lipp / login-with

Stateless login-with microservice for OAuth

Home Page:https://login-with.com


Issue with multi dot subdomains

feluxe opened this issue · comments

Hi there,

thanks for this awesome project!

I just noticed that if you use multiple subdomains (multi dot subdomains) like this one:

dev.login.mydomain.com

You will get a cookie for .login.mydomain.com. I don't think this is intentional, since a cookie for .login.mydomain.com is not really useful ;)

Extracting a multi-dot subdomain from a domain is not trivial, since there are TLDs (or second-level domains) like co.uk that also contain a dot.

I googled around and found out that there is a publicly maintained list of all TLDs:

https://publicsuffix.org/

There are also tools that use the list to parse domain names, e.g.:

https://github.com/wrangr/psl

It looks like wrangr/psl does not have any dependencies and might be safe to use. It uses the MIT license as well.

Thanks for spotting that issue! I'd suggest providing an optional env parameter "LW_COOKIE_DOMAIN". When this is empty, the cookie domain will be "LW_SUBDOMAIN" skipping the first sub:

    cookieDomain: env.LW_SUBDOMAIN ? '.' + subDomain.split('.').slice(1).join('.') : null,

So in your case the env would be LW_SUBDOMAIN="dev.login.mydomain.com" LW_COOKIE_DOMAIN=".mydomain.com".

I guess the additional config work can be forgiven, and we don't depend on any other resource or make things more complicated.

@feluxe What do you think?

I guess it makes a lot of sense to skip the complicated url-parser and the bit of extra control over the cookie domain might be useful in other situations as well. Looks like a fine solution to me!
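As an added example (not code from the login-with project), here is the proposed LW_COOKIE_DOMAIN override placed beside the existing slice(1) derivation, together with a start-up check that the configured cookie domain really is a parent of LW_SUBDOMAIN, so a typo in the env cannot scope the session cookie to an unrelated or overly broad domain. Function names are assumptions; the public-suffix check feluxe mentioned is deliberately left out.

```javascript
// Existing behaviour from the thread: drop the first label of LW_SUBDOMAIN
// and prefix a dot. For dev.login.mydomain.com this yields .login.mydomain.com,
// which is the surprising result the issue reports.
function derivedCookieDomain(subDomain) {
  return '.' + subDomain.split('.').slice(1).join('.');
}

// True when cookieDomain (leading dot optional) equals host or is one of its
// parent domains on a label boundary; 'mydomain.com' must not match
// 'evilmydomain.com', which a plain endsWith() would accept.
function isParentDomain(cookieDomain, host) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Resolve the cookie domain from an env object (assumed shape: the two
// LW_* variables discussed in the thread). Returns null when LW_SUBDOMAIN
// is unset, mirroring the original ternary; throws on a misconfiguration.
function cookieDomainFromEnv(env) {
  const subDomain = env.LW_SUBDOMAIN;
  if (!subDomain) return null;
  const chosen = env.LW_COOKIE_DOMAIN || derivedCookieDomain(subDomain);
  if (!isParentDomain(chosen, subDomain)) {
    throw new Error(`LW_COOKIE_DOMAIN ${chosen} is not a parent of ${subDomain}`);
  }
  // A single-label domain such as '.com' is a public suffix; browsers reject
  // such cookies, so fail loudly instead of silently issuing none. Multi-label
  // public suffixes (co.uk) would need the public suffix list to detect.
  if (chosen.replace(/^\./, '').split('.').length < 2) {
    throw new Error(`cookie domain ${chosen} is too broad`);
  }
  return chosen;
}

// Constructed sample environments for the case from the issue.
const envWithoutOverride = { LW_SUBDOMAIN: 'dev.login.mydomain.com' };
const envWithOverride = { LW_SUBDOMAIN: 'dev.login.mydomain.com', LW_COOKIE_DOMAIN: '.mydomain.com' };
```

Without the override the function reproduces the reported `.login.mydomain.com`; with `LW_COOKIE_DOMAIN=".mydomain.com"` the cookie is scoped as intended, and a value like `.other.com` is refused at start-up.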