Describe the Bug
When using a private DNS zone without a public suffix (for example home), TinyAuth derives the cookie domain as the full hostname instead of the parent domain.
Example:
APPURL=https://tinyauth.home
Results in:
CookieDomain = .tinyauth.home
instead of:
CookieDomain = .home
Because isRedirectSafe() validates redirects against runtime.CookieDomain, redirects to sibling subdomains are rejected even when they are configured as applications.
This causes redirects such as:
https://app.home
to be rejected with:
Unsafe redirect URI detected, ignoring
How to Reproduce
- Configure TinyAuth with:
APPURL=https://tinyauth.home
- Configure an application:
TINYAUTH_APPS_HOMEPAGE_CONFIG_DOMAIN=app.home
-
Protect https://app.home using Caddy ForwardAuth.
-
Authenticate using OAuth.
-
After successful login TinyAuth redirects to:
https://tinyauth.home/continue?redirect_uri=https://app.home/
- TinyAuth rejects the redirect with:
Unsafe redirect URI detected
Expected Behavior
When subdomains are enabled, sibling subdomains within the same private DNS zone should be considered safe redirects.
For example:
APPURL=https://tinyauth.home
should allow redirects to:
https://app.home
https://jellyfin.home
https://immich.home
just as public domains already work.
Currently this only works for domains with a public suffix (example.com), but not for private DNS zones commonly used in homelabs.
Additional Context
The issue appears to originate from GetCookieDomain().
For APPURL=https://tinyauth.home, hostname becomes:
tinyauth.home
Since len(parts) == 2, the function immediately returns the hostname instead of the parent domain.
As a consequence:
runtime.CookieDomain = tinyauth.home
and isRedirectSafe() rejects redirects to sibling subdomains because they are not subdomains of tinyauth.home.
The existing unit tests for isRedirectSafe() indicate that sibling subdomains are expected to work when the cookie domain is the parent domain.
Logs
WRN Unsafe redirect URI detected, ignoring redirect_uri=https://app.home/
Operating System
Debian 13
Browser
Chrom
Tinyauth Version
v5.0.7
Docker Version (if applicable)
29.4.2
Human Written Confirmation
Describe the Bug
When using a private DNS zone without a public suffix (for example
home), TinyAuth derives the cookie domain as the full hostname instead of the parent domain.Example:
APPURL=https://tinyauth.home
Results in:
CookieDomain = .tinyauth.home
instead of:
CookieDomain = .home
Because
isRedirectSafe()validates redirects againstruntime.CookieDomain, redirects to sibling subdomains are rejected even when they are configured as applications.This causes redirects such as:
https://app.home
to be rejected with:
Unsafe redirect URI detected, ignoring
How to Reproduce
APPURL=https://tinyauth.home
TINYAUTH_APPS_HOMEPAGE_CONFIG_DOMAIN=app.home
Protect
https://app.homeusing Caddy ForwardAuth.Authenticate using OAuth.
After successful login TinyAuth redirects to:
https://tinyauth.home/continue?redirect_uri=https://app.home/
Unsafe redirect URI detected
Expected Behavior
When subdomains are enabled, sibling subdomains within the same private DNS zone should be considered safe redirects.
For example:
APPURL=https://tinyauth.home
should allow redirects to:
https://app.home
https://jellyfin.home
https://immich.home
just as public domains already work.
Currently this only works for domains with a public suffix (example.com), but not for private DNS zones commonly used in homelabs.
Additional Context
The issue appears to originate from
GetCookieDomain().For
APPURL=https://tinyauth.home,hostnamebecomes:tinyauth.home
Since
len(parts) == 2, the function immediately returns the hostname instead of the parent domain.As a consequence:
runtime.CookieDomain = tinyauth.home
and
isRedirectSafe()rejects redirects to sibling subdomains because they are not subdomains oftinyauth.home.The existing unit tests for
isRedirectSafe()indicate that sibling subdomains are expected to work when the cookie domain is the parent domain.Logs
WRN Unsafe redirect URI detected, ignoring redirect_uri=https://app.home/
Operating System
Debian 13
Browser
Chrom
Tinyauth Version
v5.0.7
Docker Version (if applicable)
29.4.2
Human Written Confirmation