Fixed a bug where the session was not set properly when the API used an IP with non-standard port as hostname #353
This commit is contained in:
Eldad Fux
parent
3aca35c130
commit
3491836b6a
|
|
@ -13,6 +13,7 @@
|
|||
- Fixed a bug where single permission tag in the console was not being saved
|
||||
- Added missing webhooks events in the console
|
||||
- Added missing option to delete project
|
||||
- Fixed a bug where the session was not set properly when the API used an IP with non-standard port as hostname
|
||||
|
||||
## Security
|
||||
|
||||
|
|
|
|||
|
|
@ -69,11 +69,12 @@ $utopia->init(function () use ($utopia, $request, $response, &$user, $project, $
|
|||
$refDomain = $protocol.'://'.((in_array($origin, $clients))
|
||||
? $origin : 'localhost') . (!empty($port) ? ':'.$port : '');
|
||||
|
||||
$selfDomain = new Domain(Config::getParam('domain'));
|
||||
$selfDomain = new Domain(Config::getParam('hostname'));
|
||||
$endDomain = new Domain($origin);
|
||||
|
||||
Config::setParam('domainVerification',
|
||||
($selfDomain->getRegisterable() === $endDomain->getRegisterable()));
|
||||
($selfDomain->getRegisterable() === $endDomain->getRegisterable()) &&
|
||||
$endDomain->getRegisterable() !== '');
|
||||
|
||||
/*
|
||||
* Security Headers
|
||||
|
|
|
|||
|
|
@ -66,6 +66,7 @@ Config::setParam('domainVerification', false);
|
|||
Config::setParam('version', $request->getServer('_APP_VERSION', 'UNKNOWN'));
|
||||
Config::setParam('protocol', $request->getServer('HTTP_X_FORWARDED_PROTO', $request->getServer('REQUEST_SCHEME', 'https')));
|
||||
Config::setParam('port', (string) parse_url(Config::getParam('protocol').'://'.$request->getServer('HTTP_HOST', ''), PHP_URL_PORT));
|
||||
Config::setParam('hostname', parse_url(Config::getParam('protocol').'://'.$request->getServer('HTTP_HOST', null), PHP_URL_HOST));
|
||||
|
||||
$utopia = new App('Asia/Tel_Aviv', Config::getParam('env'));
|
||||
|
||||
|
|
@ -76,10 +77,11 @@ define('COOKIE_DOMAIN',
|
|||
(
|
||||
$request->getServer('HTTP_HOST', null) === 'localhost' ||
|
||||
$request->getServer('HTTP_HOST', null) === 'localhost:'.Config::getParam('port') ||
|
||||
(filter_var($request->getServer('HTTP_HOST', null), FILTER_VALIDATE_IP) !== false)
|
||||
(filter_var(Config::getParam('hostname'), FILTER_VALIDATE_IP) !== false)
|
||||
)
|
||||
? null
|
||||
: '.'.parse_url(Config::getParam('protocol').'://'.$request->getServer('HTTP_HOST', ''), PHP_URL_HOST));
|
||||
: '.'.Config::getParam('hostname')
|
||||
);
|
||||
define('COOKIE_SAMESITE', Response::COOKIE_SAMESITE_NONE);
|
||||
|
||||
/*
|
||||
|
|
@ -256,7 +258,7 @@ if (APP_MODE_ADMIN === $mode) {
|
|||
$session = Auth::decodeSession(
|
||||
$request->getCookie(Auth::$cookieName, // Get sessions
|
||||
$request->getCookie(Auth::$cookieName.'_legacy', // Get fallback session from old clients (no SameSite support)
|
||||
$request->getHeader('X-Appwrite-Key', '')))); // Get API Key
|
||||
$request->getHeader('X-Appwrite-Key', '')))); // Get API Key
|
||||
|
||||
// Get fallback session from clients who block 3rd-party cookies
|
||||
$response->addHeader('X-Debug-Fallback', 'false');
|
||||
|
|
|
|||
Loading…
Reference in a new issue