ydb-platform
diff --git a/‎ydb/mvp/oidc_proxy/context.cpp‎
Lines changed: 91 additions & 0 deletions b/‎ydb/mvp/oidc_proxy/context.cpp‎
Lines changed: 91 additions & 0 deletions
diff --git a/‎ydb/mvp/oidc_proxy/context.h‎
Lines changed: 41 additions & 0 deletions b/‎ydb/mvp/oidc_proxy/context.h‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎ydb/mvp/oidc_proxy/oidc_protected_page.cpp‎
Lines changed: 0 additions & 1 deletion b/‎ydb/mvp/oidc_proxy/oidc_protected_page.cpp‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎ydb/mvp/oidc_proxy/oidc_protected_page.h‎
Lines changed: 1 addition & 1 deletion b/‎ydb/mvp/oidc_proxy/oidc_protected_page.h‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp‎
Lines changed: 3 additions & 1 deletion b/‎ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎ydb/mvp/oidc_proxy/oidc_protected_page_yandex.cpp‎
Lines changed: 3 additions & 1 deletion b/‎ydb/mvp/oidc_proxy/oidc_protected_page_yandex.cpp‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎ydb/mvp/oidc_proxy/oidc_proxy_ut.cpp‎
Lines changed: 14 additions & 11 deletions b/‎ydb/mvp/oidc_proxy/oidc_proxy_ut.cpp‎
Lines changed: 14 additions & 11 deletions
@@ -0,0 +1,91 @@
+#include <util/generic/string.h>
+#include <util/random/random.h>
+#include <util/string/builder.h>
+#include <library/cpp/string_utils/base64/base64.h>
+#include <ydb/library/actors/http/http.h>
+#include "openid_connect.h"
+#include "context.h"
+
+namespace NMVP {
+namespace NOIDC {
+
+TContext::TContext(const TString& state, const TString& requestedAddress, bool isAjaxRequest)
+    : State(state)
+    , IsAjaxRequest(isAjaxRequest)
+    , RequestedAddress(requestedAddress)
+{}
+
+TContext::TContext(const NHttp::THttpIncomingRequestPtr& request)
+    : State(GenerateState())
+    , IsAjaxRequest(DetectAjaxRequest(request))
+    , RequestedAddress(GetRequestedUrl(request, IsAjaxRequest))
+{}
+
+TString TContext::GetState() const {
+    return State;
+}
+
+bool TContext::GetIsAjaxRequest() const {
+    return IsAjaxRequest;
+}
+
+TString TContext::GetRequestedAddress() const {
+    return RequestedAddress;
+}
+
+TString TContext::CreateYdbOidcCookie(const TString& secret) const {
+    static constexpr size_t COOKIE_MAX_AGE_SEC = 420;
+    return TStringBuilder() << CreateNameYdbOidcCookie(secret, State) << "="
+                            << GenerateCookie(secret) << ";"
+                            " Path=" << GetAuthCallbackUrl() << ";"
+                            " Max-Age=" << COOKIE_MAX_AGE_SEC << ";"
+                            " SameSite=None; Secure";
+}
+
+TString TContext::GenerateCookie(const TString& secret) const {
+    const TDuration StateLifeTime = TDuration::Minutes(10);
+    TInstant expirationTime = TInstant::Now() + StateLifeTime;
+    TStringBuilder stateStruct;
+    stateStruct << "{\"state\":\"" << State
+                << "\",\"requested_address\":\"" << RequestedAddress
+                << "\",\"expiration_time\":" << ToString(expirationTime.TimeT())
+                << ",\"ajax_request\":" << (IsAjaxRequest ? "true" : "false") << "}";
+    TString digest = HmacSHA256(secret, stateStruct);
+    TString cookieStruct {"{\"state_struct\":\"" + Base64Encode(stateStruct) + "\",\"digest\":\"" + Base64Encode(digest) + "\"}"};
+    return Base64Encode(cookieStruct);
+}
+
+TString TContext::GenerateState() {
+    TStringBuilder sb;
+    static constexpr size_t CHAR_NUMBER = 15;
+    for (size_t i{0}; i < CHAR_NUMBER; i++) {
+        sb << RandomNumber<char>();
+    }
+    return Base64EncodeUrlNoPadding(sb);
+}
+
+bool TContext::DetectAjaxRequest(const NHttp::THttpIncomingRequestPtr& request) {
+    static const THashMap<TStringBuf, TStringBuf> expectedHeaders {
+        {"Accept", "application/json"}
+    };
+    NHttp::THeaders headers(request->Headers);
+    for (const auto& el : expectedHeaders) {
+        TStringBuf headerValue = headers.Get(el.first);
+        if (!headerValue || headerValue.find(el.second) == TStringBuf::npos) {
+            return false;
+        }
+    }
+    return true;
+}
+
+TStringBuf TContext::GetRequestedUrl(const NHttp::THttpIncomingRequestPtr& request, bool isAjaxRequest) {
+    NHttp::THeaders headers(request->Headers);
+    TStringBuf requestedUrl = headers.Get("Referer");
+    if (!isAjaxRequest || requestedUrl.empty()) {
+        return request->URL;
+    }
+    return requestedUrl;
+}
+
+} // NOIDC
+} // NMVP
@@ -0,0 +1,41 @@
+#pragma once
+
+#include <util/generic/string.h>
+#include <util/generic/ptr.h>
+
+namespace NHttp {
+
+class THttpIncomingRequest;
+using THttpIncomingRequestPtr = TIntrusivePtr<THttpIncomingRequest>;
+
+}
+
+namespace NMVP {
+namespace NOIDC {
+
+class TContext {
+private:
+    TString State;
+    bool IsAjaxRequest = false;
+    TString RequestedAddress;
+
+public:
+    TContext(const TString& state = "", const TString& requestedAddress = "", bool isAjaxRequest = false);
+    TContext(const NHttp::THttpIncomingRequestPtr& request);
+
+    TString GetState() const;
+    bool GetIsAjaxRequest() const;
+    TString GetRequestedAddress() const;
+
+    TString CreateYdbOidcCookie(const TString& secret) const;
+
+private:
+    static TString GenerateState();
+    static bool DetectAjaxRequest(const NHttp::THttpIncomingRequestPtr& request);
+    static TStringBuf GetRequestedUrl(const NHttp::THttpIncomingRequestPtr& request, bool isAjaxRequest);
+
+    TString GenerateCookie(const TString& secret) const;
+};
+
+} // NOIDC
+} // NMVP
@@ -26,7 +26,6 @@ void THandlerSessionServiceCheck::Bootstrap(const NActors::TActorContext& ctx) {
         return;
     }
     NHttp::THeaders headers(Request->Headers);
-    IsAjaxRequest = DetectAjaxRequest(headers);
     TStringBuf authHeader = headers.Get(AUTH_HEADER_NAME);
     if (Request->Method == "OPTIONS" || IsAuthorizedRequest(authHeader)) {
         ForwardUserRequest(TString(authHeader), ctx);
 
@@ -21,7 +21,7 @@ class THandlerSessionServiceCheck : public NActors::TActorBootstrapped<THandlerS
     const TOpenIdConnectSettings Settings;
     TString ProtectedPageUrl;
     TString RequestedPageScheme;
-    bool IsAjaxRequest = false;
+    // bool IsAjaxRequest = false;
 
     const static inline TStringBuf IAM_TOKEN_SCHEME = "Bearer ";
     const static inline TStringBuf IAM_TOKEN_SCHEME_LOWER = "bearer ";
 
@@ -5,6 +5,7 @@
 #include <ydb/mvp/core/mvp_tokens.h>
 #include <ydb/mvp/core/mvp_log.h>
 #include "openid_connect.h"
+#include "context.h"
 #include "oidc_protected_page_nebius.h"
 
 namespace NMVP {
@@ -99,7 +100,8 @@ void THandlerSessionServiceCheckNebius::ExchangeSessionToken(const TString sessi
 
 void THandlerSessionServiceCheckNebius::RequestAuthorizationCode(const NActors::TActorContext& ctx) {
     LOG_DEBUG_S(ctx, EService::MVP, "Request authorization code");
-    NHttp::THttpOutgoingResponsePtr httpResponse = GetHttpOutgoingResponsePtr(Request, Settings, IsAjaxRequest);
+    TContext context(Request);
+    NHttp::THttpOutgoingResponsePtr httpResponse = GetHttpOutgoingResponsePtr(Request, Settings, context);
     ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
     Die(ctx);
 }
 
@@ -2,6 +2,7 @@
 #include <ydb/mvp/core/mvp_tokens.h>
 #include <ydb/mvp/core/appdata.h>
 #include <ydb/mvp/core/mvp_log.h>
+#include "context.h"
 #include "oidc_protected_page_yandex.h"
 
 namespace NMVP {
@@ -31,7 +32,8 @@ void THandlerSessionServiceCheckYandex::Handle(TEvPrivate::TEvErrorResponse::TPt
     LOG_DEBUG_S(ctx, EService::MVP, "SessionService.Check(): " << event->Get()->Status);
     NHttp::THttpOutgoingResponsePtr httpResponse;
     if (event->Get()->Status == "400") {
-        httpResponse = GetHttpOutgoingResponsePtr(Request, Settings, IsAjaxRequest);
+        TContext context(Request);
+        httpResponse = GetHttpOutgoingResponsePtr(Request, Settings, context);
     } else {
         httpResponse = Request->CreateResponse( event->Get()->Status, event->Get()->Message, "text/plain", event->Get()->Details);
     }
 
@@ -10,6 +10,7 @@
 #include "oidc_session_create_handler.h"
 #include "oidc_settings.h"
 #include "openid_connect.h"
+#include "context.h"
 
 using namespace NMVP::NOIDC;
 
@@ -657,7 +658,8 @@ Y_UNIT_TEST_SUITE(Mvp) {
         TStringBuilder request;
         request << "GET /auth/callback?code=code_template&state=" << state << " HTTP/1.1\r\n";
         request << "Host: " + hostProxy + "\r\n";
-        request << "Cookie: " << CreateNameYdbOidcCookie(settings.ClientSecret, wrongState) << "=" << GenerateCookie(wrongState, "/requested/page", settings.ClientSecret, redirectStrategy.IsAjaxRequest()) << "\r\n";
+        TContext context(wrongState, "/requested/page", redirectStrategy.IsAjaxRequest());
+        request << "Cookie: " << context.CreateYdbOidcCookie(settings.ClientSecret) << "\r\n";
         NHttp::THttpIncomingRequestPtr incomingRequest = new NHttp::THttpIncomingRequest();
         EatWholeString(incomingRequest, redirectStrategy.CreateRequest(request));
         incomingRequest->Endpoint->Secure = true;
@@ -711,8 +713,8 @@ Y_UNIT_TEST_SUITE(Mvp) {
         TStringBuilder request;
         request << "GET /auth/callback?code=code_template&state=" << state << " HTTP/1.1\r\n";
         request << "Host: oidcproxy.net\r\n";
-        const TString oidcCookie = CreateNameYdbOidcCookie(settings.ClientSecret, state);
-        request << "Cookie: " << oidcCookie << "=" << GenerateCookie(state, "/requested/page", settings.ClientSecret, false) << "\r\n\r\n";
+        TContext context(state, "/requested/page", false);
+        request << "Cookie: " << context.CreateYdbOidcCookie(settings.ClientSecret) << "\r\n\r\n";
         NHttp::THttpIncomingRequestPtr incomingRequest = new NHttp::THttpIncomingRequest();
         EatWholeString(incomingRequest, request);
         runtime.Send(new IEventHandle(sessionCreator, edge, new NHttp::TEvHttpProxy::TEvHttpIncomingRequest(incomingRequest)));
@@ -761,7 +763,8 @@ Y_UNIT_TEST_SUITE(Mvp) {
         TStringBuilder request;
         request << "GET /auth/callback?code=code_template&state=" << state << " HTTP/1.1\r\n";
         request << "Host: oidcproxy.net\r\n";
-        request << "Cookie: " << CreateNameYdbOidcCookie(settings.ClientSecret, state) << "=" << GenerateCookie(state, "/requested/page", settings.ClientSecret, redirectStrategy.IsAjaxRequest()) << "\r\n";
+        TContext context(state, "/requested/page", redirectStrategy.IsAjaxRequest());
+        request << "Cookie: " << context.CreateYdbOidcCookie(settings.ClientSecret) << "\r\n";
         NHttp::THttpIncomingRequestPtr incomingRequest = new NHttp::THttpIncomingRequest();
         EatWholeString(incomingRequest, redirectStrategy.CreateRequest(request));
         incomingRequest->Endpoint->Secure = true;
@@ -834,8 +837,8 @@ Y_UNIT_TEST_SUITE(Mvp) {
         TStringBuilder request;
         request << "GET /callback?code=code_template&state=" << state << " HTTP/1.1\r\n";
         request << "Host: oidcproxy.net\r\n";
-        const TString oidcCookie = CreateNameYdbOidcCookie(settings.ClientSecret, state);
-        request << "Cookie: " << oidcCookie << "=" << GenerateCookie(state, "/requested/page", settings.ClientSecret, false) << "\r\n\r\n";
+        TContext context(state, "/requested/page", false);
+        request << "Cookie: " << context.CreateYdbOidcCookie(settings.ClientSecret) << "\r\n\r\n";
         NHttp::THttpIncomingRequestPtr incomingRequest = new NHttp::THttpIncomingRequest();
         EatWholeString(incomingRequest, request);
         runtime.Send(new IEventHandle(sessionCreator, edge, new NHttp::TEvHttpProxy::TEvHttpIncomingRequest(incomingRequest)));
@@ -879,14 +882,14 @@ Y_UNIT_TEST_SUITE(Mvp) {
         std::unique_ptr<grpc::Server> sessionServer(builder.BuildAndStart());
 
         const NActors::TActorId sessionCreator = runtime.Register(new TSessionCreateHandler(edge, settings));
-        TStringBuf firstRequestState = "first_request_state";
-        TStringBuf secondRequestState = "second_request_state";
-        TString firstCookie {CreateNameYdbOidcCookie(settings.ClientSecret, firstRequestState) + "=" + GenerateCookie(firstRequestState, "/requested/page", settings.ClientSecret, redirectStrategy.IsAjaxRequest())};
-        TString secondCookie {CreateNameYdbOidcCookie(settings.ClientSecret, secondRequestState) + "=" + GenerateCookie(secondRequestState, "/requested/page", settings.ClientSecret, redirectStrategy.IsAjaxRequest())};
+        TString firstRequestState = "first_request_state";
+        TString secondRequestState = "second_request_state";
+        TContext context1(firstRequestState, "/requested/page", redirectStrategy.IsAjaxRequest());
+        TContext context2(secondRequestState, "/requested/page", redirectStrategy.IsAjaxRequest());
         TStringBuilder request;
         request << "GET /auth/callback?code=code_template&state=" << firstRequestState << " HTTP/1.1\r\n";
         request << "Host: oidcproxy.net\r\n";
-        request << "Cookie: " << firstCookie << "; " << secondCookie << "\r\n";
+        request << "Cookie: " << context1.CreateYdbOidcCookie(settings.ClientSecret) << "; " << context2.CreateYdbOidcCookie(settings.ClientSecret) << "\r\n";
         NHttp::THttpIncomingRequestPtr incomingRequest = new NHttp::THttpIncomingRequest();
         EatWholeString(incomingRequest, redirectStrategy.CreateRequest(request));
         incomingRequest->Endpoint->Secure = true;
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,6 @@ void THandlerSessionServiceCheck::Bootstrap(const NActors::TActorContext& ctx) {`
`26`	`26`	`return;`
`27`	`27`	`}`
`28`	`28`	`NHttp::THeaders headers(Request->Headers);`
`29`		`- IsAjaxRequest = DetectAjaxRequest(headers);`
`30`	`29`	`TStringBuf authHeader = headers.Get(AUTH_HEADER_NAME);`
`31`	`30`	`if (Request->Method == "OPTIONS" \|\| IsAuthorizedRequest(authHeader)) {`
`32`	`31`	`ForwardUserRequest(TString(authHeader), ctx);`