fix(lib): use a new cookie per domain when COOKIE_DOMAIN is set (#490)

Also properly re-brand the cookies so that some of the /x/ heritage is lost. This will invalidate existing cookies and probably affects tests. Signed-off-by: Xe Iaso <me@xeiaso.net>
2025-05-12 09:23:42 -04:00 · 2025-05-12 09:23:42 -04:00 · 6c0ff3f4d5
commit 6c0ff3f4d5
parent 9009596ded
5 changed files with 20 additions and 8 deletions
--- a/lib/anubis.go
+++ b/lib/anubis.go
@ -67,6 +67,7 @@ type Server struct {
 	priv       ed25519.PrivateKey
 	pub        ed25519.PublicKey
 	opts       Options
+	cookieName string
 }

 func (s *Server) challengeFor(r *http.Request, difficulty int) string {
@ -117,7 +118,7 @@ func (s *Server) maybeReverseProxy(w http.ResponseWriter, r *http.Request, httpS
 		return
 	}

-	ckie, err := r.Cookie(anubis.CookieName)
+	ckie, err := r.Cookie(s.cookieName)
 	if err != nil {
 		lg.Debug("cookie not found", "path", r.URL.Path)
 		s.ClearCookie(w)
@ -360,7 +361,7 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 	}

 	http.SetCookie(w, &http.Cookie{
-		Name:        anubis.CookieName,
+		Name:        s.cookieName,
 		Value:       tokenString,
 		Expires:     time.Now().Add(s.opts.CookieExpiration),
 		SameSite:    http.SameSiteLaxMode,
--- a/lib/anubis_test.go
+++ b/lib/anubis_test.go
@ -198,13 +198,13 @@ func TestCookieCustomExpiration(t *testing.T) {
 	var ckie *http.Cookie
 	for _, cookie := range resp.Cookies() {
 		t.Logf("%#v", cookie)
-		if cookie.Name == anubis.CookieName {
+		if cookie.Name == srv.cookieName {
 			ckie = cookie
 			break
 		}
 	}
 	if ckie == nil {
-		t.Errorf("Cookie %q not found", anubis.CookieName)
+		t.Errorf("Cookie %q not found", srv.cookieName)
 		return
 	}

@ -288,13 +288,13 @@ func TestCookieSettings(t *testing.T) {
 	var ckie *http.Cookie
 	for _, cookie := range resp.Cookies() {
 		t.Logf("%#v", cookie)
-		if cookie.Name == anubis.CookieName {
+		if cookie.Name == srv.cookieName {
 			ckie = cookie
 			break
 		}
 	}
 	if ckie == nil {
-		t.Errorf("Cookie %q not found", anubis.CookieName)
+		t.Errorf("Cookie %q not found", srv.cookieName)
 		return
 	}

--- a/lib/config.go
+++ b/lib/config.go
@ -81,6 +81,12 @@ func New(opts Options) (*Server, error) {

 	anubis.BasePrefix = opts.BasePrefix

+	cookieName := anubis.CookieName
+
+	if opts.CookieDomain != "" {
+		cookieName = anubis.WithDomainCookieName + opts.CookieDomain
+	}
+
 	result := &Server{
 		next:       opts.Next,
 		priv:       opts.PrivateKey,
@ -89,6 +95,7 @@ func New(opts Options) (*Server, error) {
 		opts:       opts,
 		DNSBLCache: decaymap.New[string, dnsbl.DroneBLResponse](),
 		OGTags:     ogtags.NewOGTagCache(opts.Target, opts.OGPassthrough, opts.OGTimeToLive, opts.OGCacheConsidersHost),
+		cookieName: cookieName,
 	}

 	mux := http.NewServeMux()