From 611fbf6b322657e57dae5b58b01cb7e39846170e Mon Sep 17 00:00:00 2001
From: loks0n <22452787+loks0n@users.noreply.github.com>
Date: Fri, 21 Jul 2023 11:08:34 +0100
Subject: [PATCH 1/2] feat: X domain console cookie
---
 .env | 1 +
 app/config/variables.php | 9 +++++++++
 app/controllers/general.php | 22 +++++++++++++++-------
 docker-compose.yml | 1 +
 4 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/.env b/.env
index 372bfd7baa..60c2fffa07 100644
--- a/.env
+++ b/.env
@@ -4,6 +4,7 @@ _APP_WORKER_PER_CORE=6
 _APP_CONSOLE_WHITELIST_ROOT=disabled
 _APP_CONSOLE_WHITELIST_EMAILS=
 _APP_CONSOLE_WHITELIST_IPS=
+_APP_CONSOLE_ROOT_SESSION=disabled
 _APP_SYSTEM_EMAIL_NAME=Appwrite
 _APP_SYSTEM_EMAIL_ADDRESS=team@appwrite.io
 _APP_SYSTEM_SECURITY_EMAIL_ADDRESS=security@appwrite.io
diff --git a/app/config/variables.php b/app/config/variables.php
index 3d967eb828..3160fbf5c2 100644
--- a/app/config/variables.php
+++ b/app/config/variables.php
@@ -105,6 +105,15 @@ return [
 'question' => '',
 'filter' => ''
 ],
+ [
+ 'name' => '_APP_CONSOLE_ROOT_SESSION',
+ 'description' => 'Domain policy for the Appwrite console session cookie. By default, set to \'disabled\', meaning the session cookie will be set to the domain of the Appwrite console (e.g. cloud.appwrite.io). When set to \'enabled\', the session cookie will be set to the registerable domain of the Appwrite server (e.g. appwrite.io).',
+ 'introduction' => '',
+ 'default' => 'disabled',
+ 'required' => false,
+ 'question' => '',
+ 'filter' => ''
+ ],
 [
 'name' => '_APP_SYSTEM_EMAIL_NAME',
 'description' => 'This is the sender name value that will appear on email messages sent to developers from the Appwrite console. The default value is: \'Appwrite\'. You can use url encoded strings for spaces and special chars.',
diff --git a/app/controllers/general.php b/app/controllers/general.php
index f3ae607db8..fda8929fa6 100644
--- a/app/controllers/general.php
+++ b/app/controllers/general.php
@@ -175,13 +175,21 @@ App::init()
 $endDomain->getRegisterable() !== ''
 );

- Config::setParam('cookieDomain', (
- $request->getHostname() === 'localhost' ||
- $request->getHostname() === 'localhost:' . $request->getPort() ||
- (\filter_var($request->getHostname(), FILTER_VALIDATE_IP) !== false)
- )
- ? null
- : '.' . $request->getHostname());
+ $isLocalHost = $request->getHostname() === 'localhost' || $request->getHostname() === 'localhost:' . $request->getPort();
+ $isIpAddress = filter_var($request->getHostname(), FILTER_VALIDATE_IP) !== false;
+
+ $isConsoleProject = $project->getAttribute('$id', '') === 'console';
+ $isConsoleRootSession = App::getEnv('_APP_CONSOLE_ROOT_SESSION', 'disabled') === 'enabled';
+
+ Config::setParam(
+ 'cookieDomain',
+ $isLocalHost || $isIpAddress
+ ? null
+ : ($isConsoleProject && $isConsoleRootSession
+ ? '.' . $selfDomain->getRegisterable()
+ : '.' . $request->getHostname()
+ )
+ );

 /*
 * Response format
diff --git a/docker-compose.yml b/docker-compose.yml
index ecb10b9eea..560c42ae38 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -100,6 +100,7 @@ services:
 - _APP_CONSOLE_WHITELIST_ROOT
 - _APP_CONSOLE_WHITELIST_EMAILS
 - _APP_CONSOLE_WHITELIST_IPS
+ - _APP_CONSOLE_ROOT_SESSION
 - _APP_SYSTEM_EMAIL_NAME
 - _APP_SYSTEM_EMAIL_ADDRESS
 - _APP_SYSTEM_SECURITY_EMAIL_ADDRESS
From 80aa2374d1753c68eddc830e44913d0dff16d871 Mon Sep 17 00:00:00 2001
From: loks0n <22452787+loks0n@users.noreply.github.com>
Date: Fri, 21 Jul 2023 11:23:08 +0100
Subject: [PATCH 2/2] chore: add var to docker
---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Dockerfile b/Dockerfile
index 1a55209208..27323b6dba 100755
--- a/Dockerfile
+++ b/Dockerfile
@@ -51,6 +51,7 @@ ENV _APP_SERVER=swoole \
 _APP_CONSOLE_WHITELIST_ROOT=enabled \
 _APP_CONSOLE_WHITELIST_EMAILS= \
 _APP_CONSOLE_WHITELIST_IPS= \
+ _APP_CONSOLE_ROOT_SESSION= \
 _APP_SYSTEM_EMAIL_NAME= \
 _APP_SYSTEM_EMAIL_ADDRESS= \
 _APP_SYSTEM_RESPONSE_FORMAT= \
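Review bot: In the app/controllers/general.php hunk, the new `cookieDomain` expression concatenates `'.' . $selfDomain->getRegisterable()` without checking for an empty result, although the context line at the top of the hunk (`$endDomain->getRegisterable() !== ''`) indicates this method can return `''`; the cookie domain would then be a bare `.`, which browsers are likely to reject, so console login would break on hosts with no registerable domain. A fallback keeps the previous behaviour in that case: `$rootDomain = $selfDomain->getRegisterable();` followed by `? '.' . ($rootDomain !== '' ? $rootDomain : $request->getHostname())`. Separately, scoping the console session cookie to the registerable domain widens it to every sibling subdomain, so any host under that domain serving less-trusted content falls inside the session's scope; the `_APP_CONSOLE_ROOT_SESSION` description in app/config/variables.php should state this, e.g. `Only enable when every subdomain of the registerable domain is trusted with console sessions.` `$selfDomain` and `$project` are defined outside the hunk, so how they are derived from the request is not visible here.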