Address review feedback on COOKIE_DOMAIN

- Apply Domain attribute to all three Set-Cookie sites, including the
  origin-response success path that was missed in the first pass.
- Move the cookie builder into helpers/misc with input validation:
  trim whitespace and reject anything other than hostname-safe chars
  so a malformed env var can't inject into the Set-Cookie header.
- Invalid values are logged and ignored (cookie falls back to
  host-only), keeping the worker resilient to operator typos.

Author: luke-owen-crowdhandler

dist/README.md

@@ -1 +1 @@
-This folder contains the built output assets for the worker "crowdhandler-integration" generated at 2026-04-27T13:50:38.241Z.
+This folder contains the built output assets for the worker "crowdhandler-integration" generated at 2026-04-27T14:01:55.277Z.

dist/index.js

@@ -52,6 +52,23 @@ const helpers = {
     }
     return parsedCookie
   },
+  //Build a Set-Cookie value for the crowdhandler token, optionally with a
+  //Domain attribute so the cookie can be shared across subdomains of the
+  //configured parent. The raw value is trimmed and validated against
+  //hostname-safe characters so a typo'd or malicious env var can't inject
+  //into the Set-Cookie header.
+  buildCrowdhandlerCookie: function(tokenValue, rawCookieDomain) {
+    const parts = [`crowdhandler=${tokenValue}`, 'path=/', 'Secure']
+    if (rawCookieDomain) {
+      const trimmed = String(rawCookieDomain).trim()
+      if (/^\.?[a-zA-Z0-9.-]+$/.test(trimmed)) {
+        parts.push(`Domain=${trimmed}`)
+      } else {
+        console.warn(`[CH] Ignoring invalid COOKIE_DOMAIN value: ${JSON.stringify(rawCookieDomain)}`)
+      }
+    }
+    return parts.join('; ')
+  },
   queryStringParse: function(querystring) {
     const params = new URLSearchParams(querystring)
     let qStrObject = {}

dist/index.js.map

@@ -240,18 +240,6 @@ async function handleRequest(request, env, ctx) {
     whitelabel = true
   }
 
-  //Optional cookie Domain attribute. When set, the crowdhandler cookie is shared
-  //across subdomains of the configured value (e.g. ".barbican.org.uk" makes the
-  //cookie visible to both tickets.* and spektrix.*). Browsers reject Domain
-  //values that aren't a parent of the request host, so the operator is
-  //responsible for setting a valid value.
-  const cookieDomain = env.COOKIE_DOMAIN || null
-  const buildCrowdhandlerCookie = (tokenValue) => {
-    const parts = [`crowdhandler=${tokenValue}`, 'path=/', 'Secure']
-    if (cookieDomain) parts.push(`Domain=${cookieDomain}`)
-    return parts.join('; ')
-  }
-
   if (whitelabel === true) {
     waitingRoomDomain = `${host}/ch`
   } else {
@@ -360,7 +348,7 @@ async function handleRequest(request, env, ctx) {
   //If this is a freshly promoted session, strip the special CrowdHandler parameters by issuing a redirect.
   if (freshlyPromoted) {
     let setCookie = {
-      'Set-Cookie': buildCrowdhandlerCookie(token),
+      'Set-Cookie': helpers.buildCrowdhandlerCookie(token, env.COOKIE_DOMAIN),
     }
     let redirectLocation
     if (queryString) {
@@ -500,7 +488,7 @@ async function handleRequest(request, env, ctx) {
           status: 302,
           headers: Object.assign(helpers.noCacheHeaders, {
             Location: redirectLocation,
-            'Set-Cookie': buildCrowdhandlerCookie(responseBody.token),
+            'Set-Cookie': helpers.buildCrowdhandlerCookie(responseBody.token, env.COOKIE_DOMAIN),
           }),
         })
       } else {
@@ -537,7 +525,7 @@ async function handleRequest(request, env, ctx) {
   if (validToken.test(responseBody.token) === true) {
     modifiedOriginResponse.headers.append(
       'set-cookie',
-      `crowdhandler=${responseBody.token}; path=/; Secure`,
+      helpers.buildCrowdhandlerCookie(responseBody.token, env.COOKIE_DOMAIN),
     )
   }
   //Set integration method cookie