barbercollie/tinyauth
1
0
Fork 1
mirror of https://github.com/steveiliop56/tinyauth.git synced 2025-10-28 12:45:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(redirect): allow root cookie domain host redirects (#409)

Browse Source 
Previously IsRedirectSafe rejected redirects to the exact cookie domain
when AppURL had multiple subdomain levels, because it stripped the first
label twice.
This commit is contained in:
Scott McKendry
2025-10-13 21:55:43 +13:00
committed by GitHub
parent a9c1bf8865
commit f628d1f0b3
2 changed files with 42 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
internal/utils/app_utils.go
View File

@@ -100,17 +100,17 @@ func IsRedirectSafe(redirectURL string, domain string) bool {
return false return false
} }
cookieDomain, err := GetCookieDomain(redirectURL) host := parsedURL.Hostname()
if host == domain {
return true
}
cookieDomain, err := GetCookieDomain(redirectURL)
if err != nil { if err != nil {
return false return false
} }
if cookieDomain != domain { return cookieDomain == domain
return false
}
return true
} }
func GetLogLevel(level string) zerolog.Level { func GetLogLevel(level string) zerolog.Level {

37
internal/utils/app_utils_test.go
View File

@@ -164,7 +164,7 @@ func TestIsRedirectSafe(t *testing.T) {
// Case with no subdomain // Case with no subdomain
redirectURL := "http://example.com/welcome" redirectURL := "http://example.com/welcome"
result := utils.IsRedirectSafe(redirectURL, domain) result := utils.IsRedirectSafe(redirectURL, domain)
assert.Equal(t, false, result) assert.Equal(t, true, result)
// Case with different domain // Case with different domain
redirectURL = "http://malicious.com/phishing" redirectURL = "http://malicious.com/phishing"
@@ -202,6 +202,41 @@ func TestIsRedirectSafe(t *testing.T) {
assert.Equal(t, false, result) assert.Equal(t, false, result)
} }
func TestIsRedirectSafeMultiLevel(t *testing.T) {
// Setup
cookieDomain := "tinyauth.example.com"
// Case with 3rd level domain
redirectURL := "http://tinyauth.example.com/welcome"
result := utils.IsRedirectSafe(redirectURL, cookieDomain)
assert.Equal(t, true, result)
// Case with root domain
redirectURL = "http://example.com/unsafe"
result = utils.IsRedirectSafe(redirectURL, cookieDomain)
assert.Equal(t, false, result)
// Case with 4th level domain
redirectURL = "http://auth.tinyauth.example.com/post-login"
result = utils.IsRedirectSafe(redirectURL, cookieDomain)
assert.Equal(t, true, result)
// Case with 5th level domain (should be unsafe)
redirectURL = "http://x.auth.tinyauth.example.com/deep"
result = utils.IsRedirectSafe(redirectURL, cookieDomain)
assert.Equal(t, false, result)
// Case with different subdomain
redirectURL = "http://auth.tinyauth.example.net/attack"
result = utils.IsRedirectSafe(redirectURL, cookieDomain)
assert.Equal(t, false, result)
// Case with malformed URL
redirectURL = "http://[::1]:namedport"
result = utils.IsRedirectSafe(redirectURL, cookieDomain)
assert.Equal(t, false, result)
}
func TestGetOAuthProvidersConfig(t *testing.T) { func TestGetOAuthProvidersConfig(t *testing.T) {
env := []string{"PROVIDERS_CLIENT1_CLIENT_ID=client1-id", "PROVIDERS_CLIENT1_CLIENT_SECRET=client1-secret"} env := []string{"PROVIDERS_CLIENT1_CLIENT_ID=client1-id", "PROVIDERS_CLIENT1_CLIENT_SECRET=client1-secret"}
args := []string{"/tinyauth/tinyauth", "--providers-client2-client-id=client2-id", "--providers-client2-client-secret=client2-secret"} args := []string{"/tinyauth/tinyauth", "--providers-client2-client-id=client2-id", "--providers-client2-client-secret=client2-secret"}