Skip to content

[BUG] Safe redirects fail when using private DNS zones without a public suffix #1006

Description

@cirogargatagli

Describe the Bug

When using a private DNS zone without a public suffix (for example home), TinyAuth derives the cookie domain as the full hostname instead of the parent domain.

Example:

APPURL=https://tinyauth.home

Results in:

CookieDomain = .tinyauth.home

instead of:

CookieDomain = .home

Because isRedirectSafe() validates redirects against runtime.CookieDomain, redirects to sibling subdomains are rejected even when they are configured as applications.

This causes redirects such as:

https://app.home

to be rejected with:

Unsafe redirect URI detected, ignoring

How to Reproduce

  1. Configure TinyAuth with:

APPURL=https://tinyauth.home

  1. Configure an application:

TINYAUTH_APPS_HOMEPAGE_CONFIG_DOMAIN=app.home

  1. Protect https://app.home using Caddy ForwardAuth.

  2. Authenticate using OAuth.

  3. After successful login TinyAuth redirects to:

https://tinyauth.home/continue?redirect_uri=https://app.home/

  1. TinyAuth rejects the redirect with:

Unsafe redirect URI detected

Expected Behavior

When subdomains are enabled, sibling subdomains within the same private DNS zone should be considered safe redirects.

For example:

APPURL=https://tinyauth.home

should allow redirects to:

https://app.home
https://jellyfin.home
https://immich.home

just as public domains already work.

Currently this only works for domains with a public suffix (example.com), but not for private DNS zones commonly used in homelabs.

Additional Context

The issue appears to originate from GetCookieDomain().

For APPURL=https://tinyauth.home, hostname becomes:

tinyauth.home

Since len(parts) == 2, the function immediately returns the hostname instead of the parent domain.

As a consequence:

runtime.CookieDomain = tinyauth.home

and isRedirectSafe() rejects redirects to sibling subdomains because they are not subdomains of tinyauth.home.

The existing unit tests for isRedirectSafe() indicate that sibling subdomains are expected to work when the cookie domain is the parent domain.

Logs

WRN Unsafe redirect URI detected, ignoring redirect_uri=https://app.home/

Operating System

Debian 13

Browser

Chrom

Tinyauth Version

v5.0.7

Docker Version (if applicable)

29.4.2

Human Written Confirmation

  • I confirm this issue was written by me and not generated by an LLM or AI assistant.

Metadata

Metadata

Assignees

Labels

bugSomething isn't working

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions