Fix domain for auth cookie

The domain was incorrectly extracted from the request. It must be using the `Host` header at last, trying now `X-Forwarded-For` and `X-Forwarded-Host` first.
2025-06-21 09:58:26 +00:00 · 2020-09-28 00:28:31 +02:00
parent ee3ae0a402
commit 67e1ba05f4
2 changed files with 33 additions and 3 deletions
--- a/modules/restserver/src/main/scala/docspell/restserver/http4s/ClientHost.scala
+++ b/modules/restserver/src/main/scala/docspell/restserver/http4s/ClientHost.scala
@ -0,0 +1,29 @@
+package docspell.restserver.http4s
+
+import org.http4s._
+import org.http4s.headers._
+import org.http4s.util.CaseInsensitiveString
+
+/** Obtain the host name of the client from the request.
+  */
+object ClientHost {
+
+  def get[F[_]](req: Request[F]): Option[String] =
+    xForwardedFor(req)
+      .orElse(xForwardedHost(req))
+      .orElse(host(req))
+
+  private def host[F[_]](req: Request[F]): Option[String] =
+    req.headers.get(Host).map(_.host)
+
+  private def xForwardedFor[F[_]](req: Request[F]): Option[String] =
+    req.headers
+      .get(`X-Forwarded-For`)
+      .flatMap(_.values.head)
+      .flatMap(inet => Option(inet.getHostName).orElse(Option(inet.getHostAddress)))
+
+  private def xForwardedHost[F[_]](req: Request[F]): Option[String] =
+    req.headers
+      .get(CaseInsensitiveString("X-Forwarded-Host"))
+      .map(_.value)
+}
--- a/modules/restserver/src/main/scala/docspell/restserver/routes/LoginRoutes.scala
+++ b/modules/restserver/src/main/scala/docspell/restserver/routes/LoginRoutes.scala
@ -7,6 +7,7 @@ import docspell.backend.auth._
 import docspell.restapi.model._
 import docspell.restserver._
 import docspell.restserver.auth._
+import docspell.restserver.http4s.ClientHost

 import org.http4s._
 import org.http4s.circe.CirceEntityDecoder._
@ -23,7 +24,7 @@ object LoginRoutes {
      for {
        up  <- req.as[UserPass]
        res <- S.loginUserPass(cfg.auth)(Login.UserPass(up.account, up.password))
-        remote = req.from.map(_.getHostName())
+        remote = ClientHost.get(req)
        resp <- makeResponse(dsl, cfg, remote, res, up.account)
      } yield resp
    }
@ -37,10 +38,10 @@ object LoginRoutes {
      case req @ POST -> Root / "session" =>
        Authenticate
          .authenticateRequest(S.loginSession(cfg.auth))(req)
-          .flatMap(res => makeResponse(dsl, cfg, req.from.map(_.getHostName), res, ""))
+          .flatMap(res => makeResponse(dsl, cfg, ClientHost.get(req), res, ""))

      case req @ POST -> Root / "logout" =>
-        Ok().map(_.addCookie(CookieData.deleteCookie(cfg, req.from.map(_.getHostName))))
+        Ok().map(_.addCookie(CookieData.deleteCookie(cfg, ClientHost.get(req))))
    }
  }