fusionauth-issues
[Bug]: Hosted backend does not support second-level domains
What happened?
Problem
FusionAuth's hosted backend API creates cookies on the broadest domain that is not a top-level domain. This causes issues for second-level domains such as .co.uk, as the cookies are defined too broadly.
Solution
Set the cookie domain by removing the left-most subdomain from the current URL.
There are tradeoffs to any solution, but this approach seems to cover the broadest set of use cases. It allows for multiple subdomains for different environments or customers along with resolving the second-level domain issue.
Related
- https://github.com/FusionAuth/fusionauth-issues/issues/2479
Version
1.49.1
Affects Versions
>= 1.45.0
Suggest using the public suffix list https://publicsuffix.org/list/public_suffix_list.dat which will resolve this issue going forward for more than the co.uk domain.
I don't know how often that file changes, but it's licensed liberally and maintained.
https://publicsuffix.org/list/
If you wish to make your app download an updated list periodically, please use this URL and have your app download the list no more than once per day. (The list usually changes a few times per week; more frequent downloading is pointless and hammers our servers.)
The public suffix approach resolves this issue but does not resolve the related issue where a registrable domain has multiple FusionAuth deployments hosted on different subdomains or multiple domains that point to the same FusionAuth deployments.
I agree that it doesn't fix the related issue. But the related issue feels more like an enhancement, so I'd advocate solving it in a backwards compatible manner.
I also think we could take a subset of the public suffix list. We don't need to work with every one. We could take all the ICANN domains, or even just all the domains that have a two letter root domain (like the .ac and .uk ones).
I'd advocate for solving this bug in the right way, and solving https://github.com/FusionAuth/fusionauth-issues/issues/2479 via configuration in a backwards compatible way.
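To make the three cookie-domain strategies discussed in this thread concrete (the current "broadest non-TLD" behaviour from the issue description, the "strip the left-most label" fix it proposes, and the public suffix list approach suggested in the comments), here is an added, self-contained Python example. It is not code from FusionAuth or from this issue; the `PSL_SUBSET` rules are a constructed handful of entries in the format of `public_suffix_list.dat`, and the function names are illustrative. The public suffix matching follows the published algorithm (longest matching rule wins, `*` wildcards, `!` exceptions), and `registrable_domain` returns `None` when the host is itself a public suffix so a caller can refuse to set a cookie there rather than emitting an over-broad `Domain` attribute.

```python
"""Cookie-domain selection strategies for a hosted auth backend (added example)."""
from typing import List, Optional

# Constructed subset of public suffix rules, same syntax as public_suffix_list.dat.
PSL_SUBSET = """
// constructed subset for illustration only
com
uk
co.uk
org.uk
*.ck
!www.ck
"""


def parse_psl(text: str) -> List[str]:
    """Parse PSL text into lower-cased rules, dropping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("//", 1)[0].strip()
        if line:
            rules.append(line.lower())
    return rules


def _labels(host: str) -> List[str]:
    return host.lower().rstrip(".").split(".")


def broadest_non_tld_domain(host: str) -> str:
    """Current behaviour described in the issue: keep only the last two labels.

    Correct for example.com, but yields "co.uk" for anything under .co.uk."""
    return ".".join(_labels(host)[-2:])


def strip_leftmost_label(host: str) -> str:
    """Fix proposed in the issue: drop the left-most label of the request host.

    Works when the app lives on a subdomain (auth.example.co.uk -> example.co.uk),
    but a bare registrable domain (example.co.uk) still collapses to co.uk."""
    return ".".join(_labels(host)[1:])


def _rule_matches(rule: str, labels: List[str]) -> bool:
    """A rule matches when its labels equal the host's trailing labels; '*' matches any label."""
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == l for r, l in zip(reversed(rule_labels), reversed(labels)))


def public_suffix(host: str, rules: List[str]) -> str:
    """Return the public suffix of host per the PSL algorithm."""
    labels = _labels(host)
    matches = [r for r in rules if _rule_matches(r, labels)]
    exceptions = [r for r in matches if r.startswith("!")]
    if exceptions:
        # An exception rule wins; its suffix is the rule minus its left-most label.
        suffix_len = len(exceptions[0].split(".")) - 1
    elif matches:
        suffix_len = max(len(r.split(".")) for r in matches)
    else:
        suffix_len = 1  # implicit "*" rule: the TLD is the suffix
    return ".".join(labels[-suffix_len:])


def registrable_domain(host: str, rules: List[str]) -> Optional[str]:
    """Public suffix plus one label (eTLD+1), or None if host is itself a public suffix."""
    labels = _labels(host)
    suffix_len = len(public_suffix(host, rules).split("."))
    if len(labels) <= suffix_len:
        return None  # never set a cookie here: browsers reject it and it would be shared across sites
    return ".".join(labels[-(suffix_len + 1):])


def is_public_suffix(domain: str, rules: List[str]) -> bool:
    """Check used before emitting a Domain attribute: reject public suffixes outright."""
    return public_suffix(domain, rules) == domain.lower().rstrip(".")


if __name__ == "__main__":
    rules = parse_psl(PSL_SUBSET)
    for host in ("auth.example.co.uk", "example.co.uk", "app.example.com", "www.ck", "co.uk"):
        print(host, "->", broadest_non_tld_domain(host), strip_leftmost_label(host),
              registrable_domain(host, rules))
```

Running the module shows the bug and the limits of each fix side by side: the current strategy and the bare-host case of the left-most-label strategy both land on `co.uk`, while the PSL route yields `example.co.uk` and declines to choose a domain for `co.uk` itself. A real deployment would load the full list (refreshed no more than daily, as publicsuffix.org asks) rather than this constructed subset.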
Internal
- https://github.com/FusionAuth/fusionauth-app/pull/437