feat(auth): allow setting external secure (#389)
This change adds the possibility to set an external secure flag to the
Authenticator. This allows creating logout URLs with `https` protocol
when the service is behind a reverse proxy.

Closes #285 

### Definition of Ready

- [x] I am happy with the code
- [x] Short description of the feature/issue is added in the pr
description
- [x] PR is linked to the corresponding user story
- [x] Acceptance criteria are met
- [x] All open todos and follow ups are defined in a new ticket and
justified
- [x] Deviations from the acceptance criteria and design are agreed with
the PO and documented.
- [x] No debug or dead code
- [x] My code has no repetitions
- [ ] Critical parts are tested automatically
- [ ] Where possible E2E tests are implemented
- [x] Documentation/examples are up-to-date
- [x] All non-functional requirements are met
- [ ] Functionality of the acceptance criteria is checked manually on
the dev system.
livio-a authored Oct 9, 2024
2 parents bfb0be0 + 53cb67a commit 324d8db
Showing 1 changed file with 9 additions and 1 deletion.
10 changes: 9 additions & 1 deletion pkg/authentication/authenticate.go
Expand Up @@ -27,6 +27,7 @@ type Authenticator[T Ctx] struct {
sessions Sessions[T]
encryptionKey string
sessionCookieName string
externalSecure bool
}

// Option allows customization of the [Authenticator] such as logging and more.
Expand Down Expand Up @@ -55,6 +56,13 @@ func WithSessionCookieName[T Ctx](cookieName string) Option[T] {
}
}

// WithExternalSecure allows using https redirects when the service is behind a reverse proxy.
func WithExternalSecure[T Ctx](externalSecure bool) Option[T] {
return func(a *Authenticator[T]) {
a.externalSecure = externalSecure
}
}

func New[T Ctx](ctx context.Context, zitadel *zitadel.Zitadel, encryptionKey string, initAuthentication HandlerInitializer[T], options ...Option[T]) (*Authenticator[T], error) {
authN, err := initAuthentication(ctx, zitadel)
if err != nil {
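Review bot: the doc comment on `WithExternalSecure` does not say what the flag changes. In the lines visible in this commit, its only effect is in `Logout`, where it forces the `https` scheme on the post-logout URL even when `req.TLS` is nil. The comment should say so, and should say that the option is meant for deployments where TLS is terminated at the proxy, since enabling it on a service that is reached over plain HTTP yields https redirects that cannot be followed. A name closer to that scope would also keep readers from assuming it changes anything beyond the logout redirect.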
Expand Down Expand Up @@ -143,7 +151,7 @@ func (a *Authenticator[T]) Logout(w http.ResponseWriter, req *http.Request) {
a.deleteSessionCookie(w)

proto := "http"
if req.TLS != nil {
if req.TLS != nil || a.externalSecure {
proto = "https"
}
postLogout := fmt.Sprintf("%s://%s/", proto, req.Host)
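Review bot: in `Logout`, the scheme of `postLogout` is now fixed by configuration, but the host still comes from the request in `fmt.Sprintf("%s://%s/", proto, req.Host)`. Behind a reverse proxy that value is whatever Host header reaches the service, so the redirect target is correct only if the proxy passes the external host through unchanged. Consider accepting a configured external base URL instead of a boolean, or document the requirement on the proxy next to the option. The new `|| a.externalSecure` branch also arrives without a test (the commit touches one file); a handler test with `req.TLS == nil` and the option set, asserting an https post-logout URL, would cover it.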