From d90e3d652d410788f67c906967743e28a649a59a Mon Sep 17 00:00:00 2001
From: Jacek Kowalski <Jacek@jacekk.info>
Date: Thu, 12 Mar 2026 18:34:49 +0100
Subject: [PATCH] Add TINYAUTH_AUTH_SUBDOMAINSENABLED option

Setting it to false allows to use Tinyauth on top-level domain only,
but forbids automatic cross-app authentication using Traefik/Nginx.
---
 internal/bootstrap/app_bootstrap.go | 8 +++++++-
 internal/config/config.go           | 2 ++
 internal/utils/app_utils.go         | 9 +++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/internal/bootstrap/app_bootstrap.go b/internal/bootstrap/app_bootstrap.go
index 18d9068b..55c0f477 100644
--- a/internal/bootstrap/app_bootstrap.go
+++ b/internal/bootstrap/app_bootstrap.go
@@ -106,7 +106,13 @@ func (app *BootstrapApp) Setup() error {
 	}
 
 	// Get cookie domain
-	cookieDomain, err := utils.GetCookieDomain(app.context.appUrl)
+	cookieDomainResolver := utils.GetCookieDomain
+	if !app.config.Auth.SubdomainsEnabled {
+		tlog.App.Info().Msg("Subdomains disabled, automatic authentication for proxied apps will not work")
+		cookieDomainResolver = utils.GetStandaloneCookieDomain
+	}
+
+	cookieDomain, err := cookieDomainResolver(app.context.appUrl)
 
 	if err != nil {
 		return err
diff --git a/internal/config/config.go b/internal/config/config.go
index b8db08a9..f9280f8e 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -18,6 +18,7 @@ func NewDefaultConfiguration() *Config {
 			Address: "0.0.0.0",
 		},
 		Auth: AuthConfig{
+			SubdomainsEnabled:  true,
 			SessionExpiry:      86400, // 1 day
 			SessionMaxLifetime: 0,     // disabled
 			LoginTimeout:       300,   // 5 minutes
@@ -116,6 +117,7 @@ type AuthConfig struct {
 	IP                 IPConfig `description:"IP whitelisting config options." yaml:"ip"`
 	Users              []string `description:"Comma-separated list of users (username:hashed_password)." yaml:"users"`
 	UsersFile          string   `description:"Path to the users file." yaml:"usersFile"`
+	SubdomainsEnabled  bool     `description:"Enable subdomains support." yaml:"subdomainsEnabled"`
 	SecureCookie       bool     `description:"Enable secure cookies." yaml:"secureCookie"`
 	SessionExpiry      int      `description:"Session expiry time in seconds." yaml:"sessionExpiry"`
 	SessionMaxLifetime int      `description:"Maximum session lifetime in seconds." yaml:"sessionMaxLifetime"`
diff --git a/internal/utils/app_utils.go b/internal/utils/app_utils.go
index c5055e36..0cbc16eb 100644
--- a/internal/utils/app_utils.go
+++ b/internal/utils/app_utils.go
@@ -49,6 +49,15 @@ func GetCookieDomain(u string) (string, error) {
 	return domain, nil
 }
 
+func GetStandaloneCookieDomain(u string) (string, error) {
+	parsed, err := url.Parse(u)
+	if err != nil {
+		return "", err
+	}
+
+	return parsed.Hostname(), nil
+}
+
 func ParseFileToLine(content string) string {
 	lines := strings.Split(content, "\n")
 	users := make([]string, 0)