@@ -98,27 +98,36 @@ export const redirect = (
9898
9999/**
100100 * Get the value that should be used for setting a cookie domain. This will
101- * allow the user to authenticate only once. This will use the highest level
102- * domain (e.g. `coder.com` over `test.coder.com` if both are specified).
101+ * allow the user to authenticate once no matter what sub-domain they use to log
102+ * in. This will use the highest level proxy domain (e.g. `coder.com` over
103+ * `test.coder.com` if both are specified).
103104 */
104105export const getCookieDomain = ( host : string , proxyDomains : string [ ] ) : string | undefined => {
105106 const idx = host . lastIndexOf ( ":" )
106107 host = idx !== - 1 ? host . substring ( 0 , idx ) : host
108+ // If any of these are true we will still set cookies but without an explicit
109+ // `Domain` attribute on the cookie.
107110 if (
108- // Might be blank/ missing, so there's nothing more to do .
111+ // The host can be be blank or missing so there's nothing we can set .
109112 ! host ||
110113 // IP addresses can't have subdomains so there's no value in setting the
111- // domain for them. Assume anything with a : is ipv6 (valid domain name
112- // characters are alphanumeric or dashes).
114+ // domain for them. Assume that anything with a : is ipv6 (valid domain name
115+ // characters are alphanumeric or dashes)...
113116 host . includes ( ":" ) ||
114- // Assume anything entirely numbers and dots is ipv4 (currently tlds
117+ // ...and that anything entirely numbers and dots is ipv4 (currently tlds
115118 // cannot be entirely numbers).
116119 ! / [ ^ 0 - 9 . ] / . test ( host ) ||
117- // localhost subdomains don't seem to work at all (browser bug?).
120+ // localhost subdomains don't seem to work at all (browser bug?). A cookie
121+ // set at dev.localhost cannot be read by 8080.dev.localhost.
118122 host . endsWith ( ".localhost" ) ||
119- // It might be localhost (or an IP, see above) if it's a proxy and it
120- // isn't setting the host header to match the access domain.
121- host === "localhost"
123+ // Domains without at least one dot (technically two since domain.tld will
124+ // become .domain.tld) are considered invalid according to the spec so don't
125+ // set the domain for them. In my testing though localhost is the only
126+ // problem (the browser just doesn't store the cookie at all). localhost has
127+ // an additional problem which is that a reverse proxy might give
128+ // code-server localhost even though the domain is really domain.tld (by
129+ // default NGINX does this).
130+ ! host . includes ( "." )
122131 ) {
123132 logger . debug ( "no valid cookie doman" , field ( "host" , host ) )
124133 return undefined
0 commit comments