From e53cbf414d4101105f4b2be0fc1e5a6010543ae5 Mon Sep 17 00:00:00 2001
From: Stavros
Date: Sun, 21 Jun 2026 17:32:36 +0300
Subject: [PATCH] fix: remove port from cookie domain
---
 internal/controller/oauth_controller.go | 7 ++++++-
 internal/utils/app_utils.go | 8 ++------
 internal/utils/app_utils_test.go | 2 +-
 3 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/internal/controller/oauth_controller.go b/internal/controller/oauth_controller.go
index fffc363c..93e4e9bc 100644
--- a/internal/controller/oauth_controller.go
+++ b/internal/controller/oauth_controller.go
@@ -335,6 +335,11 @@ func (controller *OAuthController) isRedirectSafe(redirectURI string) bool {
 return false } + if u.Port() != au.Port() { controller.log.App.Warn().Str("redirectUri", redirectURI).Str("appUrl", controller.runtime.AppURL).Msg("Redirect URI port does not match app URL port") + return false + } + if strings.EqualFold(u.Host, au.Host) { return true }
@@ -343,7 +348,7 @@ func (controller *OAuthController) isRedirectSafe(redirectURI string) bool {
 return false } - if strings.HasSuffix(strings.ToLower(u.Host), "."+strings.ToLower(controller.runtime.CookieDomain)) { + if strings.HasSuffix(strings.ToLower(u.Hostname()), "."+strings.ToLower(controller.runtime.CookieDomain)) { return true }
diff --git a/internal/utils/app_utils.go b/internal/utils/app_utils.go
index 5c660894..00adf246 100644
--- a/internal/utils/app_utils.go
+++ b/internal/utils/app_utils.go
@@ -36,7 +36,7 @@ func GetCookieDomain(appUrl string, subdomainsEnabled bool) (string, error) {
 return "", fmt.Errorf("domain in public suffix list, cannot set cookies: %w", err) } - return strings.ToLower(u.Host), nil + return hostname, nil } domain := strings.Join(parts[1:], ".") 
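Review bot: The new port comparison in isRedirectSafe depends on url.URL.Port() returning "" when the URL carries no explicit port, so an implicit default (`https://app.example.com`) and an explicit one (`https://app.example.com:443`) are treated as different and the redirect is rejected; that is fail-closed and defensible, but not obvious, so the check should carry a comment such as `// Port() is "" for an implicit default port; an explicit :443/:80 is deliberately not normalised to match it, so the comparison rejects rather than guesses.` The Warn entry records the caller-supplied redirectUri verbatim, which is useful for detection, and the structured logger presumably escapes it; worth confirming so a crafted value cannot break log line framing. The second hunk at -343 is consistent with this one: once ports are known equal, comparing `u.Hostname()` against CookieDomain (which no longer carries a port after the app_utils.go change) is the right pairing. isRedirectSafe begins before this hunk, so where `u` and `au` are parsed and whether the scheme is also compared cannot be confirmed from here.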
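Review bot: `return hostname, nil` replaces `return strings.ToLower(u.Host), nil`, so unless `hostname` is already lowercased where it is derived above this hunk, this branch of GetCookieDomain now returns the host in its original case; the suffix check in isRedirectSafe lowercases both sides, but any other consumer comparing CookieDomain with `==` would be affected, and `return strings.ToLower(hostname), nil` would preserve the old guarantee either way. `hostname` and `parts` are declared above the hunk, so whether they come from `u.Hostname()` rather than `u.Host` cannot be confirmed here, and the port is only really gone if they do. GetCookieDomain's header is outside this hunk.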
@@ -47,11 +47,7 @@ func GetCookieDomain(appUrl string, subdomainsEnabled bool) (string, error) {
 return "", fmt.Errorf("domain in public suffix list, cannot set cookies: %w", err) } - // now that we validated the domain, return with the port - parts = strings.Split(strings.ToLower(u.Host), ".") - host := strings.Join(parts[1:], ".") - - return host, nil + return domain, nil } func ParseFileToLine(content string) string {
diff --git a/internal/utils/app_utils_test.go b/internal/utils/app_utils_test.go
index b49dc9e0..e4525335 100644
--- a/internal/utils/app_utils_test.go
+++ b/internal/utils/app_utils_test.go
@@ -46,7 +46,7 @@ func TestGetRootDomain(t *testing.T) {
 // URL with port domain = "http://sub.tinyauth.app:8080" - expected = "tinyauth.app:8080" + expected = "tinyauth.app" result, err = utils.GetCookieDomain(domain, true) assert.NoError(t, err) assert.Equal(t, expected, result)
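Review bot: The removed comment `// now that we validated the domain, return with the port` was the only place the function recorded how the port was handled, and the new contract (the returned cookie domain never carries a port) is not written down anywhere in the hunk. Since the cookie Domain attribute is host-only, a doc comment on GetCookieDomain should state that the result is the hostname with any port stripped, or its parent domain when subdomainsEnabled is true, so callers do not append a port themselves. `domain` here is the `strings.Join(parts[1:], ".")` computed at the end of the previous hunk after the public-suffix check, so both branches now return port-free values; the function's header is outside this hunk.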
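Review bot: The updated expectation only exercises the subdomainsEnabled=true path with a port, while the app_utils.go change also altered the other branch to `return hostname, nil`; a second case such as `result, err = utils.GetCookieDomain("http://tinyauth.app:8080", false)` followed by `assert.Equal(t, "tinyauth.app", result)` would pin that branch too (the expected value assumes that branch returns the bare hostname, which the earlier hunk suggests but does not fully show). A mixed-case input, constructed like `http://Sub.TinyAuth.app:8080`, would also confirm whether the result is still lowercased now that the explicit strings.ToLower calls were removed. TestGetRootDomain continues outside this hunk.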