mirror of
https://github.com/steveiliop56/tinyauth.git
synced 2026-06-22 19:30:15 +00:00
chore: remove trusted domains and rely on single app url
This commit is contained in:
Stavros
@@ -40,11 +40,7 @@ export const Layout = () => {
|
||||
setIgnoreDomainWarning(true);
|
||||
}, [setIgnoreDomainWarning]);
|
||||
|
||||
if (
|
||||
!ignoreDomainWarning &&
|
||||
ui.warningsEnabled &&
|
||||
!app.trustedDomains.includes(currentUrl)
|
||||
) {
|
||||
if (!ignoreDomainWarning && ui.warningsEnabled && currentUrl !== app.appUrl) {
|
||||
return (
|
||||
<BaseLayout>
|
||||
<DomainWarning
|
||||
|
||||
@@ -24,7 +24,6 @@ const uiSchema = z.object({
|
||||
const appSchema = z.object({
|
||||
appUrl: z.string(),
|
||||
cookieDomain: z.string(),
|
||||
trustedDomains: z.array(z.string()),
|
||||
});
|
||||
|
||||
export const appContextSchema = z.object({
|
||||
|
||||
@@ -99,7 +99,6 @@ func (app *BootstrapApp) Setup() error {
|
||||
}
|
||||
|
||||
app.runtime.AppURL = appUrl.Scheme + "://" + appUrl.Host
|
||||
app.runtime.TrustedDomains = append(app.runtime.TrustedDomains, app.runtime.AppURL)
|
||||
|
||||
// validate session config
|
||||
if app.config.Auth.SessionMaxLifetime != 0 && app.config.Auth.SessionMaxLifetime < app.config.Auth.SessionExpiry {
|
||||
@@ -286,9 +285,13 @@ func (app *BootstrapApp) Setup() error {
|
||||
|
||||
app.runtime.ConfiguredProviders = configuredProviders
|
||||
|
||||
// throw in tailscale if it's configured just before setting up the controllers
|
||||
// replace the default app url with the tailscale hostname if tailscale is enabled
|
||||
if app.services.tailscaleService != nil {
|
||||
app.runtime.TrustedDomains = append(app.runtime.TrustedDomains, "https://"+app.services.tailscaleService.GetHostname())
|
||||
tailscaleUrl := "https://" + app.services.tailscaleService.GetHostname()
|
||||
if tailscaleUrl != app.runtime.AppURL {
|
||||
app.log.App.Info().Msg("Tailscale is enabled, replacing app url with tailscale hostname")
|
||||
app.runtime.AppURL = tailscaleUrl
|
||||
}
|
||||
}
|
||||
|
||||
// setup router
|
||||
|
||||
@@ -58,9 +58,8 @@ type ACRUI struct {
|
||||
}
|
||||
|
||||
type ACRApp struct {
|
||||
AppURL string `json:"appUrl"`
|
||||
CookieDomain string `json:"cookieDomain"`
|
||||
TrustedDomains []string `json:"trustedDomains"`
|
||||
AppURL string `json:"appUrl"`
|
||||
CookieDomain string `json:"cookieDomain"`
|
||||
}
|
||||
|
||||
type AppContextResponse struct {
|
||||
@@ -160,9 +159,8 @@ func (controller *ContextController) appContextHandler(c *gin.Context) {
|
||||
WarningsEnabled: controller.config.UI.WarningsEnabled,
|
||||
},
|
||||
App: ACRApp{
|
||||
AppURL: controller.runtime.AppURL,
|
||||
CookieDomain: controller.runtime.CookieDomain,
|
||||
TrustedDomains: controller.runtime.TrustedDomains,
|
||||
AppURL: controller.runtime.AppURL,
|
||||
CookieDomain: controller.runtime.CookieDomain,
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
@@ -12,7 +12,6 @@ import (
|
||||
"github.com/tinyauthapp/tinyauth/internal/service"
|
||||
"github.com/tinyauthapp/tinyauth/internal/utils"
|
||||
"github.com/tinyauthapp/tinyauth/internal/utils/logger"
|
||||
"github.com/weppos/publicsuffix-go/publicsuffix"
|
||||
"go.uber.org/dig"
|
||||
|
||||
"github.com/gin-gonic/gin"
|
||||
@@ -314,51 +313,38 @@ func (controller *OAuthController) getCookieDomain() string {
|
||||
func (controller *OAuthController) isRedirectSafe(redirectURI string) bool {
|
||||
u, err := url.Parse(redirectURI)
|
||||
|
||||
if err != nil || u.Host == "" || u.Scheme == "" {
|
||||
if err != nil {
|
||||
controller.log.App.Error().Err(err).Str("redirectUri", redirectURI).Msg("Failed to parse redirect URI")
|
||||
return false
|
||||
}
|
||||
|
||||
for _, allowed := range controller.runtime.TrustedDomains {
|
||||
tu, err := url.Parse(allowed)
|
||||
if err != nil {
|
||||
controller.log.App.Error().Err(err).Str("allowed", allowed).Msg("Failed to parse trusted domain")
|
||||
continue
|
||||
}
|
||||
if u.Scheme == "" || u.Host == "" {
|
||||
controller.log.App.Warn().Str("redirectUri", redirectURI).Msg("Redirect URI has invalid scheme or host")
|
||||
return false
|
||||
}
|
||||
|
||||
if tu.Scheme != u.Scheme {
|
||||
continue
|
||||
}
|
||||
au, err := url.Parse(controller.runtime.AppURL)
|
||||
|
||||
// exact match
|
||||
if strings.EqualFold(u.Host, tu.Host) {
|
||||
return true
|
||||
}
|
||||
if err != nil {
|
||||
controller.log.App.Error().Err(err).Str("appUrl", controller.runtime.AppURL).Msg("Failed to parse app URL")
|
||||
return false
|
||||
}
|
||||
|
||||
// if subdomains are disabled, end here
|
||||
if !controller.config.Auth.SubdomainsEnabled {
|
||||
continue
|
||||
}
|
||||
if u.Scheme != au.Scheme {
|
||||
controller.log.App.Warn().Str("redirectUri", redirectURI).Str("appUrl", controller.runtime.AppURL).Msg("Redirect URI scheme does not match app URL scheme")
|
||||
return false
|
||||
}
|
||||
|
||||
// get the root domain (e.g. tinyauth.example.com -> example.com or
|
||||
// tinyauth.sub.example.com -> sub.example.com)
|
||||
_, root, ok := strings.Cut(tu.Host, ".")
|
||||
if !ok {
|
||||
continue
|
||||
}
|
||||
if u.Host == au.Host {
|
||||
return true
|
||||
}
|
||||
|
||||
root = strings.ToLower(root)
|
||||
if !controller.config.Auth.SubdomainsEnabled {
|
||||
return false
|
||||
}
|
||||
|
||||
// check if the root domain is in the psl
|
||||
_, err = publicsuffix.DomainFromListWithOptions(publicsuffix.DefaultList, root, nil)
|
||||
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
|
||||
// subdomain match
|
||||
if strings.HasSuffix(strings.ToLower(u.Host), "."+root) {
|
||||
return true
|
||||
}
|
||||
if strings.HasSuffix(u.Host, "."+au.Host) {
|
||||
return true
|
||||
}
|
||||
|
||||
return false
|
||||
|
||||
@@ -12,7 +12,6 @@ type RuntimeConfig struct {
|
||||
OAuthProviders map[string]OAuthServiceConfig
|
||||
OAuthWhitelist []string
|
||||
ConfiguredProviders []Provider
|
||||
TrustedDomains []string
|
||||
}
|
||||
|
||||
type Provider struct {
|
||||
|
||||
Reference in New Issue
Block a user