Fix dual-domain cookie invalidation on logout #91
Merged
Conversation
In OAuth mode, setCookieDomain ignored the tenant's interceptor cookie domain and fell back to the request host (e.g. login.ops.gcb-cloud.de). This created a cookie on a different domain than the interceptor login (e.g. .ops.gcb-cloud.de), resulting in two separate browser cookies. Now both modes prefer tenant.config.interceptor.cookieOrDomain when configured, so only one cookie domain is used consistently.
The Helm values.yaml has a cookieDomain per domain entry (e.g. login.ops.gcb-cloud.de -> .ops.gcb-cloud.de) but it was never consumed. Now the Helm chart serializes the mapping as a JSON env var (COOKIE_DOMAINS) in the environment-config ConfigMap. CookieDomainMapping reads it at startup and resolves cookie domains for OAuth login and logout flows, so that cookies are set on the correct broad domain (e.g. .ops.gcb-cloud.de) instead of the specific login host (login.ops.gcb-cloud.de).
The e2e Helm values had cookieDomain: "*.bnbc.example" which is not a valid Set-Cookie Domain attribute. Browsers reject wildcards and the cookie is silently dropped, breaking the silent login flow. Fix the e2e config to use ".bnbc.example" and add defensive sanitization in CookieDomainMapping that converts "*.x" to ".x".
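The two commits above describe a host-to-cookie-domain mapping delivered as a JSON env var and a sanitization step for wildcard entries. The following is an added example, not Uitsmijter's own CookieDomainMapping: a small Swift resolver that parses an assumed JSON object of the shape {"login.host": ".cookie.domain"} from an env var (COOKIE_DOMAINS by default), rewrites "*.x" to ".x", and falls back to the request host when no entry exists. The JSON shape, the type name and the sample hosts are assumptions for illustration.

```swift
import Foundation

// Hypothetical resolver (added example, not the project's CookieDomainMapping).
// It turns the per-host mapping from the Helm chart into the Domain attribute
// that the OAuth login and logout flows should put on their Set-Cookie headers.
struct CookieDomainResolver {
    private let mapping: [String: String]

    /// Parse a JSON object such as {"login.ops.example.com": ".ops.example.com"}.
    /// The exact serialization is an assumption; only the host -> domain idea is taken from the PR.
    init(json: String) throws {
        let raw = try JSONDecoder().decode([String: String].self, from: Data(json.utf8))
        var cleaned: [String: String] = [:]
        for (host, domain) in raw {
            cleaned[host.lowercased()] = CookieDomainResolver.sanitize(domain)
        }
        mapping = cleaned
    }

    /// Read the mapping from the environment; an unset variable means "no mapping".
    static func fromEnvironment(_ name: String = "COOKIE_DOMAINS") throws -> CookieDomainResolver {
        let json = ProcessInfo.processInfo.environment[name] ?? "{}"
        return try CookieDomainResolver(json: json)
    }

    /// "*.example.com" is not a valid Set-Cookie Domain attribute: browsers reject the
    /// wildcard and silently drop the cookie. Convert it to ".example.com".
    static func sanitize(_ domain: String) -> String {
        var d = domain.trimmingCharacters(in: .whitespacesAndNewlines).lowercased()
        if d.hasPrefix("*.") {
            d.removeFirst()            // "*.x" -> ".x"
        }
        return d
    }

    /// Domain to use for a request arriving on `host`. With no configured entry the
    /// cookie stays host-only, which is the behaviour the PR is fixing for OAuth mode.
    func cookieDomain(forHost host: String) -> String {
        let key = host.lowercased()
        return mapping[key] ?? key
    }
}

// Constructed sample input: one entry with the invalid wildcard form from the e2e values.
let sampleJSON = #"{"login.ops.example.com": "*.ops.example.com", "login.bnbc.example": ".bnbc.example"}"#

do {
    let resolver = try CookieDomainResolver(json: sampleJSON)
    print(resolver.cookieDomain(forHost: "login.ops.example.com"))
    print(resolver.cookieDomain(forHost: "LOGIN.bnbc.example"))
    print(resolver.cookieDomain(forHost: "unmapped.example"))
} catch {
    print("invalid COOKIE_DOMAINS value: \(error)")
}
```

Lowercasing both the configured hosts and the incoming host keeps the lookup stable regardless of how the Host header is cased, and the wildcard rewrite means a misconfigured values file degrades to a working broad-domain cookie instead of a cookie the browser never stores.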
- Remove trailing whitespace in TokenController.swift
- Extract session storage configuration into configureSessionStorage() and configureInMemoryStorage() to fix function body length warning in configure.swift
WebKit/Safari may not send SameSite=Strict cookies on meta-refresh navigations, causing the /logout/finalize endpoint to fail when the uitsmijter-sso cookie is absent. The doLogout method now uses try? for JWT verification and falls back to the tenant resolved by RequestClientMiddleware from the location query parameter. Also removes leftover debug dump() calls from TokenController and a misleading debug log from configure.swift.
Summary
- .ops.example.com) and an OAuth login page on a different host (e.g. login.ops.example.com), the browser holds two separate SSO cookies. Logout now invalidates both via ExtraCookiesMiddleware, which appends extra Set-Cookie headers after Vapor's SessionsMiddleware dictionary round-trip.
- cookieDomain mapping: The per-domain cookieDomain from values.domains[] is now passed to the application via a domain-cookies ConfigMap (COOKIE_DOMAINS env var), so OAuth login cookies are set on the correct broad domain.
- /logout/finalize no longer requires a valid JWT — WebKit may not send SameSite=Strict cookies on meta-refresh navigations. The endpoint falls back to the tenant from RequestClientMiddleware.
- *.example.com in Helm values is automatically sanitized to .example.com.
Test plan
- swift build compiles without errors.
- ./tooling.sh lint — 0 violations
- swift test --filter LoginControllerLogoutTests — 6/6 tests pass.
- ./tooling.sh e2e — 837 passed, 28 skipped, 0 failures (all browsers including WebKit)
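The summary's first point is that logout must clear the SSO cookie on both the login host and the broad interceptor domain, because a browser that holds two cookies of the same name keeps the one you forgot. The following is an added example, not Uitsmijter's ExtraCookiesMiddleware: plain Swift that builds the extra Set-Cookie header values a logout response should carry, one per cookie scope, and skips any configured domain that cannot legally cover the request host. The function name, the attribute set and the sample domains are assumptions; the cookie name uitsmijter-sso is taken from the PR.

```swift
import Foundation

// Hypothetical helper (added example, not the project's ExtraCookiesMiddleware).
// A cookie is identified by (name, domain, path), so the deletion must repeat
// the same Domain/Path the login flow used. Other attributes do not affect matching.
struct CookieScope: Hashable {
    let domain: String?   // nil means a host-only cookie (no Domain attribute at all)
    let path: String
}

/// RFC 6265 domain matching: a Domain attribute is only accepted when it equals the
/// request host or is a parent domain of it. Anything else is rejected by the browser,
/// so emitting such a header would be useless noise on the logout response.
func domainMatches(_ domain: String, host: String) -> Bool {
    let d = (domain.hasPrefix(".") ? String(domain.dropFirst()) : domain).lowercased()
    let h = host.lowercased()
    return h == d || h.hasSuffix("." + d)
}

/// Build the Set-Cookie values that expire `cookieName` for the host-only scope and for
/// every configured broad domain that actually covers `host`. Wildcard entries are
/// rewritten to their leading-dot form and duplicates are collapsed.
func logoutSetCookieHeaders(cookieName: String,
                            host: String,
                            broadDomains: [String],
                            path: String = "/") -> [String] {
    var scopes: [CookieScope] = [CookieScope(domain: nil, path: path)]
    for raw in broadDomains {
        var d = raw.trimmingCharacters(in: .whitespacesAndNewlines).lowercased()
        if d.hasPrefix("*.") {
            d.removeFirst()                       // "*.x" is invalid; use ".x"
        }
        guard domainMatches(d, host: host) else { continue }
        scopes.append(CookieScope(domain: d, path: path))
    }

    var seen = Set<CookieScope>()
    var headers: [String] = []
    for scope in scopes {
        guard seen.insert(scope).inserted else { continue }
        var parts = [
            "\(cookieName)=",
            "Path=\(scope.path)",
            "Max-Age=0",
            "Expires=Thu, 01 Jan 1970 00:00:00 GMT",
            "HttpOnly",
            "Secure",
            "SameSite=Strict"
        ]
        if let domain = scope.domain {
            parts.insert("Domain=\(domain)", at: 1)
        }
        headers.append(parts.joined(separator: "; "))
    }
    return headers
}

// Constructed sample: the login host, its broad domain in both valid and wildcard
// spelling (collapses to one header), and an unrelated domain that must be skipped.
let headers = logoutSetCookieHeaders(
    cookieName: "uitsmijter-sso",
    host: "login.ops.example.com",
    broadDomains: [".ops.example.com", "*.ops.example.com", ".other.example"]
)
for header in headers {
    print("Set-Cookie: \(header)")
}
```

Because each value is a separate Set-Cookie header rather than a comma-joined list, they can be appended to a response after any session middleware has written its own cookie, which is the ordering the summary describes. A quick way to confirm the fix in a browser is to check after logout that neither a host-only nor a .ops.example.com cookie named uitsmijter-sso remains in the cookie store.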