diff --git a/internal/bootstrap/service_bootstrap.go b/internal/bootstrap/service_bootstrap.go
index 7bd4a620..a6d518e6 100644
--- a/internal/bootstrap/service_bootstrap.go
+++ b/internal/bootstrap/service_bootstrap.go
@@ -80,6 +80,7 @@ func (app *BootstrapApp) initServices(queries *repository.Queries) (Services, er
 SessionCookieName: app.context.sessionCookieName,
 IP: app.config.Auth.IP,
 LDAPGroupsCacheTTL: app.config.Ldap.GroupCacheTTL,
+ SubdomainsEnabled: app.config.Auth.SubdomainsEnabled,
 }, dockerService, services.ldapService, queries, services.oauthBrokerService)
 err = authService.Init()
diff --git a/internal/controller/oauth_controller.go b/internal/controller/oauth_controller.go
index aa116134..f36e269d 100644
--- a/internal/controller/oauth_controller.go
+++ b/internal/controller/oauth_controller.go
@@ -27,6 +27,7 @@ type OAuthControllerConfig struct {
 SecureCookie bool
 AppURL string
 CookieDomain string
+ SubdomainsEnabled bool
 }
 type OAuthController struct {
@@ -106,7 +107,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 return
 }
- c.SetCookie(controller.config.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
+ c.SetCookie(controller.config.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", controller.getCookieDomain(), controller.config.SecureCookie, true)
 c.JSON(200, gin.H{
 "status": 200,
@@ -136,7 +137,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 return
 }
- c.SetCookie(controller.config.OAuthSessionCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
+ c.SetCookie(controller.config.OAuthSessionCookieName, "", -1, "/", controller.getCookieDomain(), controller.config.SecureCookie, true)
 oauthPendingSession, err := controller.auth.GetOAuthPendingSession(sessionIdCookie)
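Review bot: This bootstrap hunk wires app.config.Auth.SubdomainsEnabled into AuthServiceConfig only, while the same commit adds a SubdomainsEnabled field to OAuthControllerConfig without any visible hunk populating it. Unless the controller config is filled in a part of initServices or another file outside this diff, OAuthController.getCookieDomain will read the zero value false and the OAuth pending-session cookie will carry a different Domain scope than the session cookie AuthService issues for the same deployment. Wherever OAuthControllerConfig is constructed, the same line belongs there: `SubdomainsEnabled: app.config.Auth.SubdomainsEnabled,`. initServices continues outside the hunk, so the controller construction may simply be out of view.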
@@ -282,3 +283,10 @@ func (controller *OAuthController) isOidcRequest(params service.OAuthURLParams)
 params.ClientID != "" &&
 params.RedirectURI != ""
 }
+
+func (controller *OAuthController) getCookieDomain() string {
+ if controller.config.SubdomainsEnabled {
+ return "." + controller.config.CookieDomain
+ }
+ return controller.config.CookieDomain
+}
diff --git a/internal/service/auth_service.go b/internal/service/auth_service.go
index 807d39c5..46758572 100644
--- a/internal/service/auth_service.go
+++ b/internal/service/auth_service.go
@@ -78,6 +78,7 @@ type AuthServiceConfig struct {
 SessionCookieName string
 IP config.IPConfig
 LDAPGroupsCacheTTL int
+ SubdomainsEnabled bool
 }
 type AuthService struct {
@@ -327,7 +328,7 @@ func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *repository.Se
 return err
 }
- c.SetCookie(auth.config.SessionCookieName, session.UUID, expiry, "/", fmt.Sprintf(".%s", auth.config.CookieDomain), auth.config.SecureCookie, true)
+ c.SetCookie(auth.config.SessionCookieName, session.UUID, expiry, "/", auth.getCookieDomain(), auth.config.SecureCookie, true)
 return nil
 }
@@ -378,7 +379,7 @@ func (auth *AuthService) RefreshSessionCookie(c *gin.Context) error {
 return err
 }
- c.SetCookie(auth.config.SessionCookieName, cookie, int(newExpiry-currentTime), "/", fmt.Sprintf(".%s", auth.config.CookieDomain), auth.config.SecureCookie, true)
+ c.SetCookie(auth.config.SessionCookieName, cookie, int(newExpiry-currentTime), "/", auth.getCookieDomain(), auth.config.SecureCookie, true)
 tlog.App.Trace().Str("username", session.Username).Msg("Session cookie refreshed")
 return nil
@@ -397,7 +398,7 @@ func (auth *AuthService) DeleteSessionCookie(c *gin.Context) error {
 return err
 }
- c.SetCookie(auth.config.SessionCookieName, "", -1, "/", fmt.Sprintf(".%s", auth.config.CookieDomain), auth.config.SecureCookie, true)
+ c.SetCookie(auth.config.SessionCookieName, "", -1, "/", auth.getCookieDomain(), auth.config.SecureCookie, true)
 return nil
 }
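Review bot: The non-subdomain branch of the new OAuthController.getCookieDomain (and its identical twin AuthService.getCookieDomain in the last hunk) still passes CookieDomain as the Domain attribute, so the cookie stays a domain cookie that browsers send to every subdomain; RFC 6265 ignores a leading dot, and Go's net/http (which gin's SetCookie delegates to) strips the dot before writing Set-Cookie, so both branches emit the same header and SubdomainsEnabled has no effect on the wire. If SubdomainsEnabled=false is meant to confine the session and OAuth cookies to the serving host, which is what limits exposure of the session cookie to other hosts under the same parent domain, that branch has to omit the attribute entirely: `return ""` so that net/http writes a host-only cookie. The helper is duplicated verbatim in two types; a single shared function such as `func cookieDomain(domain string, subdomains bool) string` in a package both can import would keep the two cookies' scoping from drifting apart. This assumes the project's gin version forwards the domain string unchanged to http.SetCookie, which current releases do.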
@@ -834,3 +835,10 @@ func (auth *AuthService) ClearRateLimitsTestingOnly() {
 }
 auth.loginMutex.Unlock()
 }
+
+func (auth *AuthService) getCookieDomain() string {
+ if auth.config.SubdomainsEnabled {
+ return "." + auth.config.CookieDomain
+ }
+ return auth.config.CookieDomain
+}