From c870d686737c749306dfe95bc2bd263be1da4590 Mon Sep 17 00:00:00 2001
From: Volodymyr Matviienko <9989793+matviienko@users.noreply.github.com>
Date: Fri, 9 Feb 2024 11:50:19 +0100
Subject: [PATCH] fix: cookie domain for reverse proxy setup
---
 backend/app/api/handlers/v1/v1_ctrl_auth.go | 31 +++++++++++++++++++--
 1 file changed, 28 insertions(+), 3 deletions(-)
diff --git a/backend/app/api/handlers/v1/v1_ctrl_auth.go b/backend/app/api/handlers/v1/v1_ctrl_auth.go
index 47b69fd..d78401f 100644
--- a/backend/app/api/handlers/v1/v1_ctrl_auth.go
+++ b/backend/app/api/handlers/v1/v1_ctrl_auth.go
@@ -3,6 +3,7 @@ package v1
 import (
 "errors"
 "net/http"
+ "net/url"
 "strconv"
 "strings"
 "time"
@@ -40,6 +41,30 @@ type CookieContents struct {
 Remember bool
 }
+func GetHostFromHeader(r *http.Request, header string) string {
+ value := r.Header.Get(header)
+ if value == "" {
+ return ""
+ }
+ url, err := url.Parse(value)
+ if err != nil {
+ return ""
+ }
+ return url.Hostname()
+}
+
+func GetOriginRefererHost(r *http.Request) string {
+ origin := GetHostFromHeader(r, "Origin")
+ if origin != "" {
+ return origin
+ }
+ referer := GetHostFromHeader(r, "Referer")
+ if referer != "" {
+ return referer
+ }
+ return r.Host
+}
+
 func GetCookies(r *http.Request) (*CookieContents, error) {
 cookie, err := r.Cookie(cookieNameToken)
 if err != nil {
@@ -120,7 +145,7 @@ func (ctrl *V1Controller) HandleAuthLogin(ps ...AuthProvider) errchain.HandlerFu
 return server.JSON(w, http.StatusInternalServerError, err.Error())
 }
- ctrl.setCookies(w, noPort(r.Host), newToken.Raw, newToken.ExpiresAt, true)
+ ctrl.setCookies(w, noPort(GetOriginRefererHost(r)), newToken.Raw, newToken.ExpiresAt, true)
 return server.JSON(w, http.StatusOK, TokenResponse{
 Token: "Bearer " + newToken.Raw,
 ExpiresAt: newToken.ExpiresAt,
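Review bot: GetOriginRefererHost in the second hunk derives the cookie Domain attribute from the client-supplied Origin and Referer headers without checking that the resulting host belongs to this deployment, and that value now reaches setCookies in HandleAuthLogin here and unsetCookies/setCookies in HandleAuthLogout and HandleAuthRefresh in the following two hunks. A browser only stores a cookie whose Domain domain-matches the URL it requested, so a bogus header would mostly break login rather than leak a token, but a legitimate cross-origin caller served from a parent domain (a page on `example.com` calling `app.example.com`) would likely widen the session cookie to every subdomain. For a reverse-proxy deployment the host the proxy forwards (`X-Forwarded-Host` from a trusted proxy, or a configured public base URL) is the better source, and whichever source is used should be compared against a configured allowlist before it becomes the Domain attribute. Separately, in GetHostFromHeader `url, err := url.Parse(value)` shadows the net/url package with the local; rename it, e.g. `u, err := url.Parse(value)` and `return u.Hostname()`. Both new functions are exported but undocumented; add doc comments such as `// GetOriginRefererHost returns the host named by the Origin header, then the Referer header, falling back to r.Host.`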
@@ -148,7 +173,7 @@ func (ctrl *V1Controller) HandleAuthLogout() errchain.HandlerFunc {
 return validate.NewRequestError(err, http.StatusInternalServerError)
 }
- ctrl.unsetCookies(w, noPort(r.Host))
+ ctrl.unsetCookies(w, noPort(GetOriginRefererHost(r)))
 return server.JSON(w, http.StatusNoContent, nil)
 }
 }
@@ -174,7 +199,7 @@ func (ctrl *V1Controller) HandleAuthRefresh() errchain.HandlerFunc {
 return validate.NewUnauthorizedError()
 }
- ctrl.setCookies(w, noPort(r.Host), newToken.Raw, newToken.ExpiresAt, false)
+ ctrl.setCookies(w, noPort(GetOriginRefererHost(r)), newToken.Raw, newToken.ExpiresAt, false)
 return server.JSON(w, http.StatusOK, newToken)
 }
 }