refactor: remove concurrent listeners and rework cookie logic (#950)

frontend/src/components/layout/layout.tsx

@@ -3,6 +3,7 @@ import { Outlet } from "react-router";
 import { useCallback, useEffect, useState } from "react";
 import { DomainWarning } from "../domain-warning/domain-warning";
 import { QuickActions } from "../quick-actions/quick-actions";
+import { isTrustedDomain } from "@/lib/hooks/redirect-uri";
 
 const BaseLayout = ({ children }: { children: React.ReactNode }) => {
   const { ui } = useAppContext();
@@ -40,11 +41,18 @@ export const Layout = () => {
     setIgnoreDomainWarning(true);
   }, [setIgnoreDomainWarning]);
 
-  if (
-    !ignoreDomainWarning &&
-    ui.warningsEnabled &&
-    !app.trustedDomains.includes(currentUrl)
-  ) {
+  const isTrusted = (() => {
+    try {
+      const appUrlObj = new URL(app.appUrl);
+      const currentUrlObj = new URL(currentUrl);
+
+      return isTrustedDomain(currentUrlObj, appUrlObj, "", false);
+    } catch {
+      return false;
+    }
+  })();
+
+  if (!ignoreDomainWarning && ui.warningsEnabled && !isTrusted) {
     return (
       <BaseLayout>
         <DomainWarning

frontend/src/lib/hooks/redirect-uri.ts

@@ -9,12 +9,27 @@ type IuseRedirectUri = {
 export const useRedirectUri = (
   redirect_uri: string | undefined,
   cookieDomain: string,
+  appUrl: string,
+  subdomainsEnabled: boolean,
 ): IuseRedirectUri => {
   let isValid = false;
   let isTrusted = false;
   let isAllowedProto = false;
   let isHttpsDowngrade = false;
 
+  let appUrlObj: URL;
+
+  try {
+    appUrlObj = new URL(appUrl);
+  } catch {
+    return {
+      valid: isValid,
+      trusted: isTrusted,
+      allowedProto: isAllowedProto,
+      httpsDowngrade: isHttpsDowngrade,
+    };
+  }
+
   if (!redirect_uri) {
     return {
       valid: isValid,
@@ -39,10 +54,7 @@ export const useRedirectUri = (
 
   isValid = true;
 
-  if (
-    url.hostname == cookieDomain ||
-    url.hostname.endsWith(`.${cookieDomain}`)
-  ) {
+  if (isTrustedDomain(url, appUrlObj, cookieDomain, subdomainsEnabled)) {
     isTrusted = true;
   }
 
@@ -62,3 +74,45 @@ export const useRedirectUri = (
     httpsDowngrade: isHttpsDowngrade,
   };
 };
+
+// ported from internal/controller/oauth_controller.go
+const getEffectivePort = (url: URL): string => {
+  if (url.port) {
+    return url.port;
+  }
+
+  if (url.protocol == "https:") {
+    return "443";
+  }
+
+  return "80";
+};
+
+export const isTrustedDomain = (
+  url: URL,
+  appUrl: URL,
+  cookieDomain: string,
+  subdomainsEnabled: boolean,
+): boolean => {
+  if (url.protocol != appUrl.protocol) {
+    return false;
+  }
+
+  if (getEffectivePort(url) != getEffectivePort(appUrl)) {
+    return false;
+  }
+
+  if (url.hostname == appUrl.hostname) {
+    return true;
+  }
+
+  if (!subdomainsEnabled) {
+    return false;
+  }
+
+  if (url.hostname.endsWith("." + cookieDomain.toLowerCase())) {
+    return true;
+  }
+
+  return false;
+};

frontend/src/pages/continue-page.tsx

@@ -37,6 +37,8 @@ export const ContinuePage = () => {
   const { url, valid, trusted, allowedProto, httpsDowngrade } = useRedirectUri(
     redirectUri,
     app.cookieDomain,
+    app.appUrl,
+    app.subdomainsEnabled,
   );
 
   const urlHref = url?.href;
@@ -108,7 +110,11 @@ export const ContinuePage = () => {
               components={{
                 code: <code />,
               }}
-              values={{ cookieDomain: app.cookieDomain }}
+              values={{
+                cookieDomain: app.subdomainsEnabled
+                  ? `.${app.cookieDomain}`
+                  : app.cookieDomain,
+              }}
               shouldUnescape={true}
             />
           </CardDescription>

frontend/src/schemas/app-context-schema.ts

@@ -24,7 +24,7 @@ const uiSchema = z.object({
 const appSchema = z.object({
   appUrl: z.string(),
   cookieDomain: z.string(),
-  trustedDomains: z.array(z.string()),
+  subdomainsEnabled: z.boolean(),
 });
 
 export const appContextSchema = z.object({