From 8929b6e7d2c30753cf2573f4c44010752dbf9264 Mon Sep 17 00:00:00 2001
From: Sergio <77530549+sergi0g@users.noreply.github.com>
Date: Sat, 11 Jan 2025 09:09:11 +0200
Subject: [PATCH] Add option to allow extra domains in the auth cookie other than the one in base url (#39)
* Add CONFIG_ALLOWED_COOKIE_DOMAINS option
* Apply suggestions from @BrunoBernardino
---------
Co-authored-by: Bruno Bernardino
---
 lib/auth.ts | 5 +++++
 lib/config.ts | 10 ++++++++++
 2 files changed, 15 insertions(+)
diff --git a/lib/auth.ts b/lib/auth.ts
index e9b72b2..6d9c055 100644
--- a/lib/auth.ts
+++ b/lib/auth.ts
@@ -6,6 +6,7 @@ import 'std/dotenv/load.ts';
 import { baseUrl, generateHash, isRunningLocally } from './utils/misc.ts';
 import { User, UserSession } from './types.ts';
 import { createUserSession, deleteUserSession, getUserByEmail, validateUserAndSession } from './data/user.ts';
+import { isCookieDomainAllowed } from './config.ts';
 const JWT_SECRET = Deno.env.get('JWT_SECRET') || '';
 export const PASSWORD_SALT = Deno.env.get('PASSWORD_SALT') || '';
@@ -52,6 +53,10 @@ async function verifyAuthJwt(key: CryptoKey, jwt: string) {
 function resolveCookieDomain(request: Request) {
 if (!isBaseUrlAnIp() || isRunningLocally(request)) {
+ const domain = new URL(request.url).hostname;
+ if (isCookieDomainAllowed(domain)) {
+ return domain;
+ }
 return baseUrl.replace('https://', '').replace('http://', '').split(':')[0];
 }
 return '';
diff --git a/lib/config.ts b/lib/config.ts
index 09c6d04..5ca1e5c 100644
--- a/lib/config.ts
+++ b/lib/config.ts
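Review bot: In the `resolveCookieDomain` hunk of lib/auth.ts, `new URL(request.url).hostname` is derived from the request (it normally follows the Host header unless a proxy rewrites it), so the allowlist check is the only control between a client-chosen name and the value this function returns. The caller is outside the hunk, but the function name suggests the value becomes the cookie Domain; if so, a cookie scoped to a listed domain is also sent to that domain's subdomains, which operators filling `CONFIG_ALLOWED_COOKIE_DOMAINS` should know. I would record both points above the new lines, e.g. `// hostname is request-derived; use it only after the exact-match allowlist check (a Domain cookie also covers subdomains)`. The comparison is an exact string match against a parsed hostname, so entries need to be bare lowercase hostnames without scheme or port.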
@@ -20,6 +20,16 @@ export function isAppEnabled(app: 'news' | 'notes' | 'photos') {
 return enabledApps.includes(app);
 }
+export function isCookieDomainAllowed(domain: string) {
+ const allowedDomains = (Deno.env.get('CONFIG_ALLOWED_COOKIE_DOMAINS') || '').split(',') as typeof domain[];
+
+ if (allowedDomains.length === 0) {
+ return true;
+ }
+
+ return allowedDomains.includes(domain);
+}
+
 export function isEmailEnabled() {
 const areEmailsAllowed = Deno.env.get('CONFIG_ENABLE_EMAILS') === 'true';
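Review bot: The `allowedDomains.length === 0` branch in `isCookieDomainAllowed` can never run, because `''.split(',')` yields `['']` (length 1); with the variable unset the function already returns false for every real hostname, which is the safe outcome, yet the branch as written states the opposite intent. If a later change makes it reachable (for example by filtering out empty entries), an unset variable would accept any request hostname as the cookie domain. I would make the fail-closed behaviour explicit and normalise the entries: `.split(',').map((d) => d.trim().toLowerCase()).filter(Boolean)` followed by `if (allowedDomains.length === 0) { return false; }`. Entries are currently not trimmed, so a value such as `a.example, b.example` would never match the second name. The `as typeof domain[]` cast is redundant, since `split` already returns `string[]`.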