feat: add option to run tinyauth on a top-level domain (#710)

* Add TINYAUTH_AUTH_SUBDOMAINSENABLED option

Setting it to false allows to use Tinyauth on top-level domain only,
but forbids automatic cross-app authentication using Traefik/Nginx.

* fix: inform services and controllers if subdomain cookie domain is enabled

* chore: rabbit feedback

* fix: deny ip addresses for standalone domain

---------

Co-authored-by: Stavros <steveiliop56@gmail.com>

internal/bootstrap/app_bootstrap.go

@@ -104,7 +104,13 @@ func (app *BootstrapApp) Setup() error {
 	}
 
 	// Get cookie domain
-	cookieDomain, err := utils.GetCookieDomain(app.context.appUrl)
+	cookieDomainResolver := utils.GetCookieDomain
+	if !app.config.Auth.SubdomainsEnabled {
+		tlog.App.Info().Msg("Subdomains disabled, automatic authentication for proxied apps will not work")
+		cookieDomainResolver = utils.GetStandaloneCookieDomain
+	}
+
+	cookieDomain, err := cookieDomainResolver(app.context.appUrl)
 
 	if err != nil {
 		return err

internal/bootstrap/router_bootstrap.go

@@ -84,6 +84,7 @@ func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
 		RedirectCookieName:     app.context.redirectCookieName,
 		CookieDomain:           app.context.cookieDomain,
 		OAuthSessionCookieName: app.context.oauthSessionCookieName,
+		SubdomainsEnabled:      app.config.Auth.SubdomainsEnabled,
 	}, apiRouter, app.services.authService)
 
 	oauthController.SetupRoutes()

internal/bootstrap/service_bootstrap.go

@@ -100,6 +100,7 @@ func (app *BootstrapApp) initServices(queries *repository.Queries) (Services, er
 		SessionCookieName:  app.context.sessionCookieName,
 		IP:                 app.config.Auth.IP,
 		LDAPGroupsCacheTTL: app.config.LDAP.GroupCacheTTL,
+		SubdomainsEnabled:  app.config.Auth.SubdomainsEnabled,
 	}, services.ldapService, queries, services.oauthBrokerService)
 
 	err = authService.Init()