From 4607cb958e45e1176a2e910d6ea808edee72a0a0 Mon Sep 17 00:00:00 2001
From: jwijenbergh
Date: Wed, 25 Sep 2024 15:32:47 +0200
Subject: [PATCH] HTTP + OAuth API: Enforce TLS >= 1.3

---
 internal/api/api.go | 7 ++++++-
 internal/http/http.go | 13 ++++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/internal/api/api.go b/internal/api/api.go
index fe258624..97946813 100644
--- a/internal/api/api.go
+++ b/internal/api/api.go
@@ -64,6 +64,11 @@ type API struct {
 func NewAPI(ctx context.Context, clientID string, sd ServerData, cb Callbacks, tokens *eduoauth.Token) (*API, error) {
 cr := customRedirect(clientID)
 // Construct OAuth
+
+ transp := sd.Transport
+ if transp == nil {
+ transp = httpw.TLS13Transport()
+ }
 o := eduoauth.OAuth{
 ClientID: clientID,
 EndpointFunc: func(ctx context.Context) (*eduoauth.EndpointResponse, error) {
@@ -81,7 +86,7 @@ func NewAPI(ctx context.Context, clientID string, sd ServerData, cb Callbacks, t
 TokensUpdated: func(tok eduoauth.Token) {
 cb.TokensUpdated(sd.ID, sd.Type, tok)
 },
- Transport: sd.Transport,
+ Transport: transp,
 UserAgent: httpw.UserAgent,
 }
 
diff --git a/internal/http/http.go b/internal/http/http.go
index 196998ba..615fe302 100644
--- a/internal/http/http.go
+++ b/internal/http/http.go
@@ -3,6 +3,7 @@ package http
 import (
 "context"
+ "crypto/tls"
 "errors"
 "fmt"
 "io"
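Review bot: The TLS 1.3 floor introduced by the new `transp := sd.Transport` fallback is applied only when the caller leaves sd.Transport nil; a caller-supplied transport is forwarded unchanged by the `Transport: transp,` line in the second hunk, so the enforcement named in the commit subject holds only for callers that do not set the field. If sd.Transport is an interface type such as http.RoundTripper, a typed-nil `*http.Transport` stored in it would not compare equal to nil here and would be used as-is — worth confirming against the ServerData definition, which is outside this hunk. Either document the contract on the field, e.g. `// Transport, when non-nil, is used as-is; the caller is responsible for the TLS >= 1.3 minimum that TLS13Transport applies by default`, or normalize a supplied *http.Transport in NewAPI before the OAuth struct is built. NewAPI's body continues outside both hunks.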
@@ -146,12 +147,22 @@ type Client struct {
 Timeout time.Duration
 }
 
+// TLS13Transport returns a http.Transport with the minimum TLS version set to 1.3
+func TLS13Transport() *http.Transport {
+ return &http.Transport{
+ TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS13},
+ }
+}
+
 // NewClient returns a HTTP client with some default settings
 func NewClient(client *http.Client) *Client {
 c := client
 if c == nil {
- c = &http.Client{}
+ c = &http.Client{
+ Transport: TLS13Transport(),
+ }
 }
+
 // ReadLimit denotes the maximum amount of bytes that are read in HTTP responses
 // This is used to prevent servers from sending huge amounts of data
 // A limit of 16MB, although maybe much larger than needed, ensures that we do not run into problems
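Review bot: `TLS13Transport` builds a zero-value http.Transport with only TLSClientConfig set, so the NewClient default loses everything http.DefaultTransport provides: Proxy set to ProxyFromEnvironment, the dialer timeouts, TLSHandshakeTimeout (10s), IdleConnTimeout and ForceAttemptHTTP2. With TLSHandshakeTimeout left at 0 a stalled handshake is bounded only if the http.Client's own Timeout is set, and the `c = &http.Client{` literal in this hunk does not set one. Cloning the default transport keeps those settings while still applying the floor: `t := http.DefaultTransport.(*http.Transport).Clone()`, `t.TLSClientConfig = &tls.Config{MinVersion: tls.VersionTLS13}`, `return t`. As in api.go, a non-nil client passed to NewClient keeps whatever transport it already has, so the 1.3 minimum is a default rather than an enforced policy, and the doc comment on TLS13Transport and NewClient could say so explicitly. NewClient's body continues past the end of the hunk.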