feat: add psl check in cookie domain

2025-10-27 20:25:41 +00:00 · 2025-09-10 13:43:08 +03:00
parent 74cb8067a8
commit e03eaf4f08
15 changed files with 102 additions and 90 deletions
--- a/internal/bootstrap/app_bootstrap.go
+++ b/internal/bootstrap/app_bootstrap.go
@@ -45,8 +45,8 @@ func (app *BootstrapApp) Setup() error {
 		return err
 	}

-	// Get root domain
-	rootDomain, err := utils.GetRootDomain(app.Config.AppURL)
+	// Get cookie domain
+	cookieDomain, err := utils.GetCookieDomain(app.Config.AppURL)

 	if err != nil {
 		return err
@@ -65,7 +65,7 @@ func (app *BootstrapApp) Setup() error {
 		OauthWhitelist:    app.Config.OAuthWhitelist,
 		SessionExpiry:     app.Config.SessionExpiry,
 		SecureCookie:      app.Config.SecureCookie,
-		RootDomain:        rootDomain,
+		CookieDomain:      cookieDomain,
 		LoginTimeout:      app.Config.LoginTimeout,
 		LoginMaxRetries:   app.Config.LoginMaxRetries,
 		SessionCookieName: sessionCookieName,
@@ -156,7 +156,7 @@ func (app *BootstrapApp) Setup() error {
 	var middlewares []Middleware

 	contextMiddleware := middleware.NewContextMiddleware(middleware.ContextMiddlewareConfig{
-		RootDomain: rootDomain,
+		CookieDomain: cookieDomain,
 	}, authService, oauthBrokerService)

 	uiMiddleware := middleware.NewUIMiddleware()
@@ -183,7 +183,6 @@ func (app *BootstrapApp) Setup() error {
 		Title:                 app.Config.Title,
 		GenericName:           app.Config.GenericName,
 		AppURL:                app.Config.AppURL,
-		RootDomain:            rootDomain,
 		ForgotPasswordMessage: app.Config.ForgotPasswordMessage,
 		BackgroundImage:       app.Config.BackgroundImage,
 		OAuthAutoRedirect:     app.Config.OAuthAutoRedirect,
@@ -194,7 +193,7 @@ func (app *BootstrapApp) Setup() error {
 		SecureCookie:       app.Config.SecureCookie,
 		CSRFCookieName:     csrfCookieName,
 		RedirectCookieName: redirectCookieName,
-		RootDomain:         rootDomain,
+		CookieDomain:       cookieDomain,
 	}, apiRouter, authService, oauthBrokerService)

 	proxyController := controller.NewProxyController(controller.ProxyControllerConfig{
@@ -202,7 +201,7 @@ func (app *BootstrapApp) Setup() error {
 	}, apiRouter, dockerService, authService)

 	userController := controller.NewUserController(controller.UserControllerConfig{
-		RootDomain: rootDomain,
+		CookieDomain: cookieDomain,
 	}, apiRouter, authService)

 	resourcesController := controller.NewResourcesController(controller.ResourcesControllerConfig{
--- a/internal/controller/context_controller.go
+++ b/internal/controller/context_controller.go
@@ -28,7 +28,6 @@ type AppContextResponse struct {
 	Title                 string   `json:"title"`
 	GenericName           string   `json:"genericName"`
 	AppURL                string   `json:"appUrl"`
-	RootDomain            string   `json:"rootDomain"`
 	ForgotPasswordMessage string   `json:"forgotPasswordMessage"`
 	BackgroundImage       string   `json:"backgroundImage"`
 	OAuthAutoRedirect     string   `json:"oauthAutoRedirect"`
@@ -39,7 +38,6 @@ type ContextControllerConfig struct {
 	Title                 string
 	GenericName           string
 	AppURL                string
-	RootDomain            string
 	ForgotPasswordMessage string
 	BackgroundImage       string
 	OAuthAutoRedirect     string
@@ -100,7 +98,6 @@ func (controller *ContextController) appContextHandler(c *gin.Context) {
 		Title:                 controller.config.Title,
 		GenericName:           controller.config.GenericName,
 		AppURL:                fmt.Sprintf("%s://%s", appUrl.Scheme, appUrl.Host),
-		RootDomain:            controller.config.RootDomain,
 		ForgotPasswordMessage: controller.config.ForgotPasswordMessage,
 		BackgroundImage:       controller.config.BackgroundImage,
 		OAuthAutoRedirect:     controller.config.OAuthAutoRedirect,
--- a/internal/controller/context_controller_test.go
+++ b/internal/controller/context_controller_test.go
@@ -16,7 +16,6 @@ var controllerCfg = controller.ContextControllerConfig{
 	Title:                 "Test App",
 	GenericName:           "Generic",
 	AppURL:                "http://localhost:8080",
-	RootDomain:            "localhost",
 	ForgotPasswordMessage: "Contact admin to reset your password.",
 	BackgroundImage:       "/assets/bg.jpg",
 	OAuthAutoRedirect:     "google",
@@ -62,7 +61,6 @@ func TestAppContextHandler(t *testing.T) {
 		Title:                 controllerCfg.Title,
 		GenericName:           controllerCfg.GenericName,
 		AppURL:                controllerCfg.AppURL,
-		RootDomain:            controllerCfg.RootDomain,
 		ForgotPasswordMessage: controllerCfg.ForgotPasswordMessage,
 		BackgroundImage:       controllerCfg.BackgroundImage,
 		OAuthAutoRedirect:     controllerCfg.OAuthAutoRedirect,
--- a/internal/controller/oauth_controller.go
+++ b/internal/controller/oauth_controller.go
@@ -23,7 +23,7 @@ type OAuthControllerConfig struct {
 	RedirectCookieName string
 	SecureCookie       bool
 	AppURL             string
-	RootDomain         string
+	CookieDomain       string
 }

 type OAuthController struct {
@@ -74,13 +74,13 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {

 	state := service.GenerateState()
 	authURL := service.GetAuthURL(state)
-	c.SetCookie(controller.config.CSRFCookieName, state, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.RootDomain), controller.config.SecureCookie, true)
+	c.SetCookie(controller.config.CSRFCookieName, state, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)

 	redirectURI := c.Query("redirect_uri")

-	if redirectURI != "" && utils.IsRedirectSafe(redirectURI, controller.config.RootDomain) {
+	if redirectURI != "" && utils.IsRedirectSafe(redirectURI, controller.config.CookieDomain) {
 		log.Debug().Msg("Setting redirect URI cookie")
-		c.SetCookie(controller.config.RedirectCookieName, redirectURI, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.RootDomain), controller.config.SecureCookie, true)
+		c.SetCookie(controller.config.RedirectCookieName, redirectURI, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 	}

 	c.JSON(200, gin.H{
@@ -108,12 +108,12 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {

 	if err != nil || state != csrfCookie {
 		log.Warn().Err(err).Msg("CSRF token mismatch or cookie missing")
-		c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.RootDomain), controller.config.SecureCookie, true)
+		c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}

-	c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.RootDomain), controller.config.SecureCookie, true)
+	c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)

 	code := c.Query("code")
 	service, exists := controller.broker.GetService(req.Provider)
@@ -196,7 +196,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {

 	redirectURI, err := c.Cookie(controller.config.RedirectCookieName)

-	if err != nil || !utils.IsRedirectSafe(redirectURI, controller.config.RootDomain) {
+	if err != nil || !utils.IsRedirectSafe(redirectURI, controller.config.CookieDomain) {
 		log.Debug().Msg("No redirect URI cookie found, redirecting to app root")
 		c.Redirect(http.StatusTemporaryRedirect, controller.config.AppURL)
 		return
@@ -212,6 +212,6 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		return
 	}

-	c.SetCookie(controller.config.RedirectCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.RootDomain), controller.config.SecureCookie, true)
+	c.SetCookie(controller.config.RedirectCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", controller.config.AppURL, queries.Encode()))
 }
--- a/internal/controller/proxy_controller_test.go
+++ b/internal/controller/proxy_controller_test.go
@@ -50,7 +50,7 @@ func setupProxyController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.En
 		OauthWhitelist:    "",
 		SessionExpiry:     3600,
 		SecureCookie:      false,
-		RootDomain:        "localhost",
+		CookieDomain:      "localhost",
 		LoginTimeout:      300,
 		LoginMaxRetries:   3,
 		SessionCookieName: "tinyauth-session",
--- a/internal/controller/resources_controller_test.go
+++ b/internal/controller/resources_controller_test.go
@@ -24,6 +24,7 @@ func TestResourcesHandler(t *testing.T) {
 	// Create test data
 	err := os.Mkdir("/tmp/tinyauth", 0755)
 	assert.NilError(t, err)
+	defer os.RemoveAll("/tmp/tinyauth")

 	file, err := os.Create("/tmp/tinyauth/test.txt")
 	assert.NilError(t, err)
--- a/internal/controller/user_controller.go
+++ b/internal/controller/user_controller.go
@@ -22,7 +22,7 @@ type TotpRequest struct {
 }

 type UserControllerConfig struct {
-	RootDomain string
+	CookieDomain string
 }

 type UserController struct {
@@ -115,7 +115,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 			err := controller.auth.CreateSessionCookie(c, &config.SessionCookie{
 				Username:    user.Username,
 				Name:        utils.Capitalize(req.Username),
-				Email:       fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.RootDomain),
+				Email:       fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.CookieDomain),
 				Provider:    "username",
 				TotpPending: true,
 			})
@@ -141,7 +141,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 	err = controller.auth.CreateSessionCookie(c, &config.SessionCookie{
 		Username: req.Username,
 		Name:     utils.Capitalize(req.Username),
-		Email:    fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.RootDomain),
+		Email:    fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.CookieDomain),
 		Provider: "username",
 	})

@@ -246,7 +246,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	err = controller.auth.CreateSessionCookie(c, &config.SessionCookie{
 		Username: user.Username,
 		Name:     utils.Capitalize(user.Username),
-		Email:    fmt.Sprintf("%s@%s", strings.ToLower(user.Username), controller.config.RootDomain),
+		Email:    fmt.Sprintf("%s@%s", strings.ToLower(user.Username), controller.config.CookieDomain),
 		Provider: "username",
 	})

--- a/internal/controller/user_controller_test.go
+++ b/internal/controller/user_controller_test.go
@@ -58,7 +58,7 @@ func setupUserController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.Eng
 		OauthWhitelist:    "",
 		SessionExpiry:     3600,
 		SecureCookie:      false,
-		RootDomain:        "localhost",
+		CookieDomain:      "localhost",
 		LoginTimeout:      300,
 		LoginMaxRetries:   3,
 		SessionCookieName: "tinyauth-session",
@@ -66,7 +66,7 @@ func setupUserController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.Eng

 	// Controller
 	ctrl := controller.NewUserController(controller.UserControllerConfig{
-		RootDomain: "localhost",
+		CookieDomain: "localhost",
 	}, group, authService)
 	ctrl.SetupRoutes()

--- a/internal/middleware/context_middleware.go
+++ b/internal/middleware/context_middleware.go
@@ -12,7 +12,7 @@ import (
 )

 type ContextMiddlewareConfig struct {
-	RootDomain string
+	CookieDomain string
 }

 type ContextMiddleware struct {
@@ -134,7 +134,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			c.Set("context", &config.UserContext{
 				Username:    user.Username,
 				Name:        utils.Capitalize(user.Username),
-				Email:       fmt.Sprintf("%s@%s", strings.ToLower(user.Username), m.config.RootDomain),
+				Email:       fmt.Sprintf("%s@%s", strings.ToLower(user.Username), m.config.CookieDomain),
 				Provider:    "basic",
 				IsLoggedIn:  true,
 				TotpEnabled: user.TotpSecret != "",
@@ -146,7 +146,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			c.Set("context", &config.UserContext{
 				Username:   basic.Username,
 				Name:       utils.Capitalize(basic.Username),
-				Email:      fmt.Sprintf("%s@%s", strings.ToLower(basic.Username), m.config.RootDomain),
+				Email:      fmt.Sprintf("%s@%s", strings.ToLower(basic.Username), m.config.CookieDomain),
 				Provider:   "basic",
 				IsLoggedIn: true,
 			})
--- a/internal/service/auth_service.go
+++ b/internal/service/auth_service.go
@@ -28,7 +28,7 @@ type AuthServiceConfig struct {
 	OauthWhitelist    string
 	SessionExpiry     int
 	SecureCookie      bool
-	RootDomain        string
+	CookieDomain      string
 	LoginTimeout      int
 	LoginMaxRetries   int
 	SessionCookieName string
@@ -218,7 +218,7 @@ func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *config.Sessio
 		return err
 	}

-	c.SetCookie(auth.config.SessionCookieName, session.UUID, expiry, "/", fmt.Sprintf(".%s", auth.config.RootDomain), auth.config.SecureCookie, true)
+	c.SetCookie(auth.config.SessionCookieName, session.UUID, expiry, "/", fmt.Sprintf(".%s", auth.config.CookieDomain), auth.config.SecureCookie, true)

 	return nil
 }
@@ -236,7 +236,7 @@ func (auth *AuthService) DeleteSessionCookie(c *gin.Context) error {
 		return res.Error
 	}

-	c.SetCookie(auth.config.SessionCookieName, "", -1, "/", fmt.Sprintf(".%s", auth.config.RootDomain), auth.config.SecureCookie, true)
+	c.SetCookie(auth.config.SessionCookieName, "", -1, "/", fmt.Sprintf(".%s", auth.config.CookieDomain), auth.config.SecureCookie, true)

 	return nil
 }
--- a/internal/utils/app_utils.go
+++ b/internal/utils/app_utils.go
@@ -8,30 +8,38 @@ import (
 	"tinyauth/internal/config"

 	"github.com/gin-gonic/gin"
-
 	"github.com/rs/zerolog"
+	"github.com/weppos/publicsuffix-go/publicsuffix"
 )

-// Get root domain parses a hostname and returns the upper domain (e.g. sub1.sub2.domain.com -> sub2.domain.com)
-func GetRootDomain(u string) (string, error) {
-	appUrl, err := url.Parse(u)
+// Get cookie domain parses a hostname and returns the upper domain (e.g. sub1.sub2.domain.com -> sub2.domain.com)
+func GetCookieDomain(u string) (string, error) {
+	parsed, err := url.Parse(u)
 	if err != nil {
 		return "", err
 	}

-	host := appUrl.Hostname()
+	host := parsed.Hostname()

 	if netIP := net.ParseIP(host); netIP != nil {
-		return "", errors.New("IP addresses are not allowed")
+		return "", errors.New("IP addresses not allowed")
 	}

-	urlParts := strings.Split(host, ".")
+	parts := strings.Split(host, ".")

-	if len(urlParts) < 3 {
-		return "", errors.New("invalid domain, must be at least second level domain")
+	if len(parts) < 3 {
+		return "", errors.New("invalid app url, must be at least second level domain")
 	}

-	return strings.Join(urlParts[1:], "."), nil
+	domain := strings.Join(parts[1:], ".")
+
+	_, err = publicsuffix.DomainFromListWithOptions(publicsuffix.DefaultList, domain, nil)
+
+	if err != nil {
+		return "", errors.New("domain in public suffix list, cannot set cookies")
+	}
+
+	return domain, nil
 }

 func ParseFileToLine(content string) string {
@@ -89,13 +97,13 @@ func IsRedirectSafe(redirectURL string, domain string) bool {
 		return false
 	}

-	upper, err := GetRootDomain(redirectURL)
+	cookieDomain, err := GetCookieDomain(redirectURL)

 	if err != nil {
 		return false
 	}

-	if upper != domain {
+	if cookieDomain != domain {
 		return false
 	}

--- a/internal/utils/app_utils_test.go
+++ b/internal/utils/app_utils_test.go
@@ -11,53 +11,58 @@ import (

 func TestGetRootDomain(t *testing.T) {
 	// Normal case
-	domain := "http://sub.example.com"
-	expected := "example.com"
-	result, err := utils.GetRootDomain(domain)
+	domain := "http://sub.tinyauth.app"
+	expected := "tinyauth.app"
+	result, err := utils.GetCookieDomain(domain)
 	assert.NilError(t, err)
 	assert.Equal(t, expected, result)

 	// Domain with multiple subdomains
-	domain = "http://b.c.example.com"
-	expected = "c.example.com"
-	result, err = utils.GetRootDomain(domain)
+	domain = "http://b.c.tinyauth.app"
+	expected = "c.tinyauth.app"
+	result, err = utils.GetCookieDomain(domain)
 	assert.NilError(t, err)
 	assert.Equal(t, expected, result)

 	// Domain with no subdomain
-	domain = "http://example.com"
-	expected = "example.com"
-	_, err = utils.GetRootDomain(domain)
-	assert.Error(t, err, "invalid domain, must be at least second level domain")
+	domain = "http://tinyauth.app"
+	expected = "tinyauth.app"
+	_, err = utils.GetCookieDomain(domain)
+	assert.Error(t, err, "invalid app url, must be at least second level domain")

 	// Invalid domain (only TLD)
 	domain = "com"
-	_, err = utils.GetRootDomain(domain)
-	assert.ErrorContains(t, err, "invalid domain")
+	_, err = utils.GetCookieDomain(domain)
+	assert.ErrorContains(t, err, "invalid app url, must be at least second level domain")

 	// IP address
 	domain = "http://10.10.10.10"
-	_, err = utils.GetRootDomain(domain)
-	assert.ErrorContains(t, err, "IP addresses are not allowed")
+	_, err = utils.GetCookieDomain(domain)
+	assert.ErrorContains(t, err, "IP addresses not allowed")

 	// Invalid URL
 	domain = "http://[::1]:namedport"
-	_, err = utils.GetRootDomain(domain)
+	_, err = utils.GetCookieDomain(domain)
 	assert.ErrorContains(t, err, "parse \"http://[::1]:namedport\": invalid port \":namedport\" after host")

 	// URL with scheme and path
-	domain = "https://sub.example.com/path"
-	expected = "example.com"
-	result, err = utils.GetRootDomain(domain)
+	domain = "https://sub.tinyauth.app/path"
+	expected = "tinyauth.app"
+	result, err = utils.GetCookieDomain(domain)
 	assert.NilError(t, err)
 	assert.Equal(t, expected, result)

 	// URL with port
-	domain = "http://sub.example.com:8080"
-	expected = "example.com"
-	result, err = utils.GetRootDomain(domain)
+	domain = "http://sub.tinyauth.app:8080"
+	expected = "tinyauth.app"
+	result, err = utils.GetCookieDomain(domain)
 	assert.NilError(t, err)
 	assert.Equal(t, expected, result)
+
+	// Domain managed by ICANN
+	domain = "http://example.co.uk"
+	_, err = utils.GetCookieDomain(domain)
+	assert.Error(t, err, "domain in public suffix list, cannot set cookies")
 }

 func TestParseFileToLine(t *testing.T) {