From 894a2cc39671fbc9d2c13b1fc1b45b217da5145d Mon Sep 17 00:00:00 2001 From: aeneasr <3372410+aeneasr@users.noreply.github.com> Date: Wed, 5 Jan 2022 15:30:06 +0100 Subject: [PATCH] refactor: deprecate domain aliases BREAKING CHANGES: This patch removes the ability to use domain aliases, an obscure feature rarely used that had several issues and inconsistencies. --- cmd/courier/watch.go | 2 +- cmd/daemon/serve.go | 4 +- docs/docs/guides/multi-domain-cookies.mdx | 55 +-------------- driver/config/config.go | 56 +-------------- driver/config/config_test.go | 60 ++-------------- embedx/config.schema.json | 69 ++++--------------- persistence/sql/persister_identity.go | 2 +- schema/handler.go | 2 +- selfservice/flow/login/flow.go | 4 +- selfservice/flow/login/flow_test.go | 2 +- selfservice/flow/login/handler.go | 6 +- selfservice/flow/login/hook.go | 2 +- selfservice/flow/logout/handler.go | 4 +- selfservice/flow/recovery/error.go | 2 +- selfservice/flow/recovery/flow.go | 4 +- selfservice/flow/recovery/flow_test.go | 2 +- selfservice/flow/recovery/handler.go | 4 +- selfservice/flow/registration/flow.go | 4 +- selfservice/flow/registration/flow_test.go | 2 +- selfservice/flow/registration/handler.go | 4 +- selfservice/flow/registration/hook.go | 2 +- selfservice/flow/settings/error.go | 8 +-- selfservice/flow/settings/error_test.go | 2 +- selfservice/flow/settings/flow.go | 4 +- selfservice/flow/settings/flow_test.go | 2 +- selfservice/flow/settings/handler.go | 4 +- selfservice/flow/settings/hook.go | 2 +- selfservice/flow/verification/error.go | 2 +- selfservice/flow/verification/flow.go | 4 +- selfservice/flow/verification/flow_test.go | 2 +- selfservice/flow/verification/handler.go | 4 +- selfservice/strategy/link/sender.go | 4 +- selfservice/strategy/link/sender_test.go | 8 +-- .../strategy/link/strategy_recovery.go | 6 +- .../strategy/link/strategy_verification.go | 6 +- selfservice/strategy/oidc/strategy.go | 4 +- .../strategy/oidc/strategy_settings.go | 4 +- .../strategy/password/registration_test.go | 9 ++- selfservice/strategy/totp/generator_test.go | 2 +- selfservice/strategy/webauthn/login.go | 2 +- selfservice/strategy/webauthn/settings.go | 2 +- session/handler.go | 2 +- session/manager_http.go | 4 +- session/manager_http_test.go | 10 --- .../root.aliases_invalid_path.yaml | 15 ---- .../root.aliases_invalid_scheme.yaml | 15 ---- .../root.aliases_invalid_secrets.yaml | 22 ------ .../root.aliases_missing_scheme.yaml | 14 ---- .../root.aliases_missing_secrets.yaml | 13 ---- .../root.aliases.yaml | 15 ---- .../root.aliases_http.yaml | 19 ----- .../root.aliases_oasis.yaml | 54 --------------- x/http_secure_redirect.go | 2 +- x/nosurf.go | 4 +- x/nosurf_test.go | 9 --- x/redir.go | 2 +- 56 files changed, 96 insertions(+), 477 deletions(-) delete mode 100644 test/schema/fixtures/config.schema.test.failure/root.aliases_invalid_path.yaml delete mode 100644 test/schema/fixtures/config.schema.test.failure/root.aliases_invalid_scheme.yaml delete mode 100644 test/schema/fixtures/config.schema.test.failure/root.aliases_invalid_secrets.yaml delete mode 100644 test/schema/fixtures/config.schema.test.failure/root.aliases_missing_scheme.yaml delete mode 100644 test/schema/fixtures/config.schema.test.failure/root.aliases_missing_secrets.yaml delete mode 100644 test/schema/fixtures/config.schema.test.success/root.aliases.yaml delete mode 100644 test/schema/fixtures/config.schema.test.success/root.aliases_http.yaml delete mode 100644 test/schema/fixtures/config.schema.test.success/root.aliases_oasis.yaml diff --git a/cmd/courier/watch.go b/cmd/courier/watch.go index 45c515a28068..2776e44b7b34 100644 --- a/cmd/courier/watch.go +++ b/cmd/courier/watch.go @@ -44,7 +44,7 @@ func ServeMetrics(ctx cx.Context, r driver.Registry) { router := x.NewRouterAdmin() r.MetricsHandler().SetRoutes(router.Router) - n.Use(reqlog.NewMiddlewareFromLogger(l, "admin#"+c.SelfPublicURL(nil).String())) + n.Use(reqlog.NewMiddlewareFromLogger(l, "admin#"+c.SelfPublicURL().String())) n.Use(r.PrometheusManager()) if tracer := r.Tracer(ctx); tracer.IsLoaded() { diff --git a/cmd/daemon/serve.go b/cmd/daemon/serve.go index f3124c8c95cd..a66b02941787 100644 --- a/cmd/daemon/serve.go +++ b/cmd/daemon/serve.go @@ -84,7 +84,7 @@ func ServePublic(r driver.Registry, wg *sync.WaitGroup, cmd *cobra.Command, args } publicLogger := reqlog.NewMiddlewareFromLogger( l, - "public#"+c.SelfPublicURL(nil).String(), + "public#"+c.SelfPublicURL().String(), ) if r.Config(ctx).DisablePublicHealthRequestLog() { publicLogger.ExcludePaths(healthx.AliveCheckPath, healthx.ReadyCheckPath) @@ -156,7 +156,7 @@ func ServeAdmin(r driver.Registry, wg *sync.WaitGroup, cmd *cobra.Command, args } adminLogger := reqlog.NewMiddlewareFromLogger( l, - "admin#"+c.SelfPublicURL(nil).String(), + "admin#"+c.SelfPublicURL().String(), ) if r.Config(ctx).DisableAdminHealthRequestLog() { adminLogger.ExcludePaths(healthx.AliveCheckPath, healthx.ReadyCheckPath) diff --git a/docs/docs/guides/multi-domain-cookies.mdx b/docs/docs/guides/multi-domain-cookies.mdx index 8ab715806245..89f227a0e06a 100644 --- a/docs/docs/guides/multi-domain-cookies.mdx +++ b/docs/docs/guides/multi-domain-cookies.mdx @@ -9,40 +9,7 @@ other scenarios. ## Base URL The public base URL (`serve.public.base_url`) is used to compute redirect URLs, -form action URLs, and more. If you host Ory Kratos on more than one domain you -might want to enable the domain aliasing feature. This allows to register -additional base URLs. On incoming HTTP Requests, Ory Kratos checks the HTTP -`Host` Header and compares that to the list of domain aliases. - -```yaml title="path/to/kratos/config.yml -serve: - public: - base_url: https://this-is-the-default/base-url - domain_aliases: - - match_domain: www.another-domain.com - base_path: /kratos - scheme: https - - match_domain: that-domain.com - base_path: / - scheme: http -``` - -If a match is found, the value `serve.public.base_url` will be ignored and -instead the base URL is computed: - -``` -:// -``` - -Values ``, `` are set by the incoming HTTP request -and ``, ``, by the config: - -- Incoming request is to `https://www.another-domain.com:123/kratos/identities/` - so the result is `https://www.another-domain.com:123/kratos` -- Incoming request is to `http://www.another-domain.com/kratos/sessions/` so the - result is `http://www.another-domain.com/kratos` -- Incoming request is to `https://that-domain.com/identities/` so the result is - `https://that-domain.com/identities` +form action URLs, and more. ## Cookies @@ -77,26 +44,6 @@ session: # Overrides cookies.samesite for session cookies same_site: Strict - -serve: - public: - domain_aliases: - # When a request is coming from www.another-domain.com or that-domain.com, these these override: - # - # - session.cookie.domain and session.cookie.path for sessions - # - cookies.domain and cookies.path for anti-CSRF cookies - - - match_domain: www.another-domain.com - base_path: /kratos - - # The scheme has NO effect on the cookie `secure` flag! - # scheme: https - - - match_domain: that-domain.com - base_path: / - - # The scheme has NO effect on the cookie `secure` flag! - # scheme: http ``` What **is not** currently possible is to set up Ory Kratos in a way where you diff --git a/driver/config/config.go b/driver/config/config.go index 9cfd66c031d2..c8e59a48d978 100644 --- a/driver/config/config.go +++ b/driver/config/config.go @@ -7,7 +7,6 @@ import ( "encoding/json" "fmt" "io" - "net" "net/http" "net/url" "os" @@ -68,7 +67,6 @@ const ( ViperKeySecretsCipher = "secrets.cipher" ViperKeyDisablePublicHealthRequestLog = "serve.public.request_log.disable_for_health" ViperKeyPublicBaseURL = "serve.public.base_url" - ViperKeyPublicDomainAliases = "serve.public.domain_aliases" ViperKeyPublicPort = "serve.public.port" ViperKeyPublicHost = "serve.public.host" ViperKeyPublicSocketOwner = "serve.public.socket.owner" @@ -435,7 +433,7 @@ func (p *Config) DefaultIdentityTraitsSchemaURL() *url.URL { } func (p *Config) TOTPIssuer() string { - return p.Source().StringF(ViperKeyTOTPIssuer, p.SelfPublicURL(nil).Hostname()) + return p.Source().StringF(ViperKeyTOTPIssuer, p.SelfPublicURL().Hostname()) } func (p *Config) IdentityTraitsSchemas() Schemas { @@ -710,56 +708,8 @@ func (p *Config) DisablePublicHealthRequestLog() bool { return p.p.Bool(ViperKeyDisablePublicHealthRequestLog) } -type DomainAlias struct { - BasePath string `json:"base_path"` - Scheme string `json:"scheme"` - MatchDomain string `json:"match_domain"` -} - -func (p *Config) SelfPublicURL(r *http.Request) *url.URL { - primary := p.baseURL(ViperKeyPublicBaseURL, ViperKeyPublicHost, ViperKeyPublicPort, 4433) - if r == nil { - return primary - } - - out, err := p.p.Marshal(kjson.Parser()) - if err != nil { - p.l.WithError(err).Errorf("Unable to marshal configuration.") - return primary - } - - raw := gjson.GetBytes(out, ViperKeyPublicDomainAliases).String() - if len(raw) == 0 { - return primary - } - - var aliases []DomainAlias - if err := json.NewDecoder(bytes.NewBufferString(raw)).Decode(&aliases); err != nil { - p.l.WithError(err).WithField("config", raw).Warnf("Unable to unmarshal domain alias configuration, falling back to primary domain.") - return primary - } - - host := r.URL.Query().Get("alias") - if len(host) == 0 { - host = r.Host - } - - hostname, _, _ := net.SplitHostPort(host) - if hostname == "" { - hostname = host - } - for _, a := range aliases { - if strings.EqualFold(a.MatchDomain, hostname) || strings.EqualFold(a.MatchDomain, host) { - parsed := &url.URL{ - Scheme: a.Scheme, - Host: host, - Path: a.BasePath, - } - return parsed - } - } - - return primary +func (p *Config) SelfPublicURL() *url.URL { + return p.baseURL(ViperKeyPublicBaseURL, ViperKeyPublicHost, ViperKeyPublicPort, 4433) } func (p *Config) DisableAdminHealthRequestLog() bool { diff --git a/driver/config/config_test.go b/driver/config/config_test.go index ed24aa2dd905..789e00eba32c 100644 --- a/driver/config/config_test.go +++ b/driver/config/config_test.go @@ -53,7 +53,7 @@ func TestViperProvider(t *testing.T) { assert.Equal(t, "http://test.kratos.ory.sh/error", p.SelfServiceFlowErrorURL().String()) assert.Equal(t, "http://admin.kratos.ory.sh", p.SelfAdminURL().String()) - assert.Equal(t, "http://public.kratos.ory.sh", p.SelfPublicURL(nil).String()) + assert.Equal(t, "http://public.kratos.ory.sh", p.SelfPublicURL().String()) var ds []string for _, v := range p.SelfServiceBrowserWhitelistedReturnToDomains() { @@ -404,73 +404,23 @@ func TestProviderBaseURLs(t *testing.T) { } p := config.MustNew(t, logrusx.New("", ""), os.Stderr, configx.SkipValidation()) - assert.Equal(t, "https://"+machineHostname+":4433/", p.SelfPublicURL(nil).String()) + assert.Equal(t, "https://"+machineHostname+":4433/", p.SelfPublicURL().String()) assert.Equal(t, "https://"+machineHostname+":4434/", p.SelfAdminURL().String()) p.MustSet(config.ViperKeyPublicPort, 4444) p.MustSet(config.ViperKeyAdminPort, 4445) - assert.Equal(t, "https://"+machineHostname+":4444/", p.SelfPublicURL(nil).String()) + assert.Equal(t, "https://"+machineHostname+":4444/", p.SelfPublicURL().String()) assert.Equal(t, "https://"+machineHostname+":4445/", p.SelfAdminURL().String()) p.MustSet(config.ViperKeyPublicHost, "public.ory.sh") p.MustSet(config.ViperKeyAdminHost, "admin.ory.sh") - assert.Equal(t, "https://public.ory.sh:4444/", p.SelfPublicURL(nil).String()) + assert.Equal(t, "https://public.ory.sh:4444/", p.SelfPublicURL().String()) assert.Equal(t, "https://admin.ory.sh:4445/", p.SelfAdminURL().String()) // Set to dev mode p.MustSet("dev", true) - assert.Equal(t, "http://public.ory.sh:4444/", p.SelfPublicURL(nil).String()) + assert.Equal(t, "http://public.ory.sh:4444/", p.SelfPublicURL().String()) assert.Equal(t, "http://admin.ory.sh:4445/", p.SelfAdminURL().String()) - - // Check domain aliases - p.MustSet(config.ViperKeyPublicDomainAliases, []config.DomainAlias{ - { - MatchDomain: "www.google.com", - BasePath: "/.ory/", - Scheme: "https", - }, - { - MatchDomain: "www.amazon.com", - BasePath: "/", - Scheme: "http", - }, - { - MatchDomain: "ory.sh:1234", - BasePath: "/", - Scheme: "https", - }, - }) - assert.Equal(t, "http://public.ory.sh:4444/", p.SelfPublicURL(nil).String()) - assert.Equal(t, "http://public.ory.sh:4444/", p.SelfPublicURL(&http.Request{ - URL: new(url.URL), - Host: "www.not-google.com", - }).String()) - assert.Equal(t, "https://www.GooGle.com:312/.ory/", p.SelfPublicURL(&http.Request{ - URL: new(url.URL), - Host: "www.GooGle.com:312", - }).String()) - assert.Equal(t, "http://www.amazon.com/", p.SelfPublicURL(&http.Request{ - URL: new(url.URL), - Host: "www.amazon.com", - }).String()) - - // Check domain aliases with alias query param - assert.Equal(t, "http://www.amazon.com/", p.SelfPublicURL(&http.Request{ - URL: &url.URL{RawQuery: url.Values{"alias": {"www.amazon.com"}}.Encode()}, - Host: "www.GooGle.com:312", - }).String()) - assert.Equal(t, "https://ory.sh:1234/", p.SelfPublicURL(&http.Request{ - URL: &url.URL{RawQuery: url.Values{"alias": {"ory.sh:1234"}}.Encode()}, - Host: "www.amazon.com", - }).String()) - assert.Equal(t, "http://www.amazon.com:8181/", p.SelfPublicURL(&http.Request{ - URL: new(url.URL), - Host: "www.amazon.com:8181", - }).String()) - assert.Equal(t, "http://www.amazon.com:8181/", p.SelfPublicURL(&http.Request{ - URL: &url.URL{RawQuery: url.Values{"alias": {"www.amazon.com:8181"}}.Encode()}, - Host: "www.GooGle.com:312", - }).String()) } func TestViperProvider_Secrets(t *testing.T) { diff --git a/embedx/config.schema.json b/embedx/config.schema.json index 71699e151e28..41cd168683fc 100644 --- a/embedx/config.schema.json +++ b/embedx/config.schema.json @@ -1534,55 +1534,6 @@ "base_url": { "$ref": "#/definitions/baseUrl" }, - "domain_aliases": { - "title": "Domain Aliases", - "description": "Adds an alias domain. If a request with the hostname (FQDN) matching the hostname in the alias is found, that URL is used as the base URL.", - "type": "array", - "items": [ - { - "additionalProperties": false, - "type": "object", - "required": [ - "match_domain", - "base_path", - "scheme" - ], - "properties": { - "match_domain": { - "minLength": 1, - "title": "Matching Domain", - "description": "Sets the matching domain. If the domain matches with this entry, the accompanying base_url will be used.", - "type": "string", - "examples": [ - "localhost", - "my-domain.com" - ] - }, - "scheme": { - "title": "Scheme", - "description": "Sets the scheme, for example https or http.", - "type": "string", - "enum": [ - "http", - "https" - ] - }, - "base_path": { - "minLength": 1, - "title": "Base Path", - "description": "Sets the base path for the matched domain.", - "type": "string", - "default": "/", - "pattern": "^/.*$", - "examples": [ - "/", - "/.ory/kratos" - ] - } - } - } - ] - }, "host": { "title": "Public Host", "description": "The host (interface) kratos' public endpoint listens on.", @@ -1999,7 +1950,7 @@ }, "additionalProperties": false }, - "ciphers" : { + "ciphers": { "title": "Cipher Algorithm Configuration", "type": "object", "properties": { @@ -2220,7 +2171,7 @@ { "if": { "properties": { - "ciphers" : { + "ciphers": { "properties": { "algorithm": { "oneOf": [ @@ -2233,16 +2184,24 @@ ] } }, - "required": ["algorithm"] + "required": [ + "algorithm" + ] } }, - "required": ["ciphers"] + "required": [ + "ciphers" + ] }, "then": { - "required": ["secrets"], + "required": [ + "secrets" + ], "properties": { "secrets": { - "required": ["cipher"] + "required": [ + "cipher" + ] } } } diff --git a/persistence/sql/persister_identity.go b/persistence/sql/persister_identity.go index 65bf18de1572..e3b04c9bdb66 100644 --- a/persistence/sql/persister_identity.go +++ b/persistence/sql/persister_identity.go @@ -471,6 +471,6 @@ func (p *Persister) injectTraitsSchemaURL(ctx context.Context, i *identity.Ident return errors.WithStack(herodot.ErrInternalServerError.WithReasonf( `The JSON Schema "%s" for this identity's traits could not be found.`, i.SchemaID)) } - i.SchemaURL = s.SchemaURL(p.r.Config(ctx).SelfPublicURL(nil)).String() + i.SchemaURL = s.SchemaURL(p.r.Config(ctx).SelfPublicURL()).String() return nil } diff --git a/schema/handler.go b/schema/handler.go index 75277b5ffffb..6159408d8c8b 100644 --- a/schema/handler.go +++ b/schema/handler.go @@ -168,7 +168,7 @@ func (h *Handler) getAll(w http.ResponseWriter, r *http.Request, ps httprouter.P }) } - x.PaginationHeader(w, urlx.AppendPaths(h.r.Config(r.Context()).SelfPublicURL(r), fmt.Sprintf("/%s", SchemasPath)), int64(total), page, itemsPerPage) + x.PaginationHeader(w, urlx.AppendPaths(h.r.Config(r.Context()).SelfPublicURL(), fmt.Sprintf("/%s", SchemasPath)), int64(total), page, itemsPerPage) h.r.Writer().Write(w, r, ss) } diff --git a/selfservice/flow/login/flow.go b/selfservice/flow/login/flow.go index cf67bb2e208d..6a912fc044ba 100644 --- a/selfservice/flow/login/flow.go +++ b/selfservice/flow/login/flow.go @@ -113,7 +113,7 @@ func NewFlow(conf *config.Config, exp time.Duration, csrf string, r *http.Reques conf.SelfServiceBrowserDefaultReturnTo(), x.SecureRedirectUseSourceURL(requestURL), x.SecureRedirectAllowURLs(conf.SelfServiceBrowserWhitelistedReturnToDomains()), - x.SecureRedirectAllowSelfServiceURLs(conf.SelfPublicURL(r)), + x.SecureRedirectAllowSelfServiceURLs(conf.SelfPublicURL()), ) if err != nil { return nil, err @@ -125,7 +125,7 @@ func NewFlow(conf *config.Config, exp time.Duration, csrf string, r *http.Reques IssuedAt: now, UI: &container.Container{ Method: "POST", - Action: flow.AppendFlowTo(urlx.AppendPaths(conf.SelfPublicURL(r), RouteSubmitFlow), id).String(), + Action: flow.AppendFlowTo(urlx.AppendPaths(conf.SelfPublicURL(), RouteSubmitFlow), id).String(), }, RequestURL: requestURL, CSRFToken: csrf, diff --git a/selfservice/flow/login/flow_test.go b/selfservice/flow/login/flow_test.go index 7d97d4913c54..cd99c1592878 100644 --- a/selfservice/flow/login/flow_test.go +++ b/selfservice/flow/login/flow_test.go @@ -58,7 +58,7 @@ func TestNewFlow(t *testing.T) { _, err := login.NewFlow(conf, 0, "csrf", &http.Request{URL: &url.URL{Path: "/", RawQuery: "return_to=https://not-allowed/foobar"}, Host: "ory.sh"}, flow.TypeBrowser) require.Error(t, err) - _, err = login.NewFlow(conf, 0, "csrf", &http.Request{URL: &url.URL{Path: "/", RawQuery: "return_to=" + urlx.AppendPaths(conf.SelfPublicURL(nil), "/self-service/login/browser").String()}, Host: "ory.sh"}, flow.TypeBrowser) + _, err = login.NewFlow(conf, 0, "csrf", &http.Request{URL: &url.URL{Path: "/", RawQuery: "return_to=" + urlx.AppendPaths(conf.SelfPublicURL(), "/self-service/login/browser").String()}, Host: "ory.sh"}, flow.TypeBrowser) require.NoError(t, err) }) diff --git a/selfservice/flow/login/handler.go b/selfservice/flow/login/handler.go index 1adbd1e9aa44..83537da08f97 100644 --- a/selfservice/flow/login/handler.go +++ b/selfservice/flow/login/handler.go @@ -326,7 +326,7 @@ func (h *Handler) initBrowserFlow(w http.ResponseWriter, r *http.Request, ps htt a, err := h.NewLoginFlow(w, r, flow.TypeBrowser) if errors.Is(err, ErrAlreadyLoggedIn) { returnTo, redirErr := x.SecureRedirectTo(r, h.d.Config(r.Context()).SelfServiceBrowserDefaultReturnTo(), - x.SecureRedirectAllowSelfServiceURLs(h.d.Config(r.Context()).SelfPublicURL(r)), + x.SecureRedirectAllowSelfServiceURLs(h.d.Config(r.Context()).SelfPublicURL()), x.SecureRedirectAllowURLs(h.d.Config(r.Context()).SelfServiceBrowserWhitelistedReturnToDomains()), ) if redirErr != nil { @@ -424,12 +424,12 @@ func (h *Handler) fetchFlow(w http.ResponseWriter, r *http.Request, _ httprouter if ar.Type == flow.TypeBrowser { h.d.Writer().WriteError(w, r, errors.WithStack(x.ErrGone.WithID(text.ErrIDSelfServiceFlowExpired). WithReason("The login flow has expired. Redirect the user to the login flow init endpoint to initialize a new login flow."). - WithDetail("redirect_to", urlx.AppendPaths(h.d.Config(r.Context()).SelfPublicURL(r), RouteInitBrowserFlow).String()))) + WithDetail("redirect_to", urlx.AppendPaths(h.d.Config(r.Context()).SelfPublicURL(), RouteInitBrowserFlow).String()))) return } h.d.Writer().WriteError(w, r, errors.WithStack(x.ErrGone.WithID(text.ErrIDSelfServiceFlowExpired). WithReason("The login flow has expired. Call the login flow init API endpoint to initialize a new login flow."). - WithDetail("api", urlx.AppendPaths(h.d.Config(r.Context()).SelfPublicURL(r), RouteInitAPIFlow).String()))) + WithDetail("api", urlx.AppendPaths(h.d.Config(r.Context()).SelfPublicURL(), RouteInitAPIFlow).String()))) return } diff --git a/selfservice/flow/login/hook.go b/selfservice/flow/login/hook.go index 42627c3e95de..eee4eb298ce2 100644 --- a/selfservice/flow/login/hook.go +++ b/selfservice/flow/login/hook.go @@ -76,7 +76,7 @@ func (e *HookExecutor) PostLoginHook(w http.ResponseWriter, r *http.Request, a * returnTo, err := x.SecureRedirectTo(r, c.SelfServiceBrowserDefaultReturnTo(), x.SecureRedirectUseSourceURL(a.RequestURL), x.SecureRedirectAllowURLs(c.SelfServiceBrowserWhitelistedReturnToDomains()), - x.SecureRedirectAllowSelfServiceURLs(c.SelfPublicURL(r)), + x.SecureRedirectAllowSelfServiceURLs(c.SelfPublicURL()), x.SecureRedirectOverrideDefaultReturnTo(e.d.Config(r.Context()).SelfServiceFlowLoginReturnTo(a.Active.String())), ) if err != nil { diff --git a/selfservice/flow/logout/handler.go b/selfservice/flow/logout/handler.go index fb2f31e471b4..9b05e3931da9 100644 --- a/selfservice/flow/logout/handler.go +++ b/selfservice/flow/logout/handler.go @@ -124,7 +124,7 @@ func (h *Handler) createSelfServiceLogoutUrlForBrowsers(w http.ResponseWriter, r h.d.Writer().Write(w, r, &selfServiceLogoutUrl{ LogoutToken: sess.LogoutToken, - LogoutURL: urlx.CopyWithQuery(urlx.AppendPaths(h.d.Config(r.Context()).SelfPublicURL(r), RouteSubmitFlow), + LogoutURL: urlx.CopyWithQuery(urlx.AppendPaths(h.d.Config(r.Context()).SelfPublicURL(), RouteSubmitFlow), url.Values{"token": {sess.LogoutToken}}).String(), }) } @@ -274,7 +274,7 @@ func (h *Handler) completeLogout(w http.ResponseWriter, r *http.Request) { ret, err := x.SecureRedirectTo(r, h.d.Config(r.Context()).SelfServiceFlowLogoutRedirectURL(), x.SecureRedirectUseSourceURL(r.RequestURI), x.SecureRedirectAllowURLs(h.d.Config(r.Context()).SelfServiceBrowserWhitelistedReturnToDomains()), - x.SecureRedirectAllowSelfServiceURLs(h.d.Config(r.Context()).SelfPublicURL(r)), + x.SecureRedirectAllowSelfServiceURLs(h.d.Config(r.Context()).SelfPublicURL()), ) if err != nil { h.d.SelfServiceErrorManager().Forward(r.Context(), w, r, err) diff --git a/selfservice/flow/recovery/error.go b/selfservice/flow/recovery/error.go index 982968359787..975d8e3e0079 100644 --- a/selfservice/flow/recovery/error.go +++ b/selfservice/flow/recovery/error.go @@ -84,7 +84,7 @@ func (s *ErrorHandler) WriteFlowError( } if f.Type == flow.TypeAPI || x.IsJSONRequest(r) { - http.Redirect(w, r, urlx.CopyWithQuery(urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(r), + http.Redirect(w, r, urlx.CopyWithQuery(urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(), RouteGetFlow), url.Values{"id": {a.ID.String()}}).String(), http.StatusSeeOther) } else { http.Redirect(w, r, a.AppendTo(s.d.Config(r.Context()).SelfServiceFlowRecoveryUI()).String(), http.StatusSeeOther) diff --git a/selfservice/flow/recovery/flow.go b/selfservice/flow/recovery/flow.go index 94f0c7e99de8..7cc30915c9d6 100644 --- a/selfservice/flow/recovery/flow.go +++ b/selfservice/flow/recovery/flow.go @@ -100,7 +100,7 @@ func NewFlow(conf *config.Config, exp time.Duration, csrf string, r *http.Reques conf.SelfServiceBrowserDefaultReturnTo(), x.SecureRedirectUseSourceURL(requestURL), x.SecureRedirectAllowURLs(conf.SelfServiceBrowserWhitelistedReturnToDomains()), - x.SecureRedirectAllowSelfServiceURLs(conf.SelfPublicURL(r)), + x.SecureRedirectAllowSelfServiceURLs(conf.SelfPublicURL()), ) if err != nil { return nil, err @@ -113,7 +113,7 @@ func NewFlow(conf *config.Config, exp time.Duration, csrf string, r *http.Reques RequestURL: requestURL, UI: &container.Container{ Method: "POST", - Action: flow.AppendFlowTo(urlx.AppendPaths(conf.SelfPublicURL(r), RouteSubmitFlow), id).String(), + Action: flow.AppendFlowTo(urlx.AppendPaths(conf.SelfPublicURL(), RouteSubmitFlow), id).String(), }, State: StateChooseMethod, CSRFToken: csrf, diff --git a/selfservice/flow/recovery/flow_test.go b/selfservice/flow/recovery/flow_test.go index 40c472a0c017..90d51037c3c8 100644 --- a/selfservice/flow/recovery/flow_test.go +++ b/selfservice/flow/recovery/flow_test.go @@ -56,7 +56,7 @@ func TestFlow(t *testing.T) { _, err := recovery.NewFlow(conf, 0, "csrf", &http.Request{URL: &url.URL{Path: "/", RawQuery: "return_to=https://not-allowed/foobar"}, Host: "ory.sh"}, nil, flow.TypeBrowser) require.Error(t, err) - _, err = recovery.NewFlow(conf, 0, "csrf", &http.Request{URL: &url.URL{Path: "/", RawQuery: "return_to=" + urlx.AppendPaths(conf.SelfPublicURL(nil), "/self-service/login/browser").String()}, Host: "ory.sh"}, nil, flow.TypeBrowser) + _, err = recovery.NewFlow(conf, 0, "csrf", &http.Request{URL: &url.URL{Path: "/", RawQuery: "return_to=" + urlx.AppendPaths(conf.SelfPublicURL(), "/self-service/login/browser").String()}, Host: "ory.sh"}, nil, flow.TypeBrowser) require.NoError(t, err) }) } diff --git a/selfservice/flow/recovery/handler.go b/selfservice/flow/recovery/handler.go index 6cbbe53c80c8..92f4efd3f53a 100644 --- a/selfservice/flow/recovery/handler.go +++ b/selfservice/flow/recovery/handler.go @@ -268,12 +268,12 @@ func (h *Handler) fetch(w http.ResponseWriter, r *http.Request, _ httprouter.Par if f.Type == flow.TypeBrowser { h.d.Writer().WriteError(w, r, errors.WithStack(x.ErrGone. WithReason("The recovery flow has expired. Redirect the user to the recovery flow init endpoint to initialize a new recovery flow."). - WithDetail("redirect_to", urlx.AppendPaths(h.d.Config(r.Context()).SelfPublicURL(r), RouteInitBrowserFlow).String()))) + WithDetail("redirect_to", urlx.AppendPaths(h.d.Config(r.Context()).SelfPublicURL(), RouteInitBrowserFlow).String()))) return } h.d.Writer().WriteError(w, r, errors.WithStack(x.ErrGone. WithReason("The recovery flow has expired. Call the recovery flow init API endpoint to initialize a new recovery flow."). - WithDetail("api", urlx.AppendPaths(h.d.Config(r.Context()).SelfPublicURL(r), RouteInitAPIFlow).String()))) + WithDetail("api", urlx.AppendPaths(h.d.Config(r.Context()).SelfPublicURL(), RouteInitAPIFlow).String()))) return } diff --git a/selfservice/flow/registration/flow.go b/selfservice/flow/registration/flow.go index 560335177194..ab68a6d349ff 100644 --- a/selfservice/flow/registration/flow.go +++ b/selfservice/flow/registration/flow.go @@ -90,7 +90,7 @@ func NewFlow(conf *config.Config, exp time.Duration, csrf string, r *http.Reques conf.SelfServiceBrowserDefaultReturnTo(), x.SecureRedirectUseSourceURL(requestURL), x.SecureRedirectAllowURLs(conf.SelfServiceBrowserWhitelistedReturnToDomains()), - x.SecureRedirectAllowSelfServiceURLs(conf.SelfPublicURL(r)), + x.SecureRedirectAllowSelfServiceURLs(conf.SelfPublicURL()), ) if err != nil { return nil, err @@ -103,7 +103,7 @@ func NewFlow(conf *config.Config, exp time.Duration, csrf string, r *http.Reques RequestURL: requestURL, UI: &container.Container{ Method: "POST", - Action: flow.AppendFlowTo(urlx.AppendPaths(conf.SelfPublicURL(r), RouteSubmitFlow), id).String(), + Action: flow.AppendFlowTo(urlx.AppendPaths(conf.SelfPublicURL(), RouteSubmitFlow), id).String(), }, CSRFToken: csrf, Type: ft, diff --git a/selfservice/flow/registration/flow_test.go b/selfservice/flow/registration/flow_test.go index 65d4a1bee4bd..8f3dc75041d0 100644 --- a/selfservice/flow/registration/flow_test.go +++ b/selfservice/flow/registration/flow_test.go @@ -53,7 +53,7 @@ func TestNewFlow(t *testing.T) { _, err := registration.NewFlow(conf, 0, "csrf", &http.Request{URL: &url.URL{Path: "/", RawQuery: "return_to=https://not-allowed/foobar"}, Host: "ory.sh"}, flow.TypeBrowser) require.Error(t, err) - _, err = registration.NewFlow(conf, 0, "csrf", &http.Request{URL: &url.URL{Path: "/", RawQuery: "return_to=" + urlx.AppendPaths(conf.SelfPublicURL(nil), "/self-service/login/browser").String()}, Host: "ory.sh"}, flow.TypeBrowser) + _, err = registration.NewFlow(conf, 0, "csrf", &http.Request{URL: &url.URL{Path: "/", RawQuery: "return_to=" + urlx.AppendPaths(conf.SelfPublicURL(), "/self-service/login/browser").String()}, Host: "ory.sh"}, flow.TypeBrowser) require.NoError(t, err) }) diff --git a/selfservice/flow/registration/handler.go b/selfservice/flow/registration/handler.go index 83ef1246e675..bb794f136de2 100644 --- a/selfservice/flow/registration/handler.go +++ b/selfservice/flow/registration/handler.go @@ -328,12 +328,12 @@ func (h *Handler) fetchFlow(w http.ResponseWriter, r *http.Request, ps httproute if ar.Type == flow.TypeBrowser { h.d.Writer().WriteError(w, r, errors.WithStack(x.ErrGone.WithID(text.ErrIDSelfServiceFlowExpired). WithReason("The registration flow has expired. Redirect the user to the registration flow init endpoint to initialize a new registration flow."). - WithDetail("redirect_to", urlx.AppendPaths(h.d.Config(r.Context()).SelfPublicURL(r), RouteInitBrowserFlow).String()))) + WithDetail("redirect_to", urlx.AppendPaths(h.d.Config(r.Context()).SelfPublicURL(), RouteInitBrowserFlow).String()))) return } h.d.Writer().WriteError(w, r, errors.WithStack(x.ErrGone.WithID(text.ErrIDSelfServiceFlowExpired). WithReason("The registration flow has expired. Call the registration flow init API endpoint to initialize a new registration flow."). - WithDetail("api", urlx.AppendPaths(h.d.Config(r.Context()).SelfPublicURL(r), RouteInitAPIFlow).String()))) + WithDetail("api", urlx.AppendPaths(h.d.Config(r.Context()).SelfPublicURL(), RouteInitAPIFlow).String()))) return } diff --git a/selfservice/flow/registration/hook.go b/selfservice/flow/registration/hook.go index 986e98aa12a4..12b278a4152a 100644 --- a/selfservice/flow/registration/hook.go +++ b/selfservice/flow/registration/hook.go @@ -130,7 +130,7 @@ func (e *HookExecutor) PostRegistrationHook(w http.ResponseWriter, r *http.Reque returnTo, err := x.SecureRedirectTo(r, c.SelfServiceBrowserDefaultReturnTo(), x.SecureRedirectUseSourceURL(a.RequestURL), x.SecureRedirectAllowURLs(c.SelfServiceBrowserWhitelistedReturnToDomains()), - x.SecureRedirectAllowSelfServiceURLs(c.SelfPublicURL(r)), + x.SecureRedirectAllowSelfServiceURLs(c.SelfPublicURL()), x.SecureRedirectOverrideDefaultReturnTo(c.SelfServiceFlowRegistrationReturnTo(ct.String())), ) if err != nil { diff --git a/selfservice/flow/settings/error.go b/selfservice/flow/settings/error.go index 918c15e18bff..09d295818bf8 100644 --- a/selfservice/flow/settings/error.go +++ b/selfservice/flow/settings/error.go @@ -79,8 +79,8 @@ func (s *ErrorHandler) reauthenticate( f *Flow, err *FlowNeedsReAuth, ) { - returnTo := urlx.CopyWithQuery(urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(r), r.URL.Path), r.URL.Query()) - redirectTo := urlx.AppendPaths(urlx.CopyWithQuery(s.d.Config(r.Context()).SelfPublicURL(r), + returnTo := urlx.CopyWithQuery(urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(), r.URL.Path), r.URL.Query()) + redirectTo := urlx.AppendPaths(urlx.CopyWithQuery(s.d.Config(r.Context()).SelfPublicURL(), url.Values{"refresh": {"true"}, "return_to": {returnTo.String()}}), login.RouteInitBrowserFlow).String() err.RedirectBrowserTo = redirectTo @@ -135,7 +135,7 @@ func (s *ErrorHandler) WriteFlowError( if shouldRespondWithJSON { s.d.Writer().WriteError(w, r, err) } else { - http.Redirect(w, r, urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(r), login.RouteInitBrowserFlow).String(), http.StatusSeeOther) + http.Redirect(w, r, urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(), login.RouteInitBrowserFlow).String(), http.StatusSeeOther) } return } @@ -145,7 +145,7 @@ func (s *ErrorHandler) WriteFlowError( s.d.Writer().WriteError(w, r, aalErr) } else { http.Redirect(w, r, urlx.CopyWithQuery( - urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(r), login.RouteInitBrowserFlow), + urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(), login.RouteInitBrowserFlow), url.Values{"aal": {string(identity.AuthenticatorAssuranceLevel2)}}).String(), http.StatusSeeOther) } return diff --git a/selfservice/flow/settings/error_test.go b/selfservice/flow/settings/error_test.go index dcb4e8156994..63a724e96783 100644 --- a/selfservice/flow/settings/error_test.go +++ b/selfservice/flow/settings/error_test.go @@ -326,7 +326,7 @@ func TestHandleError(t *testing.T) { }) t.Run("case=session old error", func(t *testing.T) { - conf.MustSet(config.ViperKeyURLsWhitelistedReturnToDomains, []string{urlx.AppendPaths(conf.SelfPublicURL(nil), "/error").String()}) + conf.MustSet(config.ViperKeyURLsWhitelistedReturnToDomains, []string{urlx.AppendPaths(conf.SelfPublicURL(), "/error").String()}) t.Cleanup(reset) settingsFlow = &settings.Flow{Type: flow.TypeBrowser} diff --git a/selfservice/flow/settings/flow.go b/selfservice/flow/settings/flow.go index cc3164a5fa7c..aecfe3bda928 100644 --- a/selfservice/flow/settings/flow.go +++ b/selfservice/flow/settings/flow.go @@ -126,7 +126,7 @@ func NewFlow(conf *config.Config, exp time.Duration, r *http.Request, i *identit conf.SelfServiceBrowserDefaultReturnTo(), x.SecureRedirectUseSourceURL(requestURL), x.SecureRedirectAllowURLs(conf.SelfServiceBrowserWhitelistedReturnToDomains()), - x.SecureRedirectAllowSelfServiceURLs(conf.SelfPublicURL(r)), + x.SecureRedirectAllowSelfServiceURLs(conf.SelfPublicURL()), ) if err != nil { return nil, err @@ -143,7 +143,7 @@ func NewFlow(conf *config.Config, exp time.Duration, r *http.Request, i *identit State: StateShowForm, UI: &container.Container{ Method: "POST", - Action: flow.AppendFlowTo(urlx.AppendPaths(conf.SelfPublicURL(r), RouteSubmitFlow), id).String(), + Action: flow.AppendFlowTo(urlx.AppendPaths(conf.SelfPublicURL(), RouteSubmitFlow), id).String(), }, InternalContext: []byte("{}"), }, nil diff --git a/selfservice/flow/settings/flow_test.go b/selfservice/flow/settings/flow_test.go index 0304b28403dd..14b002a8c0df 100644 --- a/selfservice/flow/settings/flow_test.go +++ b/selfservice/flow/settings/flow_test.go @@ -57,7 +57,7 @@ func TestNewFlow(t *testing.T) { _, err := registration.NewFlow(conf, 0, "csrf", &http.Request{URL: &url.URL{Path: "/", RawQuery: "return_to=https://not-allowed/foobar"}, Host: "ory.sh"}, flow.TypeBrowser) require.Error(t, err) - _, err = registration.NewFlow(conf, 0, "csrf", &http.Request{URL: &url.URL{Path: "/", RawQuery: "return_to=" + urlx.AppendPaths(conf.SelfPublicURL(nil), "/self-service/login/browser").String()}, Host: "ory.sh"}, flow.TypeBrowser) + _, err = registration.NewFlow(conf, 0, "csrf", &http.Request{URL: &url.URL{Path: "/", RawQuery: "return_to=" + urlx.AppendPaths(conf.SelfPublicURL(), "/self-service/login/browser").String()}, Host: "ory.sh"}, flow.TypeBrowser) require.NoError(t, err) }) diff --git a/selfservice/flow/settings/handler.go b/selfservice/flow/settings/handler.go index dabfd3965018..1a2f78f0ba9c 100644 --- a/selfservice/flow/settings/handler.go +++ b/selfservice/flow/settings/handler.go @@ -375,12 +375,12 @@ func (h *Handler) fetchFlow(w http.ResponseWriter, r *http.Request) error { if pr.Type == flow.TypeBrowser { h.d.Writer().WriteError(w, r, errors.WithStack(x.ErrGone. WithReason("The settings flow has expired. Redirect the user to the settings flow init endpoint to initialize a new settings flow."). - WithDetail("redirect_to", urlx.AppendPaths(h.d.Config(r.Context()).SelfPublicURL(r), RouteInitBrowserFlow).String()))) + WithDetail("redirect_to", urlx.AppendPaths(h.d.Config(r.Context()).SelfPublicURL(), RouteInitBrowserFlow).String()))) return nil } h.d.Writer().WriteError(w, r, errors.WithStack(x.ErrGone. WithReason("The settings flow has expired. Call the settings flow init API endpoint to initialize a new settings flow."). - WithDetail("api", urlx.AppendPaths(h.d.Config(r.Context()).SelfPublicURL(r), RouteInitAPIFlow).String()))) + WithDetail("api", urlx.AppendPaths(h.d.Config(r.Context()).SelfPublicURL(), RouteInitAPIFlow).String()))) return nil } diff --git a/selfservice/flow/settings/hook.go b/selfservice/flow/settings/hook.go index 5cc3fe4e3583..d23cfdf60819 100644 --- a/selfservice/flow/settings/hook.go +++ b/selfservice/flow/settings/hook.go @@ -106,7 +106,7 @@ func (e *HookExecutor) PostSettingsHook(w http.ResponseWriter, r *http.Request, returnTo, err := x.SecureRedirectTo(r, c.SelfServiceBrowserDefaultReturnTo(), x.SecureRedirectUseSourceURL(ctxUpdate.Flow.RequestURL), x.SecureRedirectAllowURLs(c.SelfServiceBrowserWhitelistedReturnToDomains()), - x.SecureRedirectAllowSelfServiceURLs(c.SelfPublicURL(r)), + x.SecureRedirectAllowSelfServiceURLs(c.SelfPublicURL()), x.SecureRedirectOverrideDefaultReturnTo( e.d.Config(r.Context()).SelfServiceFlowSettingsReturnTo(settingsType, ctxUpdate.Flow.AppendTo(e.d.Config(r.Context()).SelfServiceFlowSettingsUI()))), diff --git a/selfservice/flow/verification/error.go b/selfservice/flow/verification/error.go index f1e251c17434..c726e59b594b 100644 --- a/selfservice/flow/verification/error.go +++ b/selfservice/flow/verification/error.go @@ -82,7 +82,7 @@ func (s *ErrorHandler) WriteFlowError( } if f.Type == flow.TypeAPI || x.IsJSONRequest(r) { - http.Redirect(w, r, urlx.CopyWithQuery(urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(r), + http.Redirect(w, r, urlx.CopyWithQuery(urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(), RouteGetFlow), url.Values{"id": {a.ID.String()}}).String(), http.StatusSeeOther) } else { http.Redirect(w, r, a.AppendTo(s.d.Config(r.Context()).SelfServiceFlowVerificationUI()).String(), http.StatusSeeOther) diff --git a/selfservice/flow/verification/flow.go b/selfservice/flow/verification/flow.go index 456dd7fbf9ee..78309a0d67a3 100644 --- a/selfservice/flow/verification/flow.go +++ b/selfservice/flow/verification/flow.go @@ -104,7 +104,7 @@ func NewFlow(conf *config.Config, exp time.Duration, csrf string, r *http.Reques conf.SelfServiceBrowserDefaultReturnTo(), x.SecureRedirectUseSourceURL(requestURL), x.SecureRedirectAllowURLs(conf.SelfServiceBrowserWhitelistedReturnToDomains()), - x.SecureRedirectAllowSelfServiceURLs(conf.SelfPublicURL(r)), + x.SecureRedirectAllowSelfServiceURLs(conf.SelfPublicURL()), ) if err != nil { return nil, err @@ -116,7 +116,7 @@ func NewFlow(conf *config.Config, exp time.Duration, csrf string, r *http.Reques RequestURL: requestURL, UI: &container.Container{ Method: "POST", - Action: flow.AppendFlowTo(urlx.AppendPaths(conf.SelfPublicURL(r), RouteSubmitFlow), id).String(), + Action: flow.AppendFlowTo(urlx.AppendPaths(conf.SelfPublicURL(), RouteSubmitFlow), id).String(), }, CSRFToken: csrf, State: StateChooseMethod, diff --git a/selfservice/flow/verification/flow_test.go b/selfservice/flow/verification/flow_test.go index 80225337fb58..1ad4b7db02e0 100644 --- a/selfservice/flow/verification/flow_test.go +++ b/selfservice/flow/verification/flow_test.go @@ -54,7 +54,7 @@ func TestFlow(t *testing.T) { _, err := verification.NewFlow(conf, 0, "csrf", &http.Request{URL: &url.URL{Path: "/", RawQuery: "return_to=https://not-allowed/foobar"}, Host: "ory.sh"}, nil, flow.TypeBrowser) require.Error(t, err) - _, err = verification.NewFlow(conf, 0, "csrf", &http.Request{URL: &url.URL{Path: "/", RawQuery: "return_to=" + urlx.AppendPaths(conf.SelfPublicURL(nil), "/self-service/login/browser").String()}, Host: "ory.sh"}, nil, flow.TypeBrowser) + _, err = verification.NewFlow(conf, 0, "csrf", &http.Request{URL: &url.URL{Path: "/", RawQuery: "return_to=" + urlx.AppendPaths(conf.SelfPublicURL(), "/self-service/login/browser").String()}, Host: "ory.sh"}, nil, flow.TypeBrowser) require.NoError(t, err) }) diff --git a/selfservice/flow/verification/handler.go b/selfservice/flow/verification/handler.go index 8465f0589a09..de2c3243209e 100644 --- a/selfservice/flow/verification/handler.go +++ b/selfservice/flow/verification/handler.go @@ -250,12 +250,12 @@ func (h *Handler) fetch(w http.ResponseWriter, r *http.Request, _ httprouter.Par if req.Type == flow.TypeBrowser { h.d.Writer().WriteError(w, r, errors.WithStack(x.ErrGone. WithReason("The verification flow has expired. Redirect the user to the verification flow init endpoint to initialize a new verification flow."). - WithDetail("redirect_to", urlx.AppendPaths(h.d.Config(r.Context()).SelfPublicURL(r), RouteInitBrowserFlow).String()))) + WithDetail("redirect_to", urlx.AppendPaths(h.d.Config(r.Context()).SelfPublicURL(), RouteInitBrowserFlow).String()))) return } h.d.Writer().WriteError(w, r, errors.WithStack(x.ErrGone. WithReason("The verification flow has expired. Call the verification flow init API endpoint to initialize a new verification flow."). - WithDetail("api", urlx.AppendPaths(h.d.Config(r.Context()).SelfPublicURL(r), RouteInitAPIFlow).String()))) + WithDetail("api", urlx.AppendPaths(h.d.Config(r.Context()).SelfPublicURL(), RouteInitAPIFlow).String()))) return } diff --git a/selfservice/strategy/link/sender.go b/selfservice/strategy/link/sender.go index 025a38855120..59e62a41c46a 100644 --- a/selfservice/strategy/link/sender.go +++ b/selfservice/strategy/link/sender.go @@ -140,7 +140,7 @@ func (s *Sender) SendRecoveryTokenTo(ctx context.Context, f *recovery.Flow, i *i return s.send(ctx, string(address.Via), templates.NewRecoveryValid(s.r.Config(ctx), &templates.RecoveryValidModel{To: address.Value, RecoveryURL: urlx.CopyWithQuery( - urlx.AppendPaths(s.r.Config(ctx).SelfPublicURL(nil), recovery.RouteSubmitFlow), + urlx.AppendPaths(s.r.Config(ctx).SelfPublicURL(), recovery.RouteSubmitFlow), url.Values{ "token": {token.Token}, "flow": {f.ID.String()}, @@ -163,7 +163,7 @@ func (s *Sender) SendVerificationTokenTo(ctx context.Context, f *verification.Fl if err := s.send(ctx, string(address.Via), templates.NewVerificationValid(s.r.Config(ctx), &templates.VerificationValidModel{To: address.Value, VerificationURL: urlx.CopyWithQuery( - urlx.AppendPaths(s.r.Config(ctx).SelfPublicURL(nil), verification.RouteSubmitFlow), + urlx.AppendPaths(s.r.Config(ctx).SelfPublicURL(), verification.RouteSubmitFlow), url.Values{ "flow": {f.ID.String()}, "token": {token.Token}, diff --git a/selfservice/strategy/link/sender_test.go b/selfservice/strategy/link/sender_test.go index 5f9209aba40f..f0e2d66f7071 100644 --- a/selfservice/strategy/link/sender_test.go +++ b/selfservice/strategy/link/sender_test.go @@ -49,13 +49,13 @@ func TestManager(t *testing.T) { assert.EqualValues(t, "tracked@ory.sh", messages[0].Recipient) assert.Contains(t, messages[0].Subject, "Recover access to your account") - assert.Contains(t, messages[0].Body, urlx.AppendPaths(conf.SelfPublicURL(nil), recovery.RouteSubmitFlow).String()+"?") + assert.Contains(t, messages[0].Body, urlx.AppendPaths(conf.SelfPublicURL(), recovery.RouteSubmitFlow).String()+"?") assert.Contains(t, messages[0].Body, "token=") assert.Contains(t, messages[0].Body, "flow=") assert.EqualValues(t, "not-tracked@ory.sh", messages[1].Recipient) assert.Contains(t, messages[1].Subject, "Account access attempted") - assert.NotContains(t, messages[1].Body, urlx.AppendPaths(conf.SelfPublicURL(nil), recovery.RouteSubmitFlow).String()+"?") + assert.NotContains(t, messages[1].Body, urlx.AppendPaths(conf.SelfPublicURL(), recovery.RouteSubmitFlow).String()+"?") assert.NotContains(t, messages[1].Body, "token=") assert.NotContains(t, messages[1].Body, "flow=") }) @@ -74,13 +74,13 @@ func TestManager(t *testing.T) { assert.EqualValues(t, "tracked@ory.sh", messages[0].Recipient) assert.Contains(t, messages[0].Subject, "Please verify") - assert.Contains(t, messages[0].Body, urlx.AppendPaths(conf.SelfPublicURL(nil), verification.RouteSubmitFlow).String()+"?") + assert.Contains(t, messages[0].Body, urlx.AppendPaths(conf.SelfPublicURL(), verification.RouteSubmitFlow).String()+"?") assert.Contains(t, messages[0].Body, "token=") assert.Contains(t, messages[0].Body, "flow=") assert.EqualValues(t, "not-tracked@ory.sh", messages[1].Recipient) assert.Contains(t, messages[1].Subject, "tried to verify") - assert.NotContains(t, messages[1].Body, urlx.AppendPaths(conf.SelfPublicURL(nil), verification.RouteSubmitFlow).String()+"?") + assert.NotContains(t, messages[1].Body, urlx.AppendPaths(conf.SelfPublicURL(), verification.RouteSubmitFlow).String()+"?") address, err := reg.IdentityPool().FindVerifiableAddressByValue(context.Background(), identity.VerifiableAddressTypeEmail, "tracked@ory.sh") require.NoError(t, err) assert.EqualValues(t, identity.VerifiableAddressStatusSent, address.Status) diff --git a/selfservice/strategy/link/strategy_recovery.go b/selfservice/strategy/link/strategy_recovery.go index 9d7fd441353c..6bc97c988709 100644 --- a/selfservice/strategy/link/strategy_recovery.go +++ b/selfservice/strategy/link/strategy_recovery.go @@ -177,7 +177,7 @@ func (s *Strategy) createRecoveryLink(w http.ResponseWriter, r *http.Request, _ s.d.Writer().Write(w, r, &selfServiceRecoveryLink{ ExpiresAt: req.ExpiresAt.UTC(), RecoveryLink: urlx.CopyWithQuery( - urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(r), recovery.RouteSubmitFlow), + urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(), recovery.RouteSubmitFlow), url.Values{ "token": {token.Token}, "flow": {req.ID.String()}, @@ -363,7 +363,7 @@ func (s *Strategy) retryRecoveryFlowWithMessage(w http.ResponseWriter, r *http.R if ft == flow.TypeBrowser { http.Redirect(w, r, req.AppendTo(s.d.Config(r.Context()).SelfServiceFlowRecoveryUI()).String(), http.StatusSeeOther) } else { - http.Redirect(w, r, urlx.CopyWithQuery(urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(r), + http.Redirect(w, r, urlx.CopyWithQuery(urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(), recovery.RouteGetFlow), url.Values{"id": {req.ID.String()}}).String(), http.StatusSeeOther) } @@ -393,7 +393,7 @@ func (s *Strategy) retryRecoveryFlowWithError(w http.ResponseWriter, r *http.Req if ft == flow.TypeBrowser { http.Redirect(w, r, req.AppendTo(s.d.Config(r.Context()).SelfServiceFlowRecoveryUI()).String(), http.StatusSeeOther) } else { - http.Redirect(w, r, urlx.CopyWithQuery(urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(r), + http.Redirect(w, r, urlx.CopyWithQuery(urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(), recovery.RouteGetFlow), url.Values{"id": {req.ID.String()}}).String(), http.StatusSeeOther) } diff --git a/selfservice/strategy/link/strategy_verification.go b/selfservice/strategy/link/strategy_verification.go index 959d1af2d97a..b83c7e69cfa5 100644 --- a/selfservice/strategy/link/strategy_verification.go +++ b/selfservice/strategy/link/strategy_verification.go @@ -256,7 +256,7 @@ func (s *Strategy) verificationUseToken(w http.ResponseWriter, r *http.Request, verificationRequest := http.Request{URL: verificationRequestURL} returnTo, err := x.SecureRedirectTo(&verificationRequest, defaultRedirectURL, - x.SecureRedirectAllowSelfServiceURLs(s.d.Config(r.Context()).SelfPublicURL(r)), + x.SecureRedirectAllowSelfServiceURLs(s.d.Config(r.Context()).SelfPublicURL()), x.SecureRedirectAllowURLs(s.d.Config(r.Context()).SelfServiceBrowserWhitelistedReturnToDomains()), ) if err != nil { @@ -286,7 +286,7 @@ func (s *Strategy) retryVerificationFlowWithMessage(w http.ResponseWriter, r *ht if ft == flow.TypeBrowser { http.Redirect(w, r, f.AppendTo(s.d.Config(r.Context()).SelfServiceFlowVerificationUI()).String(), http.StatusSeeOther) } else { - http.Redirect(w, r, urlx.CopyWithQuery(urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(r), + http.Redirect(w, r, urlx.CopyWithQuery(urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(), verification.RouteGetFlow), url.Values{"id": {f.ID.String()}}).String(), http.StatusSeeOther) } @@ -317,7 +317,7 @@ func (s *Strategy) retryVerificationFlowWithError(w http.ResponseWriter, r *http if ft == flow.TypeBrowser { http.Redirect(w, r, f.AppendTo(s.d.Config(r.Context()).SelfServiceFlowVerificationUI()).String(), http.StatusSeeOther) } else { - http.Redirect(w, r, urlx.CopyWithQuery(urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(r), + http.Redirect(w, r, urlx.CopyWithQuery(urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(), verification.RouteGetFlow), url.Values{"id": {f.ID.String()}}).String(), http.StatusSeeOther) } diff --git a/selfservice/strategy/oidc/strategy.go b/selfservice/strategy/oidc/strategy.go index a39b910215b1..a31cb5cc0a55 100644 --- a/selfservice/strategy/oidc/strategy.go +++ b/selfservice/strategy/oidc/strategy.go @@ -162,7 +162,7 @@ func (s *Strategy) setRoutes(r *x.RouterPublic) { // Redirect POST request to GET rewriting form fields to query params. func (s *Strategy) redirectToGET(w http.ResponseWriter, r *http.Request, _ httprouter.Params) { - publicUrl := s.d.Config(r.Context()).SelfPublicURL(r) + publicUrl := s.d.Config(r.Context()).SelfPublicURL() dest := *r.URL dest.Host = publicUrl.Host dest.Scheme = publicUrl.Scheme @@ -403,7 +403,7 @@ func (s *Strategy) Config(ctx context.Context) (*ConfigurationCollection, error) func (s *Strategy) provider(ctx context.Context, r *http.Request, id string) (Provider, error) { if c, err := s.Config(ctx); err != nil { return nil, err - } else if provider, err := c.Provider(id, s.d.Config(ctx).SelfPublicURL(r)); err != nil { + } else if provider, err := c.Provider(id, s.d.Config(ctx).SelfPublicURL()); err != nil { return nil, err } else { return provider, nil diff --git a/selfservice/strategy/oidc/strategy_settings.go b/selfservice/strategy/oidc/strategy_settings.go index d567a4f8f469..ce7e4387d053 100644 --- a/selfservice/strategy/oidc/strategy_settings.go +++ b/selfservice/strategy/oidc/strategy_settings.go @@ -100,7 +100,7 @@ func (s *Strategy) linkedProviders(ctx context.Context, r *http.Request, conf *C var result []Provider for _, p := range available.Providers { - prov, err := conf.Provider(p.Provider, s.d.Config(ctx).SelfPublicURL(r)) + prov, err := conf.Provider(p.Provider, s.d.Config(ctx).SelfPublicURL()) if err != nil { return nil, err } @@ -130,7 +130,7 @@ func (s *Strategy) linkableProviders(ctx context.Context, r *http.Request, conf } if !found { - prov, err := conf.Provider(p.ID, s.d.Config(ctx).SelfPublicURL(r)) + prov, err := conf.Provider(p.ID, s.d.Config(ctx).SelfPublicURL()) if err != nil { return nil, err } diff --git a/selfservice/strategy/password/registration_test.go b/selfservice/strategy/password/registration_test.go index f6b6392a2cb8..f2844021f39d 100644 --- a/selfservice/strategy/password/registration_test.go +++ b/selfservice/strategy/password/registration_test.go @@ -11,14 +11,13 @@ import ( "testing" "time" - "github.com/ory/kratos/selfservice/flow" - "github.com/ory/kratos/text" - - "github.com/ory/kratos/ui/container" "github.com/ory/kratos/ui/node" + "github.com/ory/kratos/selfservice/flow" + kratos "github.com/ory/kratos-client-go" + "github.com/ory/kratos/ui/container" "github.com/ory/x/ioutilx" "github.com/stretchr/testify/assert" @@ -775,7 +774,7 @@ func TestRegistration(t *testing.T) { f := testhelpers.InitializeRegistrationFlowViaBrowser(t, browserClient, publicTS, false) assertx.EqualAsJSON(t, container.Container{ - Action: conf.SelfPublicURL(nil).String() + registration.RouteSubmitFlow + "?flow=" + f.Id, + Action: conf.SelfPublicURL().String() + registration.RouteSubmitFlow + "?flow=" + f.Id, Method: "POST", Nodes: node.Nodes{ node.NewCSRFNode(x.FakeCSRFToken), diff --git a/selfservice/strategy/totp/generator_test.go b/selfservice/strategy/totp/generator_test.go index 42e6266dc7c5..76591eceb0f2 100644 --- a/selfservice/strategy/totp/generator_test.go +++ b/selfservice/strategy/totp/generator_test.go @@ -18,7 +18,7 @@ func TestGenerator(t *testing.T) { key, err := totp.NewKey(context.Background(), "foo", reg) require.NoError(t, err) - assert.Equal(t, conf.SelfPublicURL(nil).Hostname(), key.Issuer(), "if issuer is not set explicitly it should be the public URL") + assert.Equal(t, conf.SelfPublicURL().Hostname(), key.Issuer(), "if issuer is not set explicitly it should be the public URL") require.NoError(t, conf.Set(config.ViperKeyTOTPIssuer, "foobar.com")) diff --git a/selfservice/strategy/webauthn/login.go b/selfservice/strategy/webauthn/login.go index 73e5384f3cda..b8947813b65f 100644 --- a/selfservice/strategy/webauthn/login.go +++ b/selfservice/strategy/webauthn/login.go @@ -78,7 +78,7 @@ func (s *Strategy) PopulateLoginMethod(r *http.Request, requestedAAL identity.Au } sr.UI.SetCSRF(s.d.GenerateCSRFToken(r)) - sr.UI.Nodes.Upsert(NewWebAuthnScript(urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(r), webAuthnRoute).String(), jsOnLoad)) + sr.UI.Nodes.Upsert(NewWebAuthnScript(urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(), webAuthnRoute).String(), jsOnLoad)) sr.UI.SetNode(NewWebAuthnLoginTrigger(string(injectWebAuthnOptions))) sr.UI.Nodes.Upsert(NewWebAuthnLoginInput()) diff --git a/selfservice/strategy/webauthn/settings.go b/selfservice/strategy/webauthn/settings.go index 9bd13d88808f..e2294001225c 100644 --- a/selfservice/strategy/webauthn/settings.go +++ b/selfservice/strategy/webauthn/settings.go @@ -328,7 +328,7 @@ func (s *Strategy) PopulateSettingsMethod(r *http.Request, id *identity.Identity return errors.WithStack(err) } - f.UI.Nodes.Upsert(NewWebAuthnScript(urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(r), webAuthnRoute).String(), jsOnLoad)) + f.UI.Nodes.Upsert(NewWebAuthnScript(urlx.AppendPaths(s.d.Config(r.Context()).SelfPublicURL(), webAuthnRoute).String(), jsOnLoad)) f.UI.Nodes.Upsert(NewWebAuthnConnectionName()) f.UI.Nodes.Upsert(NewWebAuthnConnectionTrigger(string(injectWebAuthnOptions))) f.UI.Nodes.Upsert(NewWebAuthnConnectionInput()) diff --git a/session/handler.go b/session/handler.go index e678be76cc58..74453e4e12de 100644 --- a/session/handler.go +++ b/session/handler.go @@ -481,7 +481,7 @@ func (h *Handler) IsNotAuthenticated(wrap httprouter.Handle, onAuthenticated htt func RedirectOnAuthenticated(d interface{ config.Provider }) httprouter.Handle { return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) { - returnTo, err := x.SecureRedirectTo(r, d.Config(r.Context()).SelfServiceBrowserDefaultReturnTo(), x.SecureRedirectAllowSelfServiceURLs(d.Config(r.Context()).SelfPublicURL(r))) + returnTo, err := x.SecureRedirectTo(r, d.Config(r.Context()).SelfServiceBrowserDefaultReturnTo(), x.SecureRedirectAllowSelfServiceURLs(d.Config(r.Context()).SelfPublicURL())) if err != nil { http.Redirect(w, r, d.Config(r.Context()).SelfServiceBrowserDefaultReturnTo().String(), http.StatusFound) return diff --git a/session/manager_http.go b/session/manager_http.go index 95751d06a401..f408f24c38a9 100644 --- a/session/manager_http.go +++ b/session/manager_http.go @@ -72,7 +72,7 @@ func (s *ManagerHTTP) IssueCookie(ctx context.Context, w http.ResponseWriter, r cookie.Options.Domain = domain } - if alias := s.r.Config(ctx).SelfPublicURL(r); s.r.Config(ctx).SelfPublicURL(nil).String() != alias.String() { + if alias := s.r.Config(ctx).SelfPublicURL(); s.r.Config(ctx).SelfPublicURL().String() != alias.String() { // If a domain alias is detected use that instead. cookie.Options.Domain = alias.Hostname() cookie.Options.Path = alias.Path @@ -197,7 +197,7 @@ func (s *ManagerHTTP) DoesSessionSatisfy(r *http.Request, sess *Session, request } return NewErrAALNotSatisfied( - urlx.CopyWithQuery(urlx.AppendPaths(s.r.Config(r.Context()).SelfPublicURL(r), "/self-service/login/browser"), url.Values{"aal": {"aal2"}}).String()) + urlx.CopyWithQuery(urlx.AppendPaths(s.r.Config(r.Context()).SelfPublicURL(), "/self-service/login/browser"), url.Values{"aal": {"aal2"}}).String()) } return errors.Errorf("requested unknown aal: %s", requestedAAL) } diff --git a/session/manager_http_test.go b/session/manager_http_test.go index a9bf1f3a3d9a..d7fdb434e697 100644 --- a/session/manager_http_test.go +++ b/session/manager_http_test.go @@ -93,7 +93,6 @@ func TestManagerHTTP(t *testing.T) { s := &session.Session{Identity: new(identity.Identity)} require.NoError(t, conf.Source().Set(config.ViperKeyPublicBaseURL, "https://baseurl.com/base_url")) - require.NoError(t, conf.Source().Set(config.ViperKeyPublicDomainAliases, [...]config.DomainAlias{{MatchDomain: "alias.com", BasePath: "/bar", Scheme: "http"}})) var getCookie = func(t *testing.T, req *http.Request) *http.Cookie { rec := httptest.NewRecorder() @@ -136,15 +135,6 @@ func TestManagerHTTP(t *testing.T) { assert.EqualValues(t, true, actual.HttpOnly) assert.EqualValues(t, true, actual.Secure) }) - - t.Run("case=request from alias domain", func(t *testing.T) { - actual := getCookie(t, httptest.NewRequest("GET", "https://alias.com/bar", nil)) - assert.EqualValues(t, "alias.com", actual.Domain, "Domain is alias.com") - assert.EqualValues(t, "/bar", actual.Path, "Path is the from alias") - assert.EqualValues(t, http.SameSiteNoneMode, actual.SameSite) - assert.EqualValues(t, true, actual.HttpOnly) - assert.EqualValues(t, true, actual.Secure) - }) }) t.Run("suite=SessionAddAuthenticationMethod", func(t *testing.T) { diff --git a/test/schema/fixtures/config.schema.test.failure/root.aliases_invalid_path.yaml b/test/schema/fixtures/config.schema.test.failure/root.aliases_invalid_path.yaml deleted file mode 100644 index 1617ee9a3f56..000000000000 --- a/test/schema/fixtures/config.schema.test.failure/root.aliases_invalid_path.yaml +++ /dev/null @@ -1,15 +0,0 @@ -serve: - public: - base_url: "#/definitions/baseUrl" - domain_aliases: - - match_domain: foobar - base_path: not-slash - scheme: https - -selfservice: - default_browser_return_url: "#/definitions/defaultReturnTo" - -dsn: foo - -identity: - default_schema_url: https://example.com diff --git a/test/schema/fixtures/config.schema.test.failure/root.aliases_invalid_scheme.yaml b/test/schema/fixtures/config.schema.test.failure/root.aliases_invalid_scheme.yaml deleted file mode 100644 index 6d40986226c3..000000000000 --- a/test/schema/fixtures/config.schema.test.failure/root.aliases_invalid_scheme.yaml +++ /dev/null @@ -1,15 +0,0 @@ -serve: - public: - base_url: "#/definitions/baseUrl" - domain_aliases: - - match_domain: foobar - base_path: / - scheme: ftp - -selfservice: - default_browser_return_url: "#/definitions/defaultReturnTo" - -dsn: foo - -identity: - default_schema_url: https://example.com diff --git a/test/schema/fixtures/config.schema.test.failure/root.aliases_invalid_secrets.yaml b/test/schema/fixtures/config.schema.test.failure/root.aliases_invalid_secrets.yaml deleted file mode 100644 index 1c7479da3b1a..000000000000 --- a/test/schema/fixtures/config.schema.test.failure/root.aliases_invalid_secrets.yaml +++ /dev/null @@ -1,22 +0,0 @@ -serve: - public: - base_url: "#/definitions/baseUrl" - domain_aliases: - - match_domain: foobar - base_path: / - scheme: https - -selfservice: - default_browser_return_url: "#/definitions/defaultReturnTo" - -dsn: foo - -identity: - default_schema_url: https://example.com - -secrets: - cipher: - - too-short - -ciphers: - algorithm: aes diff --git a/test/schema/fixtures/config.schema.test.failure/root.aliases_missing_scheme.yaml b/test/schema/fixtures/config.schema.test.failure/root.aliases_missing_scheme.yaml deleted file mode 100644 index 1b6790a6f3f0..000000000000 --- a/test/schema/fixtures/config.schema.test.failure/root.aliases_missing_scheme.yaml +++ /dev/null @@ -1,14 +0,0 @@ -serve: - public: - base_url: "#/definitions/baseUrl" - domain_aliases: - - match_domain: foobar - base_path: / - -selfservice: - default_browser_return_url: "#/definitions/defaultReturnTo" - -dsn: foo - -identity: - default_schema_url: https://example.com diff --git a/test/schema/fixtures/config.schema.test.failure/root.aliases_missing_secrets.yaml b/test/schema/fixtures/config.schema.test.failure/root.aliases_missing_secrets.yaml deleted file mode 100644 index 8b484c64f9eb..000000000000 --- a/test/schema/fixtures/config.schema.test.failure/root.aliases_missing_secrets.yaml +++ /dev/null @@ -1,13 +0,0 @@ -selfservice: - default_browser_return_url: "#/definitions/defaultReturnTo" - -dsn: foo - -identity: - default_schema_url: https://example.com - -secrets: - default: some-secret - -ciphers: - algorithm: xchacha20-poly1305 diff --git a/test/schema/fixtures/config.schema.test.success/root.aliases.yaml b/test/schema/fixtures/config.schema.test.success/root.aliases.yaml deleted file mode 100644 index f43f61e0bbe5..000000000000 --- a/test/schema/fixtures/config.schema.test.success/root.aliases.yaml +++ /dev/null @@ -1,15 +0,0 @@ -serve: - public: - base_url: "#/definitions/baseUrl" - domain_aliases: - - match_domain: foobar - base_path: / - scheme: https - -selfservice: - default_browser_return_url: "#/definitions/defaultReturnTo" - -dsn: foo - -identity: - default_schema_url: https://example.com diff --git a/test/schema/fixtures/config.schema.test.success/root.aliases_http.yaml b/test/schema/fixtures/config.schema.test.success/root.aliases_http.yaml deleted file mode 100644 index 5faf0b23ab2b..000000000000 --- a/test/schema/fixtures/config.schema.test.success/root.aliases_http.yaml +++ /dev/null @@ -1,19 +0,0 @@ -serve: - public: - base_url: "#/definitions/baseUrl" - domain_aliases: - - match_domain: foobar - base_path: / - scheme: http - -selfservice: - default_browser_return_url: "#/definitions/defaultReturnTo" - -dsn: foo - -identity: - default_schema_url: https://example.com - -secrets: - cipher: - - secret-thirty-two-character-long diff --git a/test/schema/fixtures/config.schema.test.success/root.aliases_oasis.yaml b/test/schema/fixtures/config.schema.test.success/root.aliases_oasis.yaml deleted file mode 100644 index 27917fe01a27..000000000000 --- a/test/schema/fixtures/config.schema.test.success/root.aliases_oasis.yaml +++ /dev/null @@ -1,54 +0,0 @@ -identity: - default_schema_url: base64://ewogIiRpZCI6ICJodHRwczovL2V4YW1wbGUuY29tL29yeS5zY2hlbWEuanNvbiIsCiAiJHNjaGVtYSI6ICJodHRwOi8vanNvbi1zY2hlbWEub3JnL2RyYWZ0LTA3L3NjaGVtYSMiLAogImFkZGl0aW9uYWxQcm9wZXJ0aWVzIjogZmFsc2UsCiAicHJvcGVydGllcyI6IHsKICAidHJhaXRzIjogewogICAiYWRkaXRpb25hbFByb3BlcnRpZXMiOiBmYWxzZSwKICAgInByb3BlcnRpZXMiOiB7CiAgICAiY29uc2VudCI6IHsKICAgICAiYWRkaXRpb25hbFByb3BlcnRpZXMiOiBmYWxzZSwKICAgICAicHJvcGVydGllcyI6IHsKICAgICAgIm5ld3NsZXR0ZXIiOiB7CiAgICAgICAidGl0bGUiOiAiTmV3c2xldHRlciBzdWJzY3JpcHRpb24iLAogICAgICAgInR5cGUiOiAiYm9vbGVhbiIKICAgICAgfSwKICAgICAgInRvcyI6IHsKICAgICAgICJkZXNjcmlwdGlvbiI6ICJ5eXl5bW1kZCBvZiB3aGVuIHRoaXMgd2FzIGFjY2VwdGVkIiwKICAgICAgICJmb3JtYXQiOiAiZGF0ZS10aW1lIiwKICAgICAgICJ0aXRsZSI6ICJUZXJtcyBvZiBTZXJ2aWNlIiwKICAgICAgICJ0eXBlIjogInN0cmluZyIKICAgICAgfQogICAgIH0sCiAgICAgInJlcXVpcmVkIjogWwogICAgICAidG9zIgogICAgIF0sCiAgICAgInRpdGxlIjogIkNvbnNlbnQiLAogICAgICJ0eXBlIjogIm9iamVjdCIKICAgIH0sCiAgICAiZW1haWwiOiB7CiAgICAgImZvcm1hdCI6ICJlbWFpbCIsCiAgICAgIm9yeS5zaC9rcmF0b3MiOiB7CiAgICAgICJjcmVkZW50aWFscyI6IHsKICAgICAgICJwYXNzd29yZCI6IHsKICAgICAgICAiaWRlbnRpZmllciI6IHRydWUKICAgICAgIH0KICAgICAgfSwKICAgICAgInJlY292ZXJ5IjogewogICAgICAgInZpYSI6ICJlbWFpbCIKICAgICAgfSwKICAgICAgInZlcmlmaWNhdGlvbiI6IHsKICAgICAgICJ2aWEiOiAiZW1haWwiCiAgICAgIH0KICAgICB9LAogICAgICJ0aXRsZSI6ICJFLU1haWwiLAogICAgICJ0eXBlIjogInN0cmluZyIKICAgIH0sCiAgICAibmFtZSI6IHsKICAgICAibWluTGVuZ3RoIjogMSwKICAgICAidGl0bGUiOiAiTmFtZSIsCiAgICAgInR5cGUiOiAic3RyaW5nIgogICAgfQogICB9LAogICAicmVxdWlyZWQiOiBbCiAgICAiZW1haWwiLAogICAgImNvbnNlbnQiLAogICAgIm5hbWUiCiAgIF0sCiAgICJ0eXBlIjogIm9iamVjdCIKICB9CiB9LAogInRpdGxlIjogIlBlcnNvbiIsCiAidHlwZSI6ICJvYmplY3QiCn0= -secrets: - default: - - 10yn1c7grc46j6zg284vtynebjpcvakj - cipher: - - secret-thirty-two-character-long - -selfservice: - default_browser_return_url: "#/definitions/defaultReturnTo" - flows: - error: - ui_url: http://local.oryapis.localhost:8080/error/kratos - login: - ui_url: http://local.oryapis.localhost:8080/login - recovery: - enabled: true - ui_url: http://local.oryapis.localhost:8080/recovery - registration: - after: "#/definitions/selfServiceAfterRegistration" - settings: - privileged_session_max_age: 15m - ui_url: http://local.oryapis.localhost:8080/settings - verification: - enabled: true - ui_url: http://local.oryapis.localhost:8080/verification - methods: - link: - enabled: true - password: - enabled: true - whitelisted_return_urls: - - http://localhost - - http://localhost:4000 -serve: - public: - base_url: "#/definitions/baseUrl" - domain_aliases: - - base_path: /.ory/kratos/public - match_domain: localhost - scheme: http -session: - cookie: - domain: '' - name: ory_session_ory - path: / - -dsn: foo - -courier: - template_override_path: foo - smtp: - connection_uri: smtps://foo:bar@my-mailserver:1234/ - from_address: no-reply@ory.kratos.sh diff --git a/x/http_secure_redirect.go b/x/http_secure_redirect.go index 30007da53bc8..8be06b07e534 100644 --- a/x/http_secure_redirect.go +++ b/x/http_secure_redirect.go @@ -133,7 +133,7 @@ func SecureContentNegotiationRedirection( append([]SecureRedirectOption{ SecureRedirectUseSourceURL(requestURL), SecureRedirectAllowURLs(c.SelfServiceBrowserWhitelistedReturnToDomains()), - SecureRedirectAllowSelfServiceURLs(c.SelfPublicURL(r)), + SecureRedirectAllowSelfServiceURLs(c.SelfPublicURL()), }, opts...)..., ) if err != nil { diff --git a/x/nosurf.go b/x/nosurf.go index ee020bfe5507..a0d5c0f0271b 100644 --- a/x/nosurf.go +++ b/x/nosurf.go @@ -128,7 +128,7 @@ type CSRFProvider interface { func CSRFCookieName(reg interface { config.Provider }, r *http.Request) string { - return "csrf_token_" + fmt.Sprintf("%x", sha256.Sum256([]byte(reg.Config(r.Context()).SelfPublicURL(r).String()))) + return "csrf_token_" + fmt.Sprintf("%x", sha256.Sum256([]byte(reg.Config(r.Context()).SelfPublicURL().String()))) } func NosurfBaseCookieHandler(reg interface { @@ -158,7 +158,7 @@ func NosurfBaseCookieHandler(reg interface { SameSite: sameSite, } - if alias := reg.Config(r.Context()).SelfPublicURL(r); reg.Config(r.Context()).SelfPublicURL(nil).String() != alias.String() { + if alias := reg.Config(r.Context()).SelfPublicURL(); reg.Config(r.Context()).SelfPublicURL().String() != alias.String() { // If a domain alias is detected use that instead. cookie.Domain = alias.Hostname() cookie.Path = alias.Path diff --git a/x/nosurf_test.go b/x/nosurf_test.go index f3b2b71dec68..409adbc1ed02 100644 --- a/x/nosurf_test.go +++ b/x/nosurf_test.go @@ -57,26 +57,17 @@ func TestNosurfBaseCookieHandlerAliasing(t *testing.T) { conf, reg := internal.NewFastRegistryWithMocks(t) require.NoError(t, conf.Source().Set(config.ViperKeyPublicBaseURL, "http://foo.com/bar")) - require.NoError(t, conf.Source().Set(config.ViperKeyPublicDomainAliases, [...]config.DomainAlias{{MatchDomain: "example.com", BasePath: "/bar", Scheme: "http"}})) cookie := x.NosurfBaseCookieHandler(reg)(httptest.NewRecorder(), httptest.NewRequest("GET", "http://foo.com/bar", nil)) assert.EqualValues(t, "", cookie.Domain, "remains unset") assert.EqualValues(t, "/", cookie.Path, "cookie path is site root by default") - cookie = x.NosurfBaseCookieHandler(reg)(httptest.NewRecorder(), httptest.NewRequest("GET", "http://example.com/bar", nil)) - assert.EqualValues(t, "example.com", cookie.Domain, "alias domain is used when request is from an alias") - assert.EqualValues(t, "/bar", cookie.Path, "cookie path is alias root") - // Check root settings require.NoError(t, conf.Source().Set(config.ViperKeyCookieDomain, "bar.com")) require.NoError(t, conf.Source().Set(config.ViperKeyCookiePath, "/baz")) cookie = x.NosurfBaseCookieHandler(reg)(httptest.NewRecorder(), httptest.NewRequest("GET", "http://foo.com/bar", nil)) assert.EqualValues(t, "bar.com", cookie.Domain, "domain doesn't change when request not from an alias but is overwritten by ViperKeyCookieDomain") assert.EqualValues(t, "/baz", cookie.Path, "cookie path is site root by default but is overwritten by ViperKeyCookiePath") - - cookie = x.NosurfBaseCookieHandler(reg)(httptest.NewRecorder(), httptest.NewRequest("GET", "http://example.com/bar", nil)) - assert.EqualValues(t, "example.com", cookie.Domain, "alias domain is used when request is from an alias and ignores global config") - assert.EqualValues(t, "/bar", cookie.Path, "cookie path is alias root and ignores global config") } func TestNosurfBaseCookieErrorHandler(t *testing.T) { diff --git a/x/redir.go b/x/redir.go index 441ebd061006..6ce6c7585a16 100644 --- a/x/redir.go +++ b/x/redir.go @@ -24,7 +24,7 @@ func RedirectToAdminRoute(reg config.Provider) httprouter.Handle { func RedirectToPublicRoute(reg config.Provider) httprouter.Handle { return func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) { - public := reg.Config(r.Context()).SelfPublicURL(r) + public := reg.Config(r.Context()).SelfPublicURL() dest := *r.URL dest.Host = public.Host