[public-api-server] Forward Origin header where provided

geropl · geropl · commit f70eeed78e58 · 2023-02-15T06:34:20.000Z
diff --git a/components/gitpod-protocol/go/gitpod-service.go b/components/gitpod-protocol/go/gitpod-service.go
@@ -262,7 +262,7 @@ type ConnectToServerOpts struct {
 	Context             context.Context
 	Token               string
 	Cookie              string
-	NoOrigin            bool
+	Origin              string
 	Log                 *logrus.Entry
 	ReconnectionHandler func()
 	CloseHandler        func(error)
@@ -281,16 +281,7 @@ func ConnectToServer(endpoint string, opts ConnectToServerOpts) (*APIoverJSONRPC
 	}
 
 	reqHeader := http.Header{}
-	if !opts.NoOrigin {
-		var protocol string
-		if epURL.Scheme == "wss:" {
-			protocol = "https"
-		} else {
-			protocol = "http"
-		}
-		origin := fmt.Sprintf("%s://%s/", protocol, epURL.Hostname())
-		reqHeader.Set("Origin", origin)
-	}
+	reqHeader.Set("Origin", opts.Origin)
 
 	for k, v := range opts.ExtraHeaders {
 		reqHeader.Set(k, v)
diff --git a/components/public-api-server/pkg/auth/context.go b/components/public-api-server/pkg/auth/context.go
@@ -25,6 +25,8 @@ const (
 type Token struct {
 	Type  TokenType
 	Value string
+	// Only relevant for CookieTokenType
+	OriginHeader string
 }
 
 func NewAccessToken(token string) Token {
@@ -34,10 +36,11 @@ func NewAccessToken(token string) Token {
 	}
 }
 
-func NewCookieToken(cookie string) Token {
+func NewCookieToken(cookie string, origin string) Token {
 	return Token{
-		Type:  CookieTokenType,
-		Value: cookie,
+		Type:         CookieTokenType,
+		Value:        cookie,
+		OriginHeader: origin,
 	}
 }
 
diff --git a/components/public-api-server/pkg/auth/context_test.go b/components/public-api-server/pkg/auth/context_test.go
@@ -20,7 +20,7 @@ func TestTokenToAndFromContext_AccessToken(t *testing.T) {
 }
 
 func TestTokenToAndFromContext_CookieToken(t *testing.T) {
-	token := NewCookieToken("my_token")
+	token := NewCookieToken("my_token", "gitpod.io")
 
 	extracted, err := TokenFromContext(TokenToContext(context.Background(), token))
 	require.NoError(t, err)
diff --git a/components/public-api-server/pkg/auth/middleware.go b/components/public-api-server/pkg/auth/middleware.go
@@ -66,8 +66,9 @@ func tokenFromRequest(ctx context.Context, req connect.AnyRequest) (Token, error
 	}
 
 	cookie := req.Header().Get("Cookie")
+	origin := req.Header().Get("Origin")
 	if cookie != "" {
-		return NewCookieToken(cookie), nil
+		return NewCookieToken(cookie, origin), nil
 	}
 
 	return Token{}, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("No access token or cookie credentials available on request."))
@@ -82,8 +83,9 @@ func tokenFromConn(ctx context.Context, conn connect.StreamingHandlerConn) (Toke
 	}
 
 	cookie := conn.RequestHeader().Get("Cookie")
+	origin := conn.RequestHeader().Get("Origin")
 	if cookie != "" {
-		return NewCookieToken(cookie), nil
+		return NewCookieToken(cookie, origin), nil
 	}
 
 	return Token{}, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("No access token or cookie credentials available on request."))
diff --git a/components/public-api-server/pkg/proxy/conn.go b/components/public-api-server/pkg/proxy/conn.go
@@ -48,6 +48,7 @@ func (p *NoConnectionPool) Get(ctx context.Context, token auth.Token) (gitpod.AP
 		opts.Token = token.Value
 	case auth.CookieTokenType:
 		opts.Cookie = token.Value
+		opts.Origin = token.OriginHeader
 	default:
 		return nil, errors.New("unknown token type")
 	}
@@ -85,9 +86,8 @@ func NewConnectionPool(address *url.URL, poolSize int) (*ConnectionPool, error)
 		connConstructor: func(token auth.Token) (gitpod.APIInterface, error) {
 			opts := gitpod.ConnectToServerOpts{
 				// We're using Background context as we want the connection to persist beyond the lifecycle of a single request
-				Context:  context.Background(),
-				Log:      log.Log,
-				NoOrigin: true,
+				Context: context.Background(),
+				Log:     log.Log,
 				CloseHandler: func(_ error) {
 					cache.Remove(token)
 					connectionPoolSize.Dec()
@@ -99,6 +99,7 @@ func NewConnectionPool(address *url.URL, poolSize int) (*ConnectionPool, error)
 				opts.Token = token.Value
 			case auth.CookieTokenType:
 				opts.Cookie = token.Value
+				opts.Origin = token.OriginHeader
 			default:
 				return nil, errors.New("unknown token type")
 			}
diff --git a/components/public-api-server/pkg/proxy/conn_test.go b/components/public-api-server/pkg/proxy/conn_test.go
@@ -57,7 +57,7 @@ func TestEndpointBasedOnToken(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, "wss://server:3000/v1", endpointForAccessToken)
 
-	endpointForCookie, err := getEndpointBasedOnToken(auth.NewCookieToken("foo"), u)
+	endpointForCookie, err := getEndpointBasedOnToken(auth.NewCookieToken("foo", "server"), u)
 	require.NoError(t, err)
 	require.Equal(t, "wss://server:3000/gitpod", endpointForCookie)
 }

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,8 @@ const (`
`25`	`25`	`type Token struct {`
`26`	`26`	`Type TokenType`
`27`	`27`	`Value string`
	`28`	`+ // Only relevant for CookieTokenType`
	`29`	`+ OriginHeader string`
`28`	`30`	`}`
`29`	`31`
`30`	`32`	`func NewAccessToken(token string) Token {`
`@@ -34,10 +36,11 @@ func NewAccessToken(token string) Token {`
`34`	`36`	`}`
`35`	`37`	`}`
`36`	`38`
`37`		`-func NewCookieToken(cookie string) Token {`
	`39`	`+func NewCookieToken(cookie string, origin string) Token {`
`38`	`40`	`return Token{`
`39`		`- Type: CookieTokenType,`
`40`		`- Value: cookie,`
	`41`	`+ Type: CookieTokenType,`
	`42`	`+ Value: cookie,`
	`43`	`+ OriginHeader: origin,`
`41`	`44`	`}`
`42`	`45`	`}`
`43`	`46`
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ func TestTokenToAndFromContext_AccessToken(t *testing.T) {`
`20`	`20`	`}`
`21`	`21`
`22`	`22`	`func TestTokenToAndFromContext_CookieToken(t *testing.T) {`
`23`		`- token := NewCookieToken("my_token")`
	`23`	`+ token := NewCookieToken("my_token", "gitpod.io")`
`24`	`24`
`25`	`25`	`extracted, err := TokenFromContext(TokenToContext(context.Background(), token))`
`26`	`26`	`require.NoError(t, err)`
Original file line number	Diff line number	Diff line change
`@@ -66,8 +66,9 @@ func tokenFromRequest(ctx context.Context, req connect.AnyRequest) (Token, error`
`66`	`66`	`}`
`67`	`67`
`68`	`68`	`cookie := req.Header().Get("Cookie")`
	`69`	`+ origin := req.Header().Get("Origin")`
`69`	`70`	`if cookie != "" {`
`70`		`- return NewCookieToken(cookie), nil`
	`71`	`+ return NewCookieToken(cookie, origin), nil`
`71`	`72`	`}`
`72`	`73`
`73`	`74`	`return Token{}, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("No access token or cookie credentials available on request."))`
`@@ -82,8 +83,9 @@ func tokenFromConn(ctx context.Context, conn connect.StreamingHandlerConn) (Toke`
`82`	`83`	`}`
`83`	`84`
`84`	`85`	`cookie := conn.RequestHeader().Get("Cookie")`
	`86`	`+ origin := conn.RequestHeader().Get("Origin")`
`85`	`87`	`if cookie != "" {`
`86`		`- return NewCookieToken(cookie), nil`
	`88`	`+ return NewCookieToken(cookie, origin), nil`
`87`	`89`	`}`
`88`	`90`
`89`	`91`	`return Token{}, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("No access token or cookie credentials available on request."))`
Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ func TestEndpointBasedOnToken(t *testing.T) {`
`57`	`57`	`require.NoError(t, err)`
`58`	`58`	`require.Equal(t, "wss://server:3000/v1", endpointForAccessToken)`
`59`	`59`
`60`		`- endpointForCookie, err := getEndpointBasedOnToken(auth.NewCookieToken("foo"), u)`
	`60`	`+ endpointForCookie, err := getEndpointBasedOnToken(auth.NewCookieToken("foo", "server"), u)`
`61`	`61`	`require.NoError(t, err)`
`62`	`62`	`require.Equal(t, "wss://server:3000/gitpod", endpointForCookie)`
`63`	`63`	`}`