chore: remove trusted domains and rely on single app url

frontend/src/components/layout/layout.tsx

@@ -40,11 +40,7 @@ export const Layout = () => {
     setIgnoreDomainWarning(true);
   }, [setIgnoreDomainWarning]);
 
-  if (
+  if (!ignoreDomainWarning && ui.warningsEnabled && currentUrl !== app.appUrl) {
-    !ignoreDomainWarning &&
-    ui.warningsEnabled &&
-    !app.trustedDomains.includes(currentUrl)
-  ) {
     return (
       <BaseLayout>
         <DomainWarning

frontend/src/schemas/app-context-schema.ts

@@ -24,7 +24,6 @@ const uiSchema = z.object({
 const appSchema = z.object({
   appUrl: z.string(),
   cookieDomain: z.string(),
-  trustedDomains: z.array(z.string()),
 });
 
 export const appContextSchema = z.object({

internal/bootstrap/app_bootstrap.go

@@ -99,7 +99,6 @@ func (app *BootstrapApp) Setup() error {
 	}
 
 	app.runtime.AppURL = appUrl.Scheme + "://" + appUrl.Host
-	app.runtime.TrustedDomains = append(app.runtime.TrustedDomains, app.runtime.AppURL)
 
 	// validate session config
 	if app.config.Auth.SessionMaxLifetime != 0 && app.config.Auth.SessionMaxLifetime < app.config.Auth.SessionExpiry {
@@ -286,9 +285,13 @@ func (app *BootstrapApp) Setup() error {
 
 	app.runtime.ConfiguredProviders = configuredProviders
 
-	// throw in tailscale if it's configured just before setting up the controllers
+	// replace the default app url with the tailscale hostname if tailscale is enabled
 	if app.services.tailscaleService != nil {
-		app.runtime.TrustedDomains = append(app.runtime.TrustedDomains, "https://"+app.services.tailscaleService.GetHostname())
+		tailscaleUrl := "https://" + app.services.tailscaleService.GetHostname()
+		if tailscaleUrl != app.runtime.AppURL {
+			app.log.App.Info().Msg("Tailscale is enabled, replacing app url with tailscale hostname")
+			app.runtime.AppURL = tailscaleUrl
+		}
 	}
 
 	// setup router

internal/controller/context_controller.go

@@ -58,9 +58,8 @@ type ACRUI struct {
 }
 
 type ACRApp struct {
-	AppURL         string   `json:"appUrl"`
+	AppURL       string `json:"appUrl"`
-	CookieDomain   string   `json:"cookieDomain"`
+	CookieDomain string `json:"cookieDomain"`
-	TrustedDomains []string `json:"trustedDomains"`
 }
 
 type AppContextResponse struct {
@@ -160,9 +159,8 @@ func (controller *ContextController) appContextHandler(c *gin.Context) {
 			WarningsEnabled:       controller.config.UI.WarningsEnabled,
 		},
 		App: ACRApp{
-			AppURL:         controller.runtime.AppURL,
+			AppURL:       controller.runtime.AppURL,
-			CookieDomain:   controller.runtime.CookieDomain,
+			CookieDomain: controller.runtime.CookieDomain,
-			TrustedDomains: controller.runtime.TrustedDomains,
 		},
 	})
 }

internal/controller/oauth_controller.go

@@ -12,7 +12,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
-	"github.com/weppos/publicsuffix-go/publicsuffix"
 	"go.uber.org/dig"
 
 	"github.com/gin-gonic/gin"
@@ -314,51 +313,38 @@ func (controller *OAuthController) getCookieDomain() string {
 func (controller *OAuthController) isRedirectSafe(redirectURI string) bool {
 	u, err := url.Parse(redirectURI)
 
-	if err != nil || u.Host == "" || u.Scheme == "" {
+	if err != nil {
+		controller.log.App.Error().Err(err).Str("redirectUri", redirectURI).Msg("Failed to parse redirect URI")
 		return false
 	}
 
-	for _, allowed := range controller.runtime.TrustedDomains {
+	if u.Scheme == "" || u.Host == "" {
-		tu, err := url.Parse(allowed)
+		controller.log.App.Warn().Str("redirectUri", redirectURI).Msg("Redirect URI has invalid scheme or host")
-		if err != nil {
+		return false
-			controller.log.App.Error().Err(err).Str("allowed", allowed).Msg("Failed to parse trusted domain")
+	}
-			continue
-		}
 
-		if tu.Scheme != u.Scheme {
+	au, err := url.Parse(controller.runtime.AppURL)
-			continue
-		}
 
-		// exact match
+	if err != nil {
-		if strings.EqualFold(u.Host, tu.Host) {
+		controller.log.App.Error().Err(err).Str("appUrl", controller.runtime.AppURL).Msg("Failed to parse app URL")
-			return true
+		return false
-		}
+	}
 
-		// if subdomains are disabled, end here
+	if u.Scheme != au.Scheme {
-		if !controller.config.Auth.SubdomainsEnabled {
+		controller.log.App.Warn().Str("redirectUri", redirectURI).Str("appUrl", controller.runtime.AppURL).Msg("Redirect URI scheme does not match app URL scheme")
-			continue
+		return false
-		}
+	}
 
-		// get the root domain (e.g. tinyauth.example.com -> example.com or
+	if u.Host == au.Host {
-		// tinyauth.sub.example.com -> sub.example.com)
+		return true
-		_, root, ok := strings.Cut(tu.Host, ".")
+	}
-		if !ok {
-			continue
-		}
 
-		root = strings.ToLower(root)
+	if !controller.config.Auth.SubdomainsEnabled {
+		return false
+	}
 
-		// check if the root domain is in the psl
+	if strings.HasSuffix(u.Host, "."+au.Host) {
-		_, err = publicsuffix.DomainFromListWithOptions(publicsuffix.DefaultList, root, nil)
+		return true
-
-		if err != nil {
-			continue
-		}
-
-		// subdomain match
-		if strings.HasSuffix(strings.ToLower(u.Host), "."+root) {
-			return true
-		}
 	}
 
 	return false

internal/model/runtime.go

@@ -12,7 +12,6 @@ type RuntimeConfig struct {
 	OAuthProviders         map[string]OAuthServiceConfig
 	OAuthWhitelist         []string
 	ConfiguredProviders    []Provider
-	TrustedDomains         []string
 }
 
 type Provider struct {