Surface ZTA payload

Closes #2320.
2025-11-08 05:04:46 +08:00 · 2024-03-28 08:53:38 +01:00 · 2024-03-28 08:53:38 +01:00 · 6027a0bd70
commit 6027a0bd70
parent 65632603a3
9 changed files with 27 additions and 9 deletions
--- a/lib/livebook/users/user.ex
+++ b/lib/livebook/users/user.ex
@ -25,6 +25,7 @@ defmodule Livebook.Users.User do
  embedded_schema do
    field :name, :string
    field :email, :string
+    field :payload, :map
    field :hex_color, Livebook.EctoTypes.HexColor
  end

--- a/lib/livebook/zta/cloudflare.ex
+++ b/lib/livebook/zta/cloudflare.ex
@ -49,7 +49,7 @@ defmodule Livebook.ZTA.Cloudflare do
         {:ok, token} <- verify_token(encoded_token, keys),
         :ok <- verify_iss(token, identity.iss),
         {:ok, user} <- get_user_identity(encoded_token, identity.user_identity) do
-      for({k, v} <- user, new_k = @fields[k], do: {new_k, v}, into: %{})
+      for({k, v} <- user, new_k = @fields[k], do: {new_k, v}, into: %{payload: token.fields})
    else
      _ -> nil
    end
--- a/lib/livebook/zta/google_iap.ex
+++ b/lib/livebook/zta/google_iap.ex
@ -48,7 +48,12 @@ defmodule Livebook.ZTA.GoogleIAP do
    with [encoded_token] <- token,
         {:ok, token} <- verify_token(encoded_token, keys),
         :ok <- verify_iss(token, identity.iss, identity.key) do
-      for({k, v} <- token.fields, new_k = @fields[k], do: {new_k, v}, into: %{})
+      for(
+        {k, v} <- token.fields,
+        new_k = @fields[k],
+        do: {new_k, v},
+        into: %{payload: token.fields}
+      )
    else
      _ -> nil
    end
--- a/lib/livebook/zta/teleport.ex
+++ b/lib/livebook/zta/teleport.ex
@ -51,7 +51,12 @@ defmodule Livebook.ZTA.Teleport do
         {:ok, %{fields: %{"exp" => exp, "nbf" => nbf}} = token} <-
           verify_token(encoded_token, jwks),
         :ok <- verify_timestamps(exp, nbf) do
-      for({k, v} <- token.fields, new_k = @fields[k], do: {new_k, v}, into: %{})
+      for(
+        {k, v} <- token.fields,
+        new_k = @fields[k],
+        do: {new_k, v},
+        into: %{payload: token.fields}
+      )
    else
      _ ->
        nil
--- a/lib/livebook_web/plugs/user_plug.ex
+++ b/lib/livebook_web/plugs/user_plug.ex
@ -52,7 +52,7 @@ defmodule LivebookWeb.UserPlug do
      conn
    else
      identity_data = get_session(conn, :identity_data)
-      user_data = User.new() |> user_data() |> Map.merge(identity_data)
+      user_data = User.new() |> client_user_data() |> Map.merge(identity_data)
      encoded = user_data |> Jason.encode!() |> Base.encode64()

      # We disable HttpOnly, so that it can be accessed on the client
@ -62,10 +62,11 @@ defmodule LivebookWeb.UserPlug do
    end
  end

-  defp user_data(user) do
+  defp client_user_data(user) do
    user
    |> Map.from_struct()
    |> Map.delete(:id)
+    |> Map.delete(:payload)
  end

  # Copies user_data from cookie to session, so that it's
--- a/test/livebook/zta/cloudflare_test.exs
+++ b/test/livebook/zta/cloudflare_test.exs
@ -62,7 +62,8 @@ defmodule Livebook.ZTA.CloudflareTest do
    start_supervised!({Cloudflare, context.options})
    {_conn, user} = Cloudflare.authenticate(@name, context.conn, fields: @fields)

-    assert %{id: "1234567890", email: "tuka@peralta.com", name: "Tuka Peralta"} = user
+    assert %{id: "1234567890", email: "tuka@peralta.com", name: "Tuka Peralta", payload: %{}} =
+             user
  end

  test "returns nil when the user_identity fails", context do
--- a/test/livebook/zta/google_iap_test.exs
+++ b/test/livebook/zta/google_iap_test.exs
@ -46,7 +46,7 @@ defmodule Livebook.ZTA.GoogleIAPTest do
  test "returns the user when it's valid", %{options: options, conn: conn} do
    start_supervised!({GoogleIAP, options})
    {_conn, user} = GoogleIAP.authenticate(@name, conn, fields: @fields)
-    assert %{id: "1234567890", email: "tuka@peralta.com"} = user
+    assert %{id: "1234567890", email: "tuka@peralta.com", payload: %{}} = user
  end

  test "returns nil when the iss is invalid", %{options: options, conn: conn} do
--- a/test/livebook/zta/teleport_test.exs
+++ b/test/livebook/zta/teleport_test.exs
@ -46,7 +46,7 @@ defmodule Livebook.ZTA.TeleportTest do
  test "returns the user when it's valid", %{options: options, conn: conn} do
    start_supervised!({Teleport, options})
    {_conn, user} = Teleport.authenticate(@name, conn, fields: @fields)
-    assert %{id: "my-user-id", username: "myusername"} = user
+    assert %{id: "my-user-id", username: "myusername", payload: %{}} = user
  end

  test "returns nil when the exp is in the past", %{options: options, conn: conn} do
--- a/test/livebook_web/plugs/user_plug_test.exs
+++ b/test/livebook_web/plugs/user_plug_test.exs
@ -33,7 +33,12 @@ defmodule LivebookWeb.UserPlugTest do
      |> fetch_cookies()
      |> call()

-    assert conn.cookies["lb:user_data"] != nil
+    assert %{
+             "email" => nil,
+             "hex_color" => <<_::binary>>,
+             "id" => <<_::binary>>,
+             "name" => nil
+           } = conn.cookies["lb:user_data"] |> Base.decode64!() |> Jason.decode!()
  end

  test "keeps user_data cookie if present" do