722316f93e83 100644 --- a/selfservice/flow/login/handler.go +++ b/selfservice/flow/login/handler.go @@ -327,7 +327,7 @@ func (h *Handler) initBrowserFlow(w http.ResponseWriter, r *http.Request, ps htt if errors.Is(err, ErrAlreadyLoggedIn) { returnTo, redirErr := x.SecureRedirectTo(r, h.d.Config(r.Context()).SelfServiceBrowserDefaultReturnTo(), x.SecureRedirectAllowSelfServiceURLs(h.d.Config(r.Context()).SelfPublicURL()), - x.SecureRedirectAllowURLs(h.d.Config(r.Context()).SelfServiceBrowserWhitelistedReturnToDomains()), + x.SecureRedirectAllowURLs(h.d.Config(r.Context()).SelfServiceBrowserAllowedReturnToDomains()), ) if redirErr != nil { h.d.SelfServiceErrorManager().Forward(r.Context(), w, r, redirErr) diff --git a/selfservice/flow/login/handler_test.go b/selfservice/flow/login/handler_test.go index 7dbf63086b67..6f1b40a9644f 100644 --- a/selfservice/flow/login/handler_test.go +++ b/selfservice/flow/login/handler_test.go @@ -553,7 +553,7 @@ func TestGetFlow(t *testing.T) { }) t.Run("case=expired with return_to", func(t *testing.T) { - conf.MustSet(config.ViperKeyURLsWhitelistedReturnToDomains, []string{"https://www.ory.sh/"}) + conf.MustSet(config.ViperKeyURLsAllowedReturnToDomains, []string{"https://www.ory.sh/"}) client := testhelpers.NewClientWithCookies(t) setupLoginUI(t, client) diff --git a/selfservice/flow/login/hook.go b/selfservice/flow/login/hook.go index eb8238afa5e5..53bf0c37d141 100644 --- a/selfservice/flow/login/hook.go +++ b/selfservice/flow/login/hook.go @@ -83,7 +83,7 @@ func (e *HookExecutor) PostLoginHook(w http.ResponseWriter, r *http.Request, a * c := e.d.Config(r.Context()) returnTo, err := x.SecureRedirectTo(r, c.SelfServiceBrowserDefaultReturnTo(), x.SecureRedirectUseSourceURL(a.RequestURL), - x.SecureRedirectAllowURLs(c.SelfServiceBrowserWhitelistedReturnToDomains()), + x.SecureRedirectAllowURLs(c.SelfServiceBrowserAllowedReturnToDomains()), x.SecureRedirectAllowSelfServiceURLs(c.SelfPublicURL()), x.SecureRedirectOverrideDefaultReturnTo(e.d.Config(r.Context()).SelfServiceFlowLoginReturnTo(a.Active.String())), ) diff --git a/selfservice/flow/login/hook_test.go b/selfservice/flow/login/hook_test.go index 12e9ba108e2f..b8db229e3fcc 100644 --- a/selfservice/flow/login/hook_test.go +++ b/selfservice/flow/login/hook_test.go @@ -99,7 +99,7 @@ func TestLoginExecutor(t *testing.T) { t.Run("case=use return_to value", func(t *testing.T) { t.Cleanup(testhelpers.SelfServiceHookConfigReset(t, conf)) - conf.MustSet(config.ViperKeyURLsWhitelistedReturnToDomains, []string{"https://www.ory.sh/"}) + conf.MustSet(config.ViperKeyURLsAllowedReturnToDomains, []string{"https://www.ory.sh/"}) res, _ := makeRequestPost(t, newServer(t, flow.TypeBrowser, nil), false, url.Values{"return_to": {"https://www.ory.sh/kratos/"}}) assert.EqualValues(t, http.StatusOK, res.StatusCode) diff --git a/selfservice/flow/logout/handler.go b/selfservice/flow/logout/handler.go index c19f267a37ae..6bb64f86b07d 100644 --- a/selfservice/flow/logout/handler.go +++ b/selfservice/flow/logout/handler.go @@ -273,7 +273,7 @@ func (h *Handler) completeLogout(w http.ResponseWriter, r *http.Request) { ret, err := x.SecureRedirectTo(r, h.d.Config(r.Context()).SelfServiceFlowLogoutRedirectURL(), x.SecureRedirectUseSourceURL(r.RequestURI), - x.SecureRedirectAllowURLs(h.d.Config(r.Context()).SelfServiceBrowserWhitelistedReturnToDomains()), + x.SecureRedirectAllowURLs(h.d.Config(r.Context()).SelfServiceBrowserAllowedReturnToDomains()), x.SecureRedirectAllowSelfServiceURLs(h.d.Config(r.Context()).SelfPublicURL()), ) if err != nil { diff --git a/selfservice/flow/recovery/flow.go b/selfservice/flow/recovery/flow.go index 7b622af0c800..ba242732c5ed 100644 --- a/selfservice/flow/recovery/flow.go +++ b/selfservice/flow/recovery/flow.go @@ -99,7 +99,7 @@ func NewFlow(conf *config.Config, exp time.Duration, csrf string, r *http.Reques _, err := x.SecureRedirectTo(r, conf.SelfServiceBrowserDefaultReturnTo(), x.SecureRedirectUseSourceURL(requestURL), - x.SecureRedirectAllowURLs(conf.SelfServiceBrowserWhitelistedReturnToDomains()), + x.SecureRedirectAllowURLs(conf.SelfServiceBrowserAllowedReturnToDomains()), x.SecureRedirectAllowSelfServiceURLs(conf.SelfPublicURL()), ) if err != nil { diff --git a/selfservice/flow/recovery/handler_test.go b/selfservice/flow/recovery/handler_test.go index 8af92bb9f2da..f859ae11ce46 100644 --- a/selfservice/flow/recovery/handler_test.go +++ b/selfservice/flow/recovery/handler_test.go @@ -246,7 +246,7 @@ func TestGetFlow(t *testing.T) { }) t.Run("case=expired with return_to", func(t *testing.T) { - conf.MustSet(config.ViperKeyURLsWhitelistedReturnToDomains, []string{"https://www.ory.sh/"}) + conf.MustSet(config.ViperKeyURLsAllowedReturnToDomains, []string{"https://www.ory.sh/"}) client := testhelpers.NewClientWithCookies(t) setupRecoveryTS(t, client) body := x.EasyGetBody(t, client, public.URL+recovery.RouteInitBrowserFlow+"?return_to=https://www.ory.sh") diff --git a/selfservice/flow/registration/flow.go b/selfservice/flow/registration/flow.go index ab68a6d349ff..f5027d81f474 100644 --- a/selfservice/flow/registration/flow.go +++ b/selfservice/flow/registration/flow.go @@ -89,7 +89,7 @@ func NewFlow(conf *config.Config, exp time.Duration, csrf string, r *http.Reques _, err := x.SecureRedirectTo(r, conf.SelfServiceBrowserDefaultReturnTo(), x.SecureRedirectUseSourceURL(requestURL), - x.SecureRedirectAllowURLs(conf.SelfServiceBrowserWhitelistedReturnToDomains()), + x.SecureRedirectAllowURLs(conf.SelfServiceBrowserAllowedReturnToDomains()), x.SecureRedirectAllowSelfServiceURLs(conf.SelfPublicURL()), ) if err != nil { diff --git a/selfservice/flow/registration/handler_test.go b/selfservice/flow/registration/handler_test.go index 14b067f75aea..f00a55b04e0c 100644 --- a/selfservice/flow/registration/handler_test.go +++ b/selfservice/flow/registration/handler_test.go @@ -303,7 +303,7 @@ func TestGetFlow(t *testing.T) { }) t.Run("case=expired with return_to", func(t *testing.T) { - conf.MustSet(config.ViperKeyURLsWhitelistedReturnToDomains, []string{"https://www.ory.sh/"}) + conf.MustSet(config.ViperKeyURLsAllowedReturnToDomains, []string{"https://www.ory.sh/"}) client := testhelpers.NewClientWithCookies(t) setupRegistrationUI(t, client) body := x.EasyGetBody(t, client, public.URL+registration.RouteInitBrowserFlow+"?return_to=https://www.ory.sh") diff --git a/selfservice/flow/registration/hook.go b/selfservice/flow/registration/hook.go index 8c043c8ecbea..2ab457c76232 100644 --- a/selfservice/flow/registration/hook.go +++ b/selfservice/flow/registration/hook.go @@ -129,7 +129,7 @@ func (e *HookExecutor) PostRegistrationHook(w http.ResponseWriter, r *http.Reque c := e.d.Config(r.Context()) returnTo, err := x.SecureRedirectTo(r, c.SelfServiceBrowserDefaultReturnTo(), x.SecureRedirectUseSourceURL(a.RequestURL), - x.SecureRedirectAllowURLs(c.SelfServiceBrowserWhitelistedReturnToDomains()), + x.SecureRedirectAllowURLs(c.SelfServiceBrowserAllowedReturnToDomains()), x.SecureRedirectAllowSelfServiceURLs(c.SelfPublicURL()), x.SecureRedirectOverrideDefaultReturnTo(c.SelfServiceFlowRegistrationReturnTo(ct.String())), ) diff --git a/selfservice/flow/registration/hook_test.go b/selfservice/flow/registration/hook_test.go index 8050bf3309de..2aa4398949df 100644 --- a/selfservice/flow/registration/hook_test.go +++ b/selfservice/flow/registration/hook_test.go @@ -100,7 +100,7 @@ func TestRegistrationExecutor(t *testing.T) { t.Run("case=use return_to value", func(t *testing.T) { t.Cleanup(testhelpers.SelfServiceHookConfigReset(t, conf)) - conf.MustSet(config.ViperKeyURLsWhitelistedReturnToDomains, []string{"https://www.ory.sh/"}) + conf.MustSet(config.ViperKeyURLsAllowedReturnToDomains, []string{"https://www.ory.sh/"}) res, _ := makeRequestPost(t, newServer(t, nil, flow.TypeBrowser), false, url.Values{"return_to": {"https://www.ory.sh/kratos/"}}) assert.EqualValues(t, http.StatusOK, res.StatusCode) @@ -118,7 +118,7 @@ func TestRegistrationExecutor(t *testing.T) { t.Run("case=use nested config value", func(t *testing.T) { t.Cleanup(testhelpers.SelfServiceHookConfigReset(t, conf)) - conf.MustSet(config.ViperKeyURLsWhitelistedReturnToDomains, []string{"https://www.ory.sh/kratos"}) + conf.MustSet(config.ViperKeyURLsAllowedReturnToDomains, []string{"https://www.ory.sh/kratos"}) testhelpers.SelfServiceHookRegistrationSetDefaultRedirectTo(t, conf, "https://www.ory.sh/not-kratos") testhelpers.SelfServiceHookRegistrationSetDefaultRedirectToStrategy(t, conf, strategy, "https://www.ory.sh/kratos") diff --git a/selfservice/flow/settings/error_test.go b/selfservice/flow/settings/error_test.go index 6edf17ebe381..9a7f8cefefc4 100644 --- a/selfservice/flow/settings/error_test.go +++ b/selfservice/flow/settings/error_test.go @@ -326,7 +326,7 @@ func TestHandleError(t *testing.T) { }) t.Run("case=session old error", func(t *testing.T) { - conf.MustSet(config.ViperKeyURLsWhitelistedReturnToDomains, []string{urlx.AppendPaths(conf.SelfPublicURL(), "/error").String()}) + conf.MustSet(config.ViperKeyURLsAllowedReturnToDomains, []string{urlx.AppendPaths(conf.SelfPublicURL(), "/error").String()}) t.Cleanup(reset) settingsFlow = &settings.Flow{Type: flow.TypeBrowser} diff --git a/selfservice/flow/settings/flow.go b/selfservice/flow/settings/flow.go index aecfe3bda928..d65568019bc2 100644 --- a/selfservice/flow/settings/flow.go +++ b/selfservice/flow/settings/flow.go @@ -125,7 +125,7 @@ func NewFlow(conf *config.Config, exp time.Duration, r *http.Request, i *identit _, err := x.SecureRedirectTo(r, conf.SelfServiceBrowserDefaultReturnTo(), x.SecureRedirectUseSourceURL(requestURL), - x.SecureRedirectAllowURLs(conf.SelfServiceBrowserWhitelistedReturnToDomains()), + x.SecureRedirectAllowURLs(conf.SelfServiceBrowserAllowedReturnToDomains()), x.SecureRedirectAllowSelfServiceURLs(conf.SelfPublicURL()), ) if err != nil { diff --git a/selfservice/flow/settings/handler_test.go b/selfservice/flow/settings/handler_test.go index edac602411a2..0aab2fb9d52c 100644 --- a/selfservice/flow/settings/handler_test.go +++ b/selfservice/flow/settings/handler_test.go @@ -223,7 +223,7 @@ func TestHandler(t *testing.T) { }) t.Run("case=expired with return_to", func(t *testing.T) { - conf.MustSet(config.ViperKeyURLsWhitelistedReturnToDomains, []string{"https://www.ory.sh/"}) + conf.MustSet(config.ViperKeyURLsAllowedReturnToDomains, []string{"https://www.ory.sh/"}) client := testhelpers.NewHTTPClientWithArbitrarySessionToken(t, reg) body := x.EasyGetBody(t, client, publicTS.URL+settings.RouteInitBrowserFlow+"?return_to=https://www.ory.sh") diff --git a/selfservice/flow/settings/hook.go b/selfservice/flow/settings/hook.go index 86bcacc5e70f..f80d6825e281 100644 --- a/selfservice/flow/settings/hook.go +++ b/selfservice/flow/settings/hook.go @@ -106,7 +106,7 @@ func (e *HookExecutor) PostSettingsHook(w http.ResponseWriter, r *http.Request, c := e.d.Config(r.Context()) returnTo, err := x.SecureRedirectTo(r, c.SelfServiceBrowserDefaultReturnTo(), x.SecureRedirectUseSourceURL(ctxUpdate.Flow.RequestURL), - x.SecureRedirectAllowURLs(c.SelfServiceBrowserWhitelistedReturnToDomains()), + x.SecureRedirectAllowURLs(c.SelfServiceBrowserAllowedReturnToDomains()), x.SecureRedirectAllowSelfServiceURLs(c.SelfPublicURL()), x.SecureRedirectOverrideDefaultReturnTo( e.d.Config(r.Context()).SelfServiceFlowSettingsReturnTo(settingsType, diff --git a/selfservice/flow/settings/hook_test.go b/selfservice/flow/settings/hook_test.go index f384d9f9456e..27b61a38c10e 100644 --- a/selfservice/flow/settings/hook_test.go +++ b/selfservice/flow/settings/hook_test.go @@ -101,7 +101,7 @@ func TestSettingsExecutor(t *testing.T) { t.Run("case=use return_to value", func(t *testing.T) { t.Cleanup(testhelpers.SelfServiceHookConfigReset(t, conf)) - conf.MustSet(config.ViperKeyURLsWhitelistedReturnToDomains, []string{"https://www.ory.sh/"}) + conf.MustSet(config.ViperKeyURLsAllowedReturnToDomains, []string{"https://www.ory.sh/"}) testhelpers.SelfServiceHookSettingsSetDefaultRedirectTo(t, conf, "https://www.ory.sh") res, _ := makeRequestPost(t, newServer(t, flow.TypeBrowser), false, url.Values{"return_to": {"https://www.ory.sh/kratos/"}}) diff --git a/selfservice/flow/verification/flow.go b/selfservice/flow/verification/flow.go index db9cc671705c..e2697fcfa6a8 100644 --- a/selfservice/flow/verification/flow.go +++ b/selfservice/flow/verification/flow.go @@ -103,7 +103,7 @@ func NewFlow(conf *config.Config, exp time.Duration, csrf string, r *http.Reques _, err := x.SecureRedirectTo(r, conf.SelfServiceBrowserDefaultReturnTo(), x.SecureRedirectUseSourceURL(requestURL), - x.SecureRedirectAllowURLs(conf.SelfServiceBrowserWhitelistedReturnToDomains()), + x.SecureRedirectAllowURLs(conf.SelfServiceBrowserAllowedReturnToDomains()), x.SecureRedirectAllowSelfServiceURLs(conf.SelfPublicURL()), ) if err != nil { diff --git a/selfservice/flow/verification/handler_test.go b/selfservice/flow/verification/handler_test.go index d4c8e8c194d5..24bf899fd6c9 100644 --- a/selfservice/flow/verification/handler_test.go +++ b/selfservice/flow/verification/handler_test.go @@ -109,7 +109,7 @@ func TestGetFlow(t *testing.T) { }) t.Run("case=expired with return_to", func(t *testing.T) { - conf.MustSet(config.ViperKeyURLsWhitelistedReturnToDomains, []string{"https://www.ory.sh/"}) + conf.MustSet(config.ViperKeyURLsAllowedReturnToDomains, []string{"https://www.ory.sh/"}) client := testhelpers.NewClientWithCookies(t) _ = setupVerificationUI(t, client) diff --git a/selfservice/strategy/link/strategy_test.go b/selfservice/strategy/link/strategy_test.go index 592e10a4322b..8bf112d322c1 100644 --- a/selfservice/strategy/link/strategy_test.go +++ b/selfservice/strategy/link/strategy_test.go @@ -13,7 +13,7 @@ import ( func initViper(t *testing.T, c *config.Config) { testhelpers.SetDefaultIdentitySchema(c, "file://./stub/default.schema.json") c.MustSet(config.ViperKeySelfServiceBrowserDefaultReturnTo, "https://www.ory.sh") - c.MustSet(config.ViperKeyURLsWhitelistedReturnToDomains, []string{"https://www.ory.sh"}) + c.MustSet(config.ViperKeyURLsAllowedReturnToDomains, []string{"https://www.ory.sh"}) c.MustSet(config.ViperKeySelfServiceStrategyConfig+"."+identity.CredentialsTypePassword.String()+".enabled", true) c.MustSet(config.ViperKeySelfServiceStrategyConfig+"."+recovery.StrategyRecoveryLinkName+".enabled", true) c.MustSet(config.ViperKeySelfServiceRecoveryEnabled, true) diff --git a/selfservice/strategy/link/strategy_verification.go b/selfservice/strategy/link/strategy_verification.go index b83c7e69cfa5..dd89e81bd521 100644 --- a/selfservice/strategy/link/strategy_verification.go +++ b/selfservice/strategy/link/strategy_verification.go @@ -257,7 +257,7 @@ func (s *Strategy) verificationUseToken(w http.ResponseWriter, r *http.Request, returnTo, err := x.SecureRedirectTo(&verificationRequest, defaultRedirectURL, x.SecureRedirectAllowSelfServiceURLs(s.d.Config(r.Context()).SelfPublicURL()), - x.SecureRedirectAllowURLs(s.d.Config(r.Context()).SelfServiceBrowserWhitelistedReturnToDomains()), + x.SecureRedirectAllowURLs(s.d.Config(r.Context()).SelfServiceBrowserAllowedReturnToDomains()), ) if err != nil { s.d.Logger().Debugf("error parsing redirectTo from verification: %s\n", err) diff --git a/selfservice/strategy/link/strategy_verification_test.go b/selfservice/strategy/link/strategy_verification_test.go index 8348b38b9089..b0d10a45ee5b 100644 --- a/selfservice/strategy/link/strategy_verification_test.go +++ b/selfservice/strategy/link/strategy_verification_test.go @@ -357,7 +357,7 @@ func TestVerification(t *testing.T) { t.Run("case=respects return_to URI parameter", func(t *testing.T) { returnToURL := public.URL + "/after-verification" - conf.MustSet(config.ViperKeyURLsWhitelistedReturnToDomains, []string{returnToURL}) + conf.MustSet(config.ViperKeyURLsAllowedReturnToDomains, []string{returnToURL}) client := &http.Client{ CheckRedirect: func(req *http.Request, via []*http.Request) error { return http.ErrUseLastResponse diff --git a/selfservice/strategy/totp/login_test.go b/selfservice/strategy/totp/login_test.go index aedd9c132053..5ad61e6db051 100644 --- a/selfservice/strategy/totp/login_test.go +++ b/selfservice/strategy/totp/login_test.go @@ -82,7 +82,7 @@ func TestCompleteLogin(t *testing.T) { conf, reg := internal.NewFastRegistryWithMocks(t) conf.MustSet(config.ViperKeySelfServiceStrategyConfig+"."+string(identity.CredentialsTypePassword), map[string]interface{}{"enabled": true}) conf.MustSet(config.ViperKeySelfServiceStrategyConfig+"."+string(identity.CredentialsTypeTOTP), map[string]interface{}{"enabled": true}) - conf.MustSet(config.ViperKeyURLsWhitelistedReturnToDomains, []string{"https://www.ory.sh"}) + conf.MustSet(config.ViperKeyURLsAllowedReturnToDomains, []string{"https://www.ory.sh"}) router := x.NewRouterPublic() publicTS, _ := testhelpers.NewKratosServerWithRouters(t, reg, router, x.NewRouterAdmin()) diff --git a/test/e2e/cypress/support/commands.ts b/test/e2e/cypress/support/commands.ts index 10baba690773..24138e381795 100644 --- a/test/e2e/cypress/support/commands.ts +++ b/test/e2e/cypress/support/commands.ts @@ -567,7 +567,7 @@ Cypress.Commands.add('longRegisterLifespan', ({} = {}) => { Cypress.Commands.add('browserReturnUrlOry', ({} = {}) => { updateConfigFile((config) => { - config.selfservice.whitelisted_return_urls = ['https://www.ory.sh/'] + config.selfservice.allowed_return_urls = ['https://www.ory.sh/'] return config }) }) @@ -1063,7 +1063,7 @@ Cypress.Commands.add( cy.location('pathname').should('contain', 'error') cy.get('code').should( 'contain.text', - 'Requested return_to URL \\"https://not-allowed\\" is not whitelisted.' + 'Requested return_to URL \\"https://not-allowed\\" is not allowed.' ) } } diff --git a/test/e2e/profiles/kratos.base.yml b/test/e2e/profiles/kratos.base.yml index 981c3e6a3cf9..06a94597defd 100644 --- a/test/e2e/profiles/kratos.base.yml +++ b/test/e2e/profiles/kratos.base.yml @@ -8,7 +8,7 @@ secrets: selfservice: default_browser_return_url: http://localhost:4455/ - whitelisted_return_urls: + allowed_return_urls: - http://localhost:4455 - https://www.ory.sh/ - https://example.org/ diff --git a/test/schema/fixtures/config.schema.test.failure/root.invalidTypes.yaml b/test/schema/fixtures/config.schema.test.failure/root.invalidTypes.yaml index 1f0429caad01..eee757e4f0e3 100644 --- a/test/schema/fixtures/config.schema.test.failure/root.invalidTypes.yaml +++ b/test/schema/fixtures/config.schema.test.failure/root.invalidTypes.yaml @@ -53,7 +53,7 @@ urls: default_return_to: 1 registration_ui: 1 error_ui: 1 - whitelisted_return_to_urls: + allowed_return_urls: - 1 - 1 diff --git a/test/schema/fixtures/config.schema.test.success/root.full.yml b/test/schema/fixtures/config.schema.test.success/root.full.yml index 5d20df190c5d..1d4ca48306a1 100644 --- a/test/schema/fixtures/config.schema.test.success/root.full.yml +++ b/test/schema/fixtures/config.schema.test.success/root.full.yml @@ -1,7 +1,7 @@ selfservice: default_browser_return_url: "#/definitions/defaultReturnTo" - whitelisted_return_urls: + allowed_return_urls: - https://foo.bar - /dashboard diff --git a/x/http_secure_redirect.go b/x/http_secure_redirect.go index b298b14e18cb..63fa88ddc592 100644 --- a/x/http_secure_redirect.go +++ b/x/http_secure_redirect.go @@ -18,17 +18,17 @@ import ( ) type secureRedirectOptions struct { - whitelist []url.URL + allowlist []url.URL defaultReturnTo *url.URL sourceURL string } type SecureRedirectOption func(*secureRedirectOptions) -// SecureRedirectAllowURLs whitelists the given URLs for redirects. +// SecureRedirectAllowURLs allows the given URLs for redirects. func SecureRedirectAllowURLs(urls []url.URL) SecureRedirectOption { return func(o *secureRedirectOptions) { - o.whitelist = append(o.whitelist, urls...) + o.allowlist = append(o.allowlist, urls...) } } @@ -45,7 +45,7 @@ func SecureRedirectUseSourceURL(source string) SecureRedirectOption { // to the login endpoint, for example. func SecureRedirectAllowSelfServiceURLs(publicURL *url.URL) SecureRedirectOption { return func(o *secureRedirectOptions) { - o.whitelist = append(o.whitelist, *urlx.AppendPaths(publicURL, "/self-service")) + o.allowlist = append(o.allowlist, *urlx.AppendPaths(publicURL, "/self-service")) } } @@ -57,8 +57,8 @@ func SecureRedirectOverrideDefaultReturnTo(defaultReturnTo *url.URL) SecureRedir } } -// SecureRedirectToIsWhitelisted validates if the redirect_to param is allowed for a given wildcard -func SecureRedirectToIsWhiteListedHost(returnTo *url.URL, allowed url.URL) bool { +// SecureRedirectToIsAllowedHost validates if the redirect_to param is allowed for a given wildcard +func SecureRedirectToIsAllowedHost(returnTo *url.URL, allowed url.URL) bool { if allowed.Host != "" && allowed.Host[:1] == "*" { return strings.HasSuffix(strings.ToLower(returnTo.Host), strings.ToLower(allowed.Host)[1:]) } @@ -66,14 +66,14 @@ func SecureRedirectToIsWhiteListedHost(returnTo *url.URL, allowed url.URL) bool } // SecureRedirectTo implements a HTTP redirector who mitigates open redirect vulnerabilities by -// working with whitelisting. +// working with allow lists. func SecureRedirectTo(r *http.Request, defaultReturnTo *url.URL, opts ...SecureRedirectOption) (returnTo *url.URL, err error) { o := &secureRedirectOptions{defaultReturnTo: defaultReturnTo} for _, opt := range opts { opt(o) } - if len(o.whitelist) == 0 { + if len(o.allowlist) == 0 { return o.defaultReturnTo, nil } @@ -95,9 +95,9 @@ func SecureRedirectTo(r *http.Request, defaultReturnTo *url.URL, opts ...SecureR returnTo.Scheme = stringsx.Coalesce(returnTo.Scheme, o.defaultReturnTo.Scheme) var found bool - for _, allowed := range o.whitelist { + for _, allowed := range o.allowlist { if strings.EqualFold(allowed.Scheme, returnTo.Scheme) && - SecureRedirectToIsWhiteListedHost(returnTo, allowed) && + SecureRedirectToIsAllowedHost(returnTo, allowed) && strings.HasPrefix( stringsx.Coalesce(returnTo.Path, "/"), stringsx.Coalesce(allowed.Path, "/")) { @@ -108,8 +108,8 @@ func SecureRedirectTo(r *http.Request, defaultReturnTo *url.URL, opts ...SecureR if !found { return nil, errors.WithStack(herodot.ErrBadRequest. WithID(text.ErrIDRedirectURLNotAllowed). - WithReasonf("Requested return_to URL \"%s\" is not whitelisted.", returnTo). - WithDebugf("Whitelisted domains are: %v", o.whitelist)) + WithReasonf("Requested return_to URL \"%s\" is not allowed.", returnTo). + WithDebugf("Allowed domains are: %v", o.allowlist)) } return returnTo, nil @@ -132,7 +132,7 @@ func SecureContentNegotiationRedirection( ret, err := SecureRedirectTo(r, c.SelfServiceBrowserDefaultReturnTo(), append([]SecureRedirectOption{ SecureRedirectUseSourceURL(requestURL), - SecureRedirectAllowURLs(c.SelfServiceBrowserWhitelistedReturnToDomains()), + SecureRedirectAllowURLs(c.SelfServiceBrowserAllowedReturnToDomains()), SecureRedirectAllowSelfServiceURLs(c.SelfPublicURL()), }, opts...)..., ) diff --git a/x/http_secure_redirect_test.go b/x/http_secure_redirect_test.go index 8596951f28b9..9f1e0ae39847 100644 --- a/x/http_secure_redirect_test.go +++ b/x/http_secure_redirect_test.go @@ -42,7 +42,7 @@ func TestSecureContentNegotiationRedirection(t *testing.T) { defaultReturnTo := ts.URL + "/default-return-to" conf.MustSet(config.ViperKeySelfServiceBrowserDefaultReturnTo, defaultReturnTo) conf.MustSet(config.ViperKeyPublicBaseURL, ts.URL) - conf.MustSet(config.ViperKeyURLsWhitelistedReturnToDomains, []string{ts.URL}) + conf.MustSet(config.ViperKeyURLsAllowedReturnToDomains, []string{ts.URL}) run := func(t *testing.T, href string, contentType string) (*http.Response, string) { req, err := http.NewRequest("GET", href, nil) @@ -73,27 +73,27 @@ func TestSecureContentNegotiationRedirection(t *testing.T) { }) } -func TestSecureRedirectToIsWhiteListedHost(t *testing.T) { +func TestSecureRedirectToIsAllowedHost(t *testing.T) { type testCase struct { - whitelistedURL string - redirectURL string - valid bool + allowedURL string + redirectURL string + valid bool } tests := map[string]testCase{ - "case=Domain is whitelisted": {whitelistedURL: "https://foo.bar", redirectURL: "https://foo.bar/redir", valid: true}, - "case=Domain prefix is whitelisted": {whitelistedURL: "https://*.bar", redirectURL: "https://foo.bar/redir", valid: true}, - "case=Subdomain prefix is whitelisted": {whitelistedURL: "https://*.foo.bar", redirectURL: "https://auth.foo.bar/redir", valid: true}, - "case=Domain is not whitelisted": {whitelistedURL: "https://foo.baz", redirectURL: "https://foo.bar/redir", valid: false}, - "case=Domain wildcard is not whitelisted": {whitelistedURL: "https://*.foo.baz", redirectURL: "https://foo.bar/redir", valid: false}, - "case=Subdomain is not whitelisted": {whitelistedURL: "https://*.foo.baz", redirectURL: "https://auth.foo.bar/redir", valid: false}, + "case=Domain is allowed": {allowedURL: "https://foo.bar", redirectURL: "https://foo.bar/redir", valid: true}, + "case=Domain prefix is allowed": {allowedURL: "https://*.bar", redirectURL: "https://foo.bar/redir", valid: true}, + "case=Subdomain prefix is allowed": {allowedURL: "https://*.foo.bar", redirectURL: "https://auth.foo.bar/redir", valid: true}, + "case=Domain is not allowed": {allowedURL: "https://foo.baz", redirectURL: "https://foo.bar/redir", valid: false}, + "case=Domain wildcard is not allowed": {allowedURL: "https://*.foo.baz", redirectURL: "https://foo.bar/redir", valid: false}, + "case=Subdomain is not allowed": {allowedURL: "https://*.foo.baz", redirectURL: "https://auth.foo.bar/redir", valid: false}, } for name, tc := range tests { t.Run(name, func(t *testing.T) { - whitelistedURL, err := url.Parse(tc.whitelistedURL) + allowedURL, err := url.Parse(tc.allowedURL) require.NoError(t, err) redirectURL, err := url.Parse(tc.redirectURL) require.NoError(t, err) - assert.Equal(t, x.SecureRedirectToIsWhiteListedHost(redirectURL, *whitelistedURL), tc.valid) + assert.Equal(t, x.SecureRedirectToIsAllowedHost(redirectURL, *allowedURL), tc.valid) }) } } @@ -173,7 +173,7 @@ func TestSecureRedirectTo(t *testing.T) { assert.Equal(t, body, "/foo/kratos") }) - t.Run("case=return to a fully qualified domain is forbidden if whitelist is relative", func(t *testing.T) { + t.Run("case=return to a fully qualified domain is forbidden if allowlist is relative", func(t *testing.T) { s := newServer(t, false, true, true, func(ts *httptest.Server) []x.SecureRedirectOption { return []x.SecureRedirectOption{x.SecureRedirectAllowURLs([]url.URL{*urlx.ParseOrPanic("/foo")})} })