mirror of
https://github.com/steveiliop56/tinyauth.git
synced 2025-12-15 04:36:37 +00:00
feat: add psl check in cookie domain
This commit is contained in:
Stavros
@@ -28,7 +28,6 @@ type AppContextResponse struct {
|
||||
Title string `json:"title"`
|
||||
GenericName string `json:"genericName"`
|
||||
AppURL string `json:"appUrl"`
|
||||
RootDomain string `json:"rootDomain"`
|
||||
ForgotPasswordMessage string `json:"forgotPasswordMessage"`
|
||||
BackgroundImage string `json:"backgroundImage"`
|
||||
OAuthAutoRedirect string `json:"oauthAutoRedirect"`
|
||||
@@ -39,7 +38,6 @@ type ContextControllerConfig struct {
|
||||
Title string
|
||||
GenericName string
|
||||
AppURL string
|
||||
RootDomain string
|
||||
ForgotPasswordMessage string
|
||||
BackgroundImage string
|
||||
OAuthAutoRedirect string
|
||||
@@ -100,7 +98,6 @@ func (controller *ContextController) appContextHandler(c *gin.Context) {
|
||||
Title: controller.config.Title,
|
||||
GenericName: controller.config.GenericName,
|
||||
AppURL: fmt.Sprintf("%s://%s", appUrl.Scheme, appUrl.Host),
|
||||
RootDomain: controller.config.RootDomain,
|
||||
ForgotPasswordMessage: controller.config.ForgotPasswordMessage,
|
||||
BackgroundImage: controller.config.BackgroundImage,
|
||||
OAuthAutoRedirect: controller.config.OAuthAutoRedirect,
|
||||
|
||||
@@ -16,7 +16,6 @@ var controllerCfg = controller.ContextControllerConfig{
|
||||
Title: "Test App",
|
||||
GenericName: "Generic",
|
||||
AppURL: "http://localhost:8080",
|
||||
RootDomain: "localhost",
|
||||
ForgotPasswordMessage: "Contact admin to reset your password.",
|
||||
BackgroundImage: "/assets/bg.jpg",
|
||||
OAuthAutoRedirect: "google",
|
||||
@@ -62,7 +61,6 @@ func TestAppContextHandler(t *testing.T) {
|
||||
Title: controllerCfg.Title,
|
||||
GenericName: controllerCfg.GenericName,
|
||||
AppURL: controllerCfg.AppURL,
|
||||
RootDomain: controllerCfg.RootDomain,
|
||||
ForgotPasswordMessage: controllerCfg.ForgotPasswordMessage,
|
||||
BackgroundImage: controllerCfg.BackgroundImage,
|
||||
OAuthAutoRedirect: controllerCfg.OAuthAutoRedirect,
|
||||
|
||||
@@ -23,7 +23,7 @@ type OAuthControllerConfig struct {
|
||||
RedirectCookieName string
|
||||
SecureCookie bool
|
||||
AppURL string
|
||||
RootDomain string
|
||||
CookieDomain string
|
||||
}
|
||||
|
||||
type OAuthController struct {
|
||||
@@ -74,13 +74,13 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
|
||||
|
||||
state := service.GenerateState()
|
||||
authURL := service.GetAuthURL(state)
|
||||
c.SetCookie(controller.config.CSRFCookieName, state, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.RootDomain), controller.config.SecureCookie, true)
|
||||
c.SetCookie(controller.config.CSRFCookieName, state, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
|
||||
|
||||
redirectURI := c.Query("redirect_uri")
|
||||
|
||||
if redirectURI != "" && utils.IsRedirectSafe(redirectURI, controller.config.RootDomain) {
|
||||
if redirectURI != "" && utils.IsRedirectSafe(redirectURI, controller.config.CookieDomain) {
|
||||
log.Debug().Msg("Setting redirect URI cookie")
|
||||
c.SetCookie(controller.config.RedirectCookieName, redirectURI, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.RootDomain), controller.config.SecureCookie, true)
|
||||
c.SetCookie(controller.config.RedirectCookieName, redirectURI, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
|
||||
}
|
||||
|
||||
c.JSON(200, gin.H{
|
||||
@@ -108,12 +108,12 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
|
||||
|
||||
if err != nil || state != csrfCookie {
|
||||
log.Warn().Err(err).Msg("CSRF token mismatch or cookie missing")
|
||||
c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.RootDomain), controller.config.SecureCookie, true)
|
||||
c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
|
||||
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
|
||||
return
|
||||
}
|
||||
|
||||
c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.RootDomain), controller.config.SecureCookie, true)
|
||||
c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
|
||||
|
||||
code := c.Query("code")
|
||||
service, exists := controller.broker.GetService(req.Provider)
|
||||
@@ -196,7 +196,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
|
||||
|
||||
redirectURI, err := c.Cookie(controller.config.RedirectCookieName)
|
||||
|
||||
if err != nil || !utils.IsRedirectSafe(redirectURI, controller.config.RootDomain) {
|
||||
if err != nil || !utils.IsRedirectSafe(redirectURI, controller.config.CookieDomain) {
|
||||
log.Debug().Msg("No redirect URI cookie found, redirecting to app root")
|
||||
c.Redirect(http.StatusTemporaryRedirect, controller.config.AppURL)
|
||||
return
|
||||
@@ -212,6 +212,6 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
|
||||
return
|
||||
}
|
||||
|
||||
c.SetCookie(controller.config.RedirectCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.RootDomain), controller.config.SecureCookie, true)
|
||||
c.SetCookie(controller.config.RedirectCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
|
||||
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", controller.config.AppURL, queries.Encode()))
|
||||
}
|
||||
|
||||
@@ -50,7 +50,7 @@ func setupProxyController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.En
|
||||
OauthWhitelist: "",
|
||||
SessionExpiry: 3600,
|
||||
SecureCookie: false,
|
||||
RootDomain: "localhost",
|
||||
CookieDomain: "localhost",
|
||||
LoginTimeout: 300,
|
||||
LoginMaxRetries: 3,
|
||||
SessionCookieName: "tinyauth-session",
|
||||
|
||||
@@ -24,6 +24,7 @@ func TestResourcesHandler(t *testing.T) {
|
||||
// Create test data
|
||||
err := os.Mkdir("/tmp/tinyauth", 0755)
|
||||
assert.NilError(t, err)
|
||||
defer os.RemoveAll("/tmp/tinyauth")
|
||||
|
||||
file, err := os.Create("/tmp/tinyauth/test.txt")
|
||||
assert.NilError(t, err)
|
||||
|
||||
@@ -22,7 +22,7 @@ type TotpRequest struct {
|
||||
}
|
||||
|
||||
type UserControllerConfig struct {
|
||||
RootDomain string
|
||||
CookieDomain string
|
||||
}
|
||||
|
||||
type UserController struct {
|
||||
@@ -115,7 +115,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
|
||||
err := controller.auth.CreateSessionCookie(c, &config.SessionCookie{
|
||||
Username: user.Username,
|
||||
Name: utils.Capitalize(req.Username),
|
||||
Email: fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.RootDomain),
|
||||
Email: fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.CookieDomain),
|
||||
Provider: "username",
|
||||
TotpPending: true,
|
||||
})
|
||||
@@ -141,7 +141,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
|
||||
err = controller.auth.CreateSessionCookie(c, &config.SessionCookie{
|
||||
Username: req.Username,
|
||||
Name: utils.Capitalize(req.Username),
|
||||
Email: fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.RootDomain),
|
||||
Email: fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.CookieDomain),
|
||||
Provider: "username",
|
||||
})
|
||||
|
||||
@@ -246,7 +246,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
|
||||
err = controller.auth.CreateSessionCookie(c, &config.SessionCookie{
|
||||
Username: user.Username,
|
||||
Name: utils.Capitalize(user.Username),
|
||||
Email: fmt.Sprintf("%s@%s", strings.ToLower(user.Username), controller.config.RootDomain),
|
||||
Email: fmt.Sprintf("%s@%s", strings.ToLower(user.Username), controller.config.CookieDomain),
|
||||
Provider: "username",
|
||||
})
|
||||
|
||||
|
||||
@@ -58,7 +58,7 @@ func setupUserController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.Eng
|
||||
OauthWhitelist: "",
|
||||
SessionExpiry: 3600,
|
||||
SecureCookie: false,
|
||||
RootDomain: "localhost",
|
||||
CookieDomain: "localhost",
|
||||
LoginTimeout: 300,
|
||||
LoginMaxRetries: 3,
|
||||
SessionCookieName: "tinyauth-session",
|
||||
@@ -66,7 +66,7 @@ func setupUserController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.Eng
|
||||
|
||||
// Controller
|
||||
ctrl := controller.NewUserController(controller.UserControllerConfig{
|
||||
RootDomain: "localhost",
|
||||
CookieDomain: "localhost",
|
||||
}, group, authService)
|
||||
ctrl.SetupRoutes()
|
||||
|
||||
|
||||
Reference in New Issue
Block a user