feat: dynamic cookie domains (#722)

* feat: dynamic cookie domains Replaces #685 I was having weird testing issues when trying to merge #685, so I rewrote it from scratch to be a lot more minimal. * chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net>
2025-06-26 08:11:59 -04:00 · 2025-06-26 08:11:59 -04:00 · a1b7d2ccda
commit a1b7d2ccda
parent 7cf6ac5de6
8 changed files with 137 additions and 37 deletions
--- a/lib/anubis.go
+++ b/lib/anubis.go
@ -148,21 +148,21 @@ func (s *Server) maybeReverseProxy(w http.ResponseWriter, r *http.Request, httpS
 	ckie, err := r.Cookie(s.cookieName)
 	if err != nil {
 		lg.Debug("cookie not found", "path", r.URL.Path)
-		s.ClearCookie(w, s.cookieName, cookiePath)
+		s.ClearCookie(w, s.cookieName, cookiePath, r.Host)
 		s.RenderIndex(w, r, rule, httpStatusOnly)
 		return
 	}

 	if err := ckie.Valid(); err != nil {
 		lg.Debug("cookie is invalid", "err", err)
-		s.ClearCookie(w, s.cookieName, cookiePath)
+		s.ClearCookie(w, s.cookieName, cookiePath, r.Host)
 		s.RenderIndex(w, r, rule, httpStatusOnly)
 		return
 	}

 	if time.Now().After(ckie.Expires) && !ckie.Expires.IsZero() {
 		lg.Debug("cookie expired", "path", r.URL.Path)
-		s.ClearCookie(w, s.cookieName, cookiePath)
+		s.ClearCookie(w, s.cookieName, cookiePath, r.Host)
 		s.RenderIndex(w, r, rule, httpStatusOnly)
 		return
 	}
@ -171,7 +171,7 @@ func (s *Server) maybeReverseProxy(w http.ResponseWriter, r *http.Request, httpS

 	if err != nil || !token.Valid {
 		lg.Debug("invalid token", "path", r.URL.Path, "err", err)
-		s.ClearCookie(w, s.cookieName, cookiePath)
+		s.ClearCookie(w, s.cookieName, cookiePath, r.Host)
 		s.RenderIndex(w, r, rule, httpStatusOnly)
 		return
 	}
@ -179,7 +179,7 @@ func (s *Server) maybeReverseProxy(w http.ResponseWriter, r *http.Request, httpS
 	claims, ok := token.Claims.(jwt.MapClaims)
 	if !ok {
 		lg.Debug("invalid token claims type", "path", r.URL.Path)
-		s.ClearCookie(w, s.cookieName, cookiePath)
+		s.ClearCookie(w, s.cookieName, cookiePath, r.Host)
 		s.RenderIndex(w, r, rule, httpStatusOnly)
 		return
 	}
@ -187,14 +187,14 @@ func (s *Server) maybeReverseProxy(w http.ResponseWriter, r *http.Request, httpS
 	policyRule, ok := claims["policyRule"].(string)
 	if !ok {
 		lg.Debug("policyRule claim is not a string")
-		s.ClearCookie(w, s.cookieName, cookiePath)
+		s.ClearCookie(w, s.cookieName, cookiePath, r.Host)
 		s.RenderIndex(w, r, rule, httpStatusOnly)
 		return
 	}

 	if policyRule != rule.Hash() {
 		lg.Debug("user originally passed with a different rule, issuing new challenge", "old", policyRule, "new", rule.Name)
-		s.ClearCookie(w, s.cookieName, cookiePath)
+		s.ClearCookie(w, s.cookieName, cookiePath, r.Host)
 		s.RenderIndex(w, r, rule, httpStatusOnly)
 		return
 	}
@ -216,7 +216,7 @@ func (s *Server) checkRules(w http.ResponseWriter, r *http.Request, cr policy.Ch
 		s.ServeHTTPNext(w, r)
 		return true
 	case config.RuleDeny:
-		s.ClearCookie(w, s.cookieName, cookiePath)
+		s.ClearCookie(w, s.cookieName, cookiePath, r.Host)
 		lg.Info("explicit deny")
 		if rule == nil {
 			lg.Error("rule is nil, cannot calculate checksum")
@ -235,7 +235,7 @@ func (s *Server) checkRules(w http.ResponseWriter, r *http.Request, cr policy.Ch
 		s.RenderBench(w, r)
 		return true
 	default:
-		s.ClearCookie(w, s.cookieName, cookiePath)
+		s.ClearCookie(w, s.cookieName, cookiePath, r.Host)
 		slog.Error("CONFIG ERROR: unknown rule", "rule", cr.Rule)
 		s.respondWithError(w, r, "Internal Server Error: administrator has misconfigured Anubis. Please contact the administrator and ask them to look for the logs around \"maybeReverseProxy.Rules\"")
 		return true
@ -302,7 +302,7 @@ func (s *Server) MakeChallenge(w http.ResponseWriter, r *http.Request) {
 	lg = lg.With("check_result", cr)
 	chal := s.challengeFor(r, rule.Challenge.Difficulty)

-	s.SetCookie(w, anubis.TestCookieName, chal, "/")
+	s.SetCookie(w, anubis.TestCookieName, chal, "/", r.Host)

 	err = encoder.Encode(struct {
 		Rules     *config.ChallengeRules `json:"rules"`
@ -330,14 +330,14 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 	}

 	if _, err := r.Cookie(anubis.TestCookieName); errors.Is(err, http.ErrNoCookie) {
-		s.ClearCookie(w, s.cookieName, cookiePath)
-		s.ClearCookie(w, anubis.TestCookieName, "/")
+		s.ClearCookie(w, s.cookieName, cookiePath, r.Host)
+		s.ClearCookie(w, anubis.TestCookieName, "/", r.Host)
 		lg.Warn("user has cookies disabled, this is not an anubis bug")
 		s.respondWithError(w, r, "Your browser is configured to disable cookies. Anubis requires cookies for the legitimate interest of making sure you are a valid client. Please enable cookies for this domain")
 		return
 	}

-	s.ClearCookie(w, anubis.TestCookieName, "/")
+	s.ClearCookie(w, anubis.TestCookieName, "/", r.Host)

 	redir := r.FormValue("redir")
 	redirURL, err := url.ParseRequestURI(redir)
@ -379,7 +379,7 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 	if err := impl.Validate(r, lg, rule, challengeStr); err != nil {
 		failedValidations.WithLabelValues(rule.Challenge.Algorithm).Inc()
 		var cerr *challenge.Error
-		s.ClearCookie(w, s.cookieName, cookiePath)
+		s.ClearCookie(w, s.cookieName, cookiePath, r.Host)
 		lg.Debug("challenge validate call failed", "err", err)

 		switch {
@ -402,12 +402,12 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 	})
 	if err != nil {
 		lg.Error("failed to sign JWT", "err", err)
-		s.ClearCookie(w, s.cookieName, cookiePath)
+		s.ClearCookie(w, s.cookieName, cookiePath, r.Host)
 		s.respondWithError(w, r, "failed to sign JWT")
 		return
 	}

-	s.SetCookie(w, s.cookieName, tokenString, cookiePath)
+	s.SetCookie(w, s.cookieName, tokenString, cookiePath, r.Host)

 	challengesValidated.WithLabelValues(rule.Challenge.Algorithm).Inc()
 	lg.Debug("challenge passed, redirecting to app")