fix: remove port from cookie domain

2026-06-22 03:10:16 +00:00 · 2026-06-21 17:32:36 +03:00
parent a4f9c897a6
commit e53cbf414d
3 changed files with 9 additions and 8 deletions
@@ -335,6 +335,11 @@ func (controller *OAuthController) isRedirectSafe(redirectURI string) bool {
 		return false
 	}

+	if u.Port() != au.Port() {
+		controller.log.App.Warn().Str("redirectUri", redirectURI).Str("appUrl", controller.runtime.AppURL).Msg("Redirect URI port does not match app URL port")
+		return false
+	}
+
 	if strings.EqualFold(u.Host, au.Host) {
 		return true
 	}
@@ -343,7 +348,7 @@ func (controller *OAuthController) isRedirectSafe(redirectURI string) bool {
 		return false
 	}

-	if strings.HasSuffix(strings.ToLower(u.Host), "."+strings.ToLower(controller.runtime.CookieDomain)) {
+	if strings.HasSuffix(strings.ToLower(u.Hostname()), "."+strings.ToLower(controller.runtime.CookieDomain)) {
 		return true
 	}

@@ -36,7 +36,7 @@ func GetCookieDomain(appUrl string, subdomainsEnabled bool) (string, error) {
 			return "", fmt.Errorf("domain in public suffix list, cannot set cookies: %w", err)
 		}

-		return strings.ToLower(u.Host), nil
+		return hostname, nil
 	}

 	domain := strings.Join(parts[1:], ".")
@@ -47,11 +47,7 @@ func GetCookieDomain(appUrl string, subdomainsEnabled bool) (string, error) {
 		return "", fmt.Errorf("domain in public suffix list, cannot set cookies: %w", err)
 	}

-	// now that we validated the domain, return with the port
-	parts = strings.Split(strings.ToLower(u.Host), ".")
-	host := strings.Join(parts[1:], ".")
-
-	return host, nil
+	return domain, nil
 }

 func ParseFileToLine(content string) string {
@@ -46,7 +46,7 @@ func TestGetRootDomain(t *testing.T) {

 	// URL with port
 	domain = "http://sub.tinyauth.app:8080"
-	expected = "tinyauth.app:8080"
+	expected = "tinyauth.app"
 	result, err = utils.GetCookieDomain(domain, true)
 	assert.NoError(t, err)
 	assert.Equal(t, expected, result)