
refactor: block admin tenant from using creating jwt-customizer API

This commit is contained in:
Darcy Ye 2024-03-20 19:11:25 +08:00
parent ddd93dc977
commit 8513dae8af
No known key found for this signature in database
GPG key ID: B46F4C07EDEFC610
2 changed files with 38 additions and 42 deletions


@ -218,16 +218,6 @@ export default function initOidc(
const isTokenClientCredentials = token instanceof ctx.oidc.provider.ClientCredentials;
/**
* Cloud connection should not go through this custom JWT logic.
*/
if (isTokenClientCredentials) {
const { appId } = await cloudConnection.getCloudConnectionData();
if (token.clientId === appId) {
return;
}
}
const { script, envVars } =
(await trySafe(
logtoConfigs.getJwtCustomizer(


@ -18,6 +18,7 @@ import {
LogtoJwtTokenPath,
jsonObjectGuard,
} from '@logto/schemas';
import { adminTenantId } from '@logto/schemas';
import { z } from 'zod';
import { EnvSet } from '#src/env-set/index.js';
@ -77,7 +78,10 @@ const getRedactedOidcKeyResponse = async (
);
export default function logtoConfigRoutes<T extends AuthedRouter>(
...[router, { queries, logtoConfigs, invalidateCache, cloudConnection }]: RouterInitArgs<T>
...[
router,
{ id: tenantId, queries, logtoConfigs, invalidateCache, cloudConnection },
]: RouterInitArgs<T>
) {
const {
getAdminConsoleConfig,
@ -207,42 +211,44 @@ export default function logtoConfigRoutes<T extends AuthedRouter>(
}
);
router.put(
'/configs/jwt-customizer/:tokenTypePath',
koaGuard({
params: z.object({
tokenTypePath: z.nativeEnum(LogtoJwtTokenPath),
if (tenantId !== adminTenantId) {
router.put(
'/configs/jwt-customizer/:tokenTypePath',
koaGuard({
params: z.object({
tokenTypePath: z.nativeEnum(LogtoJwtTokenPath),
}),
/**
* Use `z.unknown()` to guard the request body as a JSON object, since the actual guard depends
* on the `tokenTypePath` and we can not get the value of `tokenTypePath` before parsing the request body,
* we will do more specific guard as long as we can get the value of `tokenTypePath`.
*
* Should specify `body` in koaGuard, otherwise the request body is not accessible even via `ctx.request.body`.
*/
body: z.unknown(),
response: accessTokenJwtCustomizerGuard.or(clientCredentialsJwtCustomizerGuard),
status: [200, 201, 400],
}),
/**
* Use `z.unknown()` to guard the request body as a JSON object, since the actual guard depends
* on the `tokenTypePath` and we can not get the value of `tokenTypePath` before parsing the request body,
* we will do more specific guard as long as we can get the value of `tokenTypePath`.
*
* Should specify `body` in koaGuard, otherwise the request body is not accessible even via `ctx.request.body`.
*/
body: z.unknown(),
response: accessTokenJwtCustomizerGuard.or(clientCredentialsJwtCustomizerGuard),
status: [200, 201, 400],
}),
async (ctx, next) => {
const {
params: { tokenTypePath },
body: rawBody,
} = ctx.guard;
const { key, body } = getJwtTokenKeyAndBody(tokenTypePath, rawBody);
async (ctx, next) => {
const {
params: { tokenTypePath },
body: rawBody,
} = ctx.guard;
const { key, body } = getJwtTokenKeyAndBody(tokenTypePath, rawBody);
const { rows } = await getRowsByKeys([key]);
const { rows } = await getRowsByKeys([key]);
const jwtCustomizer = await upsertJwtCustomizer(key, body);
const jwtCustomizer = await upsertJwtCustomizer(key, body);
if (rows.length === 0) {
ctx.status = 201;
if (rows.length === 0) {
ctx.status = 201;
}
ctx.body = jwtCustomizer.value;
return next();
}
ctx.body = jwtCustomizer.value;
return next();
}
);
);
}
router.get(
'/configs/jwt-customizer/:tokenTypePath',
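Review bot: The `if (tenantId !== adminTenantId)` guard that now wraps the PUT route only prevents the admin tenant from writing a new customizer; it does nothing about a `jwt-customizer` row the admin tenant may already hold, and since the other file in this commit drops the cloud-connection bypass in `initOidc`, any such pre-existing row would presumably now execute for client-credentials tokens — a one-off cleanup or a defensive `tenantId === adminTenantId` early return in the runtime path would close that gap (hedged: the storage layer is not in this diff). A smaller point in the first hunk: `import { adminTenantId } from '@logto/schemas';` duplicates the `@logto/schemas` import directly above it; fold it into that specifier list as `LogtoJwtTokenPath, adminTenantId, jsonObjectGuard,`. Note that leaving the route unregistered yields a 404 rather than an explicit 403 for the admin tenant, which is fine if that is intended but worth a one-line comment above the `if`, e.g. `// The admin tenant must never customize JWTs; do not expose the PUT route at all.` The enclosing `logtoConfigRoutes` function continues past the end of this hunk.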