fix: fix domain check in acl service

This commit is contained in:
Stavros
2026-07-13 22:01:49 +03:00
parent b62bb2d37a
commit 25a41bf62b
2 changed files with 53 additions and 8 deletions
+4 -1
View File
@@ -350,7 +350,10 @@ func (controller *OAuthController) isRedirectSafe(redirectURI string) bool {
return false return false
} }
if strings.EqualFold(u.Hostname(), au.Hostname()) { nu := strings.TrimSuffix(u.Hostname(), ".")
nau := strings.TrimSuffix(au.Hostname(), ".")
if strings.EqualFold(nu, nau) {
return true return true
} }
+49 -7
View File
@@ -1,6 +1,8 @@
package service package service
import ( import (
"fmt"
"net/url"
"strings" "strings"
"github.com/tinyauthapp/tinyauth/internal/model" "github.com/tinyauthapp/tinyauth/internal/model"
@@ -35,27 +37,35 @@ func NewAccessControlsService(i AccessControlServiceInput) *AccessControlsServic
} }
} }
func (service *AccessControlsService) lookupStaticACLs(domain string) *model.App { func (service *AccessControlsService) lookupStaticACLs(domain string) (*model.App, error) {
var nameMatch *model.App var nameMatch *model.App
// First try to find a matching app by domain, then fallback to matching by app name (subdomain) // First try to find a matching app by domain, then fallback to matching by app name (subdomain)
for app, config := range service.config.Apps { for app, config := range service.config.Apps {
if config.Config.Domain == domain { match, err := service.checkDomain(domain, config.Config.Domain)
service.log.App.Debug().Str("name", app).Msg("Found matching container by domain") if err != nil {
return &config return nil, err
} }
if strings.SplitN(domain, ".", 2)[0] == app { if match {
service.log.App.Debug().Str("name", app).Msg("Found matching container by domain")
return &config, nil
}
if strings.HasPrefix(domain, app+".") {
service.log.App.Debug().Str("name", app).Msg("Found matching container by app name") service.log.App.Debug().Str("name", app).Msg("Found matching container by app name")
nameMatch = &config nameMatch = &config
} }
} }
return nameMatch return nameMatch, nil
} }
func (service *AccessControlsService) GetAccessControls(domain string) (*model.App, error) { func (service *AccessControlsService) GetAccessControls(domain string) (*model.App, error) {
// First check in the static config // First check in the static config
app := service.lookupStaticACLs(domain) app, err := service.lookupStaticACLs(domain)
if err != nil {
return nil, err
}
if app != nil { if app != nil {
service.log.App.Debug().Msg("Using static ACLs for app") service.log.App.Debug().Msg("Using static ACLs for app")
@@ -70,3 +80,35 @@ func (service *AccessControlsService) GetAccessControls(domain string) (*model.A
// no labels // no labels
return nil, nil return nil, nil
} }
func (service *AccessControlsService) checkDomain(check, target string) (bool, error) {
// Domains don't have a scheme, so we use a mock one
cu, err := url.Parse("tinyauth://" + check)
if err != nil {
return false, fmt.Errorf("failed to parse check domain: %w", err)
}
if cu.Host == "" {
return false, fmt.Errorf("check domain is empty")
}
tu, err := url.Parse("tinyauth://" + target)
if err != nil {
return false, fmt.Errorf("failed to parse target domain: %w", err)
}
if tu.Host == "" {
return false, fmt.Errorf("target domain is empty")
}
// non-dns check url
ndcu := strings.TrimSuffix(cu.Hostname(), ".")
// non-dns target url
ndtu := strings.TrimSuffix(tu.Hostname(), ".")
// Strip out the port
return strings.EqualFold(ndcu, ndtu), nil
}