Add option to allow extra domains in the auth cookie other than the one in base url (#39)

* Add CONFIG_ALLOWED_COOKIE_DOMAINS option * Apply suggestions from @BrunoBernardino --------- Co-authored-by: Bruno Bernardino <me@brunobernardino.com>
2025-01-11 09:09:11 +02:00
parent aaeaac0285
commit 8929b6e7d2
2 changed files with 15 additions and 0 deletions
--- a/lib/auth.ts
+++ b/lib/auth.ts
@@ -6,6 +6,7 @@ import 'std/dotenv/load.ts';
 import { baseUrl, generateHash, isRunningLocally } from './utils/misc.ts';
 import { User, UserSession } from './types.ts';
 import { createUserSession, deleteUserSession, getUserByEmail, validateUserAndSession } from './data/user.ts';
+import { isCookieDomainAllowed } from './config.ts';

 const JWT_SECRET = Deno.env.get('JWT_SECRET') || '';
 export const PASSWORD_SALT = Deno.env.get('PASSWORD_SALT') || '';
@@ -52,6 +53,10 @@ async function verifyAuthJwt(key: CryptoKey, jwt: string) {

 function resolveCookieDomain(request: Request) {
  if (!isBaseUrlAnIp() || isRunningLocally(request)) {
+    const domain = new URL(request.url).hostname;
+    if (isCookieDomainAllowed(domain)) {
+      return domain;
+    }
    return baseUrl.replace('https://', '').replace('http://', '').split(':')[0];
  }
  return '';
--- a/lib/config.ts
+++ b/lib/config.ts
@@ -20,6 +20,16 @@ export function isAppEnabled(app: 'news' | 'notes' | 'photos') {
  return enabledApps.includes(app);
 }

+export function isCookieDomainAllowed(domain: string) {
+  const allowedDomains = (Deno.env.get('CONFIG_ALLOWED_COOKIE_DOMAINS') || '').split(',') as typeof domain[];
+  
+  if (allowedDomains.length === 0) {
+    return true;
+  }
+
+  return allowedDomains.includes(domain);
+}
+
 export function isEmailEnabled() {
  const areEmailsAllowed = Deno.env.get('CONFIG_ENABLE_EMAILS') === 'true';