feat: add option to run tinyauth on a top-level domain (#710)

* Add TINYAUTH_AUTH_SUBDOMAINSENABLED option Setting it to false allows to use Tinyauth on top-level domain only, but forbids automatic cross-app authentication using Traefik/Nginx. * fix: inform services and controllers if subdomain cookie domain is enabled * chore: rabbit feedback * fix: deny ip addresses for standalone domain --------- Co-authored-by: Stavros <steveiliop56@gmail.com>
2026-05-08 05:18:11 +00:00 · 2026-05-07 15:12:24 +02:00
parent 1382ab41e7
commit ca6a7fa551
8 changed files with 103 additions and 5 deletions
@@ -84,6 +84,7 @@ type AuthServiceConfig struct {
 	SessionCookieName  string
 	IP                 model.IPConfig
 	LDAPGroupsCacheTTL int
+	SubdomainsEnabled  bool
 }

 type AuthService struct {
@@ -397,6 +398,12 @@ func (auth *AuthService) DeleteSession(ctx context.Context, uuid string) (*http.
 		tlog.App.Warn().Err(err).Msg("Failed to delete session from database, proceeding to clear cookie anyway")
 	}

+	err = auth.queries.DeleteSession(ctx, uuid)
+
+	if err != nil {
+		return nil, err
+	}
+
 	return &http.Cookie{
 		Name:     auth.config.SessionCookieName,
 		Value:    "",
@@ -838,3 +845,10 @@ func (auth *AuthService) ClearRateLimitsTestingOnly() {
 	}
 	auth.loginMutex.Unlock()
 }
+
+func (auth *AuthService) getCookieDomain() string {
+	if auth.config.SubdomainsEnabled {
+		return "." + auth.config.CookieDomain
+	}
+	return auth.config.CookieDomain
+}