From 3491836b6a67774b12440fa09a0f860998613463 Mon Sep 17 00:00:00 2001
From: Eldad Fux
Date: Thu, 28 May 2020 13:10:38 +0300
Subject: [PATCH] Fixed a bug where the session was not set properly when the API used an IP with non-standard port as hostname #353

---
 CHANGES.md | 1 +
 app/app.php | 5 +++--
 app/init.php | 8 +++++---
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index caab53b6d..39a104637 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -13,6 +13,7 @@
 - Fixed a bug where single permission tag in the console was not being saved
 - Added missing webhooks events in the console
 - Added missing option to delete project
+- Fixed a bug where the session was not set properly when the API used an IP with non-standard port as hostname
 ## Security
diff --git a/app/app.php b/app/app.php
index 447a593ae..9fba836c2 100644
--- a/app/app.php
+++ b/app/app.php
@@ -69,11 +69,12 @@ $utopia->init(function () use ($utopia, $request, $response, &$user, $project, $
     $refDomain = $protocol.'://'.((in_array($origin, $clients)) ? $origin : 'localhost') . (!empty($port) ? ':'.$port : '');
-    $selfDomain = new Domain(Config::getParam('domain'));
+    $selfDomain = new Domain(Config::getParam('hostname'));
     $endDomain = new Domain($origin);
     Config::setParam('domainVerification',
-        ($selfDomain->getRegisterable() === $endDomain->getRegisterable()));
+        ($selfDomain->getRegisterable() === $endDomain->getRegisterable()) &&
+        $endDomain->getRegisterable() !== '');
 /*
  * Security Headers
diff --git a/app/init.php b/app/init.php
index 88e58cef7..98df75477 100644
--- a/app/init.php
+++ b/app/init.php
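Review bot: `$selfDomain` is now built from `Config::getParam('hostname')`, which this same patch derives from the request's raw `HTTP_HOST` header in init.php, so both operands of the `domainVerification` comparison are client-supplied unless the web server or proxy pins the Host header; a request whose `Host` and `Origin` share a registrable domain passes the check regardless of the deployment's configured domain. Whether that matters depends on what `domainVerification` gates (not visible here), but if it is security-relevant the self domain should come from configuration or from an allow-listed Host rather than from the request. Separately, `parse_url()` yields `null` or `false` when no host can be extracted, so `new Domain(Config::getParam('hostname'))` may receive a non-string; unless `Domain` tolerates that, coerce it: `$selfDomain = new Domain((string) Config::getParam('hostname'));`. The enclosing `$utopia->init(...)` closure begins and ends outside the hunk.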
@@ -66,6 +66,7 @@ Config::setParam('domainVerification', false);
 Config::setParam('version', $request->getServer('_APP_VERSION', 'UNKNOWN'));
 Config::setParam('protocol', $request->getServer('HTTP_X_FORWARDED_PROTO', $request->getServer('REQUEST_SCHEME', 'https')));
 Config::setParam('port', (string) parse_url(Config::getParam('protocol').'://'.$request->getServer('HTTP_HOST', ''), PHP_URL_PORT));
+Config::setParam('hostname', parse_url(Config::getParam('protocol').'://'.$request->getServer('HTTP_HOST', null), PHP_URL_HOST));
 $utopia = new App('Asia/Tel_Aviv', Config::getParam('env'));
@@ -76,10 +77,11 @@ define('COOKIE_DOMAIN', (
     $request->getServer('HTTP_HOST', null) === 'localhost' ||
     $request->getServer('HTTP_HOST', null) === 'localhost:'.Config::getParam('port') ||
-    (filter_var($request->getServer('HTTP_HOST', null), FILTER_VALIDATE_IP) !== false)
+    (filter_var(Config::getParam('hostname'), FILTER_VALIDATE_IP) !== false)
 ) ? null
-    : '.'.parse_url(Config::getParam('protocol').'://'.$request->getServer('HTTP_HOST', ''), PHP_URL_HOST));
+    : '.'.Config::getParam('hostname')
+    );
 define('COOKIE_SAMESITE', Response::COOKIE_SAMESITE_NONE);
 /*
@@ -256,7 +258,7 @@ if (APP_MODE_ADMIN === $mode) {
     $session = Auth::decodeSession(
         $request->getCookie(Auth::$cookieName, // Get sessions
             $request->getCookie(Auth::$cookieName.'_legacy', // Get fallback session from old clients (no SameSite support)
-                $request->getHeader('X-Appwrite-Key', '')))); // Get API Key
+                $request->getHeader('X-Appwrite-Key', '')))); // Get API Key // Get fallback session from clients who block 3rd-party cookies
     $response->addHeader('X-Debug-Fallback', 'false');
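Review bot: The new `hostname` parameter is taken from the raw `HTTP_HOST` header without validation, and `parse_url()` returns `null` (or `false` for an unparsable value) rather than a string when the header is missing or malformed, so the consumers this patch adds (`COOKIE_DOMAIN`, `$selfDomain`) can receive a non-string. Unless the web server rejects unknown Host values, whatever the client sends becomes the trusted hostname used for cookie scoping and domain verification, so at minimum coerce it and validate it before use: `$hostname = (string) parse_url(Config::getParam('protocol').'://'.$request->getServer('HTTP_HOST', ''), PHP_URL_HOST);` then `Config::setParam('hostname', $hostname);`, with a `FILTER_VALIDATE_DOMAIN` or `FILTER_VALIDATE_IP` check on `$hostname`. The `port` line above defaults `HTTP_HOST` to `''` while this line defaults it to `null`; the two should agree.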
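Review bot: The two `localhost` tests still compare the full `HTTP_HOST` (including port) while the rewritten IP test uses the port-stripped `hostname`, so the guard reads the same header in two forms; with `hostname` available the condition collapses to `Config::getParam('hostname') === 'localhost' || filter_var(Config::getParam('hostname'), FILTER_VALIDATE_IP) !== false`, which covers both `localhost` and `localhost:<port>`. When `hostname` is `null` (absent or unparsable Host header) the else branch produces `COOKIE_DOMAIN === '.'`, an invalid `Domain` attribute whose handling is browser-dependent, so the cookie may silently fail to set — the same symptom this patch fixes for IP hosts; adding `empty(Config::getParam('hostname')) ||` in front of the guard yields a host-only cookie in that case instead. The `define('COOKIE_DOMAIN', ...)` call begins in the hunk header, before the first shown line.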
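Review bot: The appended comment `// Get API Key // Get fallback session from clients who block 3rd-party cookies` leaves two labels on one line and it is unclear which describes `X-Appwrite-Key`; if the header can carry either an API key or a session token, say so in one sentence, e.g. `// X-Appwrite-Key: API key, or session token for clients that block 3rd-party cookies`. This comment is the only change in the hunk, so accepting that header in the cookie's place is pre-existing behaviour, not introduced here. The enclosing `if (APP_MODE_ADMIN === $mode)` block begins before the hunk and continues past it.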