set the right domain

2026-04-19 13:30:47 +01:00
parent 00e8f167f9
commit 26cfe4eb5b
3 changed files with 50 additions and 3 deletions
+3 -1
@@ -1,3 +1,4 @@
import { getCookieDomain } from "@/lib/getDomain";
import { NextResponse } from "next/server";
export async function GET(req: Request) {
@@ -5,6 +6,7 @@ export async function GET(req: Request) {
const code = url.searchParams.get("code");
const origin = url.origin;
const isHttps = url.protocol === "https:";
const domain = getCookieDomain(url.hostname); // ← domain only
if (!code) {
return NextResponse.redirect(`${origin}/login?error=missing_code`);
@@ -49,7 +51,7 @@ export async function GET(req: Request) {
sameSite: "lax",
path: "/",
maxAge: data.expires_in,
domain: "localhost",
...(domain ? { domain } : {}),
});
return res;
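Review bot: The cookie written at the new `...(domain ? { domain } : {})` line is now scoped to the parent domain whenever `getCookieDomain` returns one, so the token is sent to every subdomain of that root, including hosts that are not part of this application. Unless cross-subdomain sharing is required, a host-only cookie (omit `domain` entirely) is the narrower default; if sharing is intended, record it on that line, e.g. `// domain cookie: deliberately shared with all subdomains of the root for SSO`. The `// ← domain only` comment on the new `domain` line says nothing a reader needs and could instead state the contract, `// parent domain for the session cookie, or undefined for localhost/IP hosts`. The hunk does not show the `httpOnly`/`secure` attributes (`isHttps` is computed in the earlier hunk but not used in the visible lines), so I cannot confirm they are set. GET's body starts and ends outside the hunk.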
+6 -2
@@ -1,6 +1,10 @@
export async function GET() {
export async function GET(req: Request) {
const url = new URL(req.url);
const origin = url.origin;
const redirect = encodeURIComponent(
"http://localhost:3000/api/auth/callback"
`${origin}/api/auth/callback`
);
const keycloakUrl =
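Review bot: The OAuth `redirect_uri` is now derived from `url.origin`, i.e. from the incoming `req.url`, so the redirect target depends on request-provided scheme and host rather than on configuration; behind a reverse proxy it may also resolve to the internal origin instead of the public one. The authorization server should reject a redirect_uri that is not registered for the client, but relying on that alone is fragile if a wildcard registration exists, so a configured canonical base URL (placeholder `APP_BASE_URL`) is the safer source, with the request origin as a fallback only for local development, e.g. `const base = process.env.APP_BASE_URL ?? origin;`. The function body continues past the hunk.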
+41
@@ -0,0 +1,41 @@
const PUBLIC_SUFFIX_BLOCKLIST = new Set([
"localhost",
"127.0.0.1",
]);
export function getCookieDomain(hostname: string): string | undefined {
if (!hostname) return undefined;
const cleanHost = hostname.toLowerCase().split(":")[0];
// 1. Local / dev environments → no domain
if (PUBLIC_SUFFIX_BLOCKLIST.has(cleanHost) || cleanHost.endsWith(".local")) {
return undefined;
}
const parts = cleanHost.split(".").filter(Boolean);
// 2. IP address → no domain cookies
const isIp = parts.every((p) => /^\d+$/.test(p));
if (isIp) return undefined;
// 3. Must have at least domain + tld
if (parts.length < 2) return undefined;
// 4. Handle common case: api.example.com → example.com
const rootDomain = parts.slice(-2).join(".");
// 5. Safety: avoid setting cookie on known public suffix-like domains
const unsafeTlds = new Set([
"vercel.app",
"netlify.app",
"github.io",
"firebaseapp.com",
]);
if (unsafeTlds.has(rootDomain)) {
return undefined;
}
return `.${rootDomain}`;
}
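Review bot: `parts.slice(-2)` in `getCookieDomain` assumes every registrable domain is exactly two labels, so for hosts under multi-label public suffixes (e.g. `app.example.co.uk`) it returns `.co.uk`, a public suffix that browsers refuse to set cookies on, and the login cookie is silently dropped. The `unsafeTlds` set covers only four hosting providers and cannot stand in for a public-suffix list. Without adding such a list, the practical mitigation is to let deployments override the computed domain via configuration and to document the limitation in a TSDoc comment on the export, e.g. `Heuristic: uses the last two labels; wrong for multi-label public suffixes such as co.uk — supply the cookie domain via config when deploying under one.` Separately, `unsafeTlds` is rebuilt on every call and should be hoisted to module scope as a `const` beside `PUBLIC_SUFFIX_BLOCKLIST`, which is itself misnamed since it holds loopback hosts rather than public suffixes.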