Get the client host first from x-forwarded-host header

Then use the x-forwarded-for header (doing a reverse lookup, if
possible). At last use the Host header.

modules/restserver/src/main/scala/docspell/restserver/auth/CookieData.scala

@@ -11,8 +11,8 @@ case class CookieData(auth: AuthToken) {
   def accountId: AccountId = auth.account
   def asString: String     = auth.asString
 
-  def asCookie(cfg: Config, host: Option[String]): ResponseCookie = {
+  def asCookie(cfg: Config): ResponseCookie = {
-    val domain = CookieData.getDomain(cfg, host)
+    val domain = CookieData.getDomain(cfg)
     val sec    = cfg.baseUrl.scheme.exists(_.endsWith("s"))
     val path   = cfg.baseUrl.path / "api" / "v1" / "sec"
     ResponseCookie(
@@ -29,8 +29,8 @@ object CookieData {
   val cookieName = "docspell_auth"
   val headerName = "X-Docspell-Auth"
 
-  private def getDomain(cfg: Config, remote: Option[String]): Option[String] =
+  private def getDomain(cfg: Config): Option[String] =
-    if (cfg.baseUrl.isLocal) remote.orElse(cfg.baseUrl.host)
+    if (cfg.baseUrl.isLocal) None
     else cfg.baseUrl.host
 
   def authenticator[F[_]](r: Request[F]): Either[String, String] =
@@ -51,11 +51,11 @@ object CookieData {
       .map(_.value)
       .toRight("Couldn't find an authenticator")
 
-  def deleteCookie(cfg: Config, remoteHost: Option[String]): ResponseCookie =
+  def deleteCookie(cfg: Config): ResponseCookie =
     ResponseCookie(
       cookieName,
       "",
-      domain = getDomain(cfg, remoteHost),
+      domain = getDomain(cfg),
       path = Some(cfg.baseUrl.path / "api" / "v1" / "sec").map(_.asString),
       httpOnly = true,
       secure = cfg.baseUrl.scheme.exists(_.endsWith("s")),

modules/restserver/src/main/scala/docspell/restserver/http4s/ClientHost.scala

@@ -9,8 +9,8 @@ import org.http4s.util.CaseInsensitiveString
 object ClientHost {
 
   def get[F[_]](req: Request[F]): Option[String] =
-    xForwardedFor(req)
+    xForwardedHost(req)
-      .orElse(xForwardedHost(req))
+      .orElse(xForwardedFor(req))
       .orElse(host(req))
 
   private def host[F[_]](req: Request[F]): Option[String] =

modules/restserver/src/main/scala/docspell/restserver/routes/LoginRoutes.scala

@@ -7,7 +7,6 @@ import docspell.backend.auth._
 import docspell.restapi.model._
 import docspell.restserver._
 import docspell.restserver.auth._
-import docspell.restserver.http4s.ClientHost
 
 import org.http4s._
 import org.http4s.circe.CirceEntityDecoder._
@@ -24,8 +23,7 @@ object LoginRoutes {
       for {
         up  <- req.as[UserPass]
         res <- S.loginUserPass(cfg.auth)(Login.UserPass(up.account, up.password))
-        remote = ClientHost.get(req)
+        resp <- makeResponse(dsl, cfg, res, up.account)
-        resp <- makeResponse(dsl, cfg, remote, res, up.account)
       } yield resp
     }
   }
@@ -38,17 +36,16 @@ object LoginRoutes {
       case req @ POST -> Root / "session" =>
         Authenticate
           .authenticateRequest(S.loginSession(cfg.auth))(req)
-          .flatMap(res => makeResponse(dsl, cfg, ClientHost.get(req), res, ""))
+          .flatMap(res => makeResponse(dsl, cfg, res, ""))
 
-      case req @ POST -> Root / "logout" =>
+      case POST -> Root / "logout" =>
-        Ok().map(_.addCookie(CookieData.deleteCookie(cfg, ClientHost.get(req))))
+        Ok().map(_.addCookie(CookieData.deleteCookie(cfg)))
     }
   }
 
   def makeResponse[F[_]: Effect](
       dsl: Http4sDsl[F],
       cfg: Config,
-      remoteHost: Option[String],
       res: Login.Result,
       account: String
   ): F[Response[F]] = {
@@ -66,7 +63,7 @@ object LoginRoutes {
               Some(cd.asString),
               cfg.auth.sessionValid.millis
             )
-          ).map(_.addCookie(cd.asCookie(cfg, remoteHost)))
+          ).map(_.addCookie(cd.asCookie(cfg)))
         } yield resp
       case _ =>
         Ok(AuthResult("", account, false, "Login failed.", None, 0L))