diff --git a/server/auth/sessions/resource.ts b/server/auth/sessions/resource.ts
index 0bc7f092..3336ebde 100644
--- a/server/auth/sessions/resource.ts
+++ b/server/auth/sessions/resource.ts
@@ -170,9 +170,9 @@ export function serializeResourceSessionCookie(
 isHttp: boolean = false
 ): string {
 if (!isHttp) {
- return `${cookieName}_s=${token}; HttpOnly; SameSite=Strict; Max-Age=${SESSION_COOKIE_EXPIRES / 1000}; Path=/; Secure; Domain=${"." + domain}`;
+ return `${cookieName}_s=${token}; HttpOnly; SameSite=Lax; Max-Age=${SESSION_COOKIE_EXPIRES / 1000}; Path=/; Secure; Domain=${"." + domain}`;
 } else {
- return `${cookieName}=${token}; HttpOnly; SameSite=Strict; Max-Age=${SESSION_COOKIE_EXPIRES / 1000}; Path=/; Domain=${"." + domain}`;
+ return `${cookieName}=${token}; HttpOnly; SameSite=Lax; Max-Age=${SESSION_COOKIE_EXPIRES / 1000}; Path=/; Domain=${"." + domain}`;
 }
 }
@@ -182,9 +182,9 @@ export function createBlankResourceSessionTokenCookie(
 isHttp: boolean = false
 ): string {
 if (!isHttp) {
- return `${cookieName}_s=; HttpOnly; SameSite=Strict; Max-Age=0; Path=/; Secure; Domain=${"." + domain}`;
+ return `${cookieName}_s=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/; Secure; Domain=${"." + domain}`;
 } else {
- return `${cookieName}=; HttpOnly; SameSite=Strict; Max-Age=0; Path=/; Domain=${"." + domain}`;
+ return `${cookieName}=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/; Domain=${"." + domain}`;
 }
 }
diff --git a/server/lib/config.ts b/server/lib/config.ts
index 04f00335..74f2d9dd 100644
--- a/server/lib/config.ts
+++ b/server/lib/config.ts
@@ -41,7 +41,9 @@ const configSchema = z.object({
 domains: z.record(
 z.string(),
 z.object({
- base_domain: hostnameSchema.transform((url) => url.toLowerCase())
+ base_domain: hostnameSchema.transform((url) => url.toLowerCase()),
+ cert_resolver: z.string(),
+ prefer_wildcard_cert: z.boolean().optional()
 })
 ),
 server: z.object({
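Review bot: In server/auth/sessions/resource.ts, the switch from `SameSite=Strict` to `SameSite=Lax` in serializeResourceSessionCookie (and the identical change in createBlankResourceSessionTokenCookie) lands without a comment saying why the weaker setting is needed. With Lax the resource session cookie accompanies cross-site top-level GET navigations, and because it is scoped to the parent domain via `Domain=`, that holds for every subdomain; any GET route that accepts this cookie therefore has to be free of side effects. I would add a comment above the first return along the lines of `// Lax, not Strict: the cookie must survive the redirect back from the auth portal; GET handlers behind it must not change state`, adjusted to the actual reason, which the diff does not state. The attribute list is also repeated in four template strings, so a shared constant would keep the set and clear variants from drifting apart.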
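Review bot: In server/lib/config.ts, the new per-domain `cert_resolver: z.string()` is required, whereas the `traefik.cert_resolver` it replaces (removed in the following hunk) was `.optional()`. Config files that only set the old key will now fail validation for every domain, and a deployment without an HTTPS entrypoint (`https_entrypoint` is still optional) has to supply a resolver name it never uses. If that tightening is not intended, `cert_resolver: z.string().optional(),` keeps the previous contract; if it is intended, it needs a migration note, because the old `traefik.cert_resolver` and `traefik.prefer_wildcard_cert` keys are presumably dropped silently by the schema rather than rejected.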
@@ -89,8 +91,6 @@ const configSchema = z.object({
 traefik: z.object({
 http_entrypoint: z.string(),
 https_entrypoint: z.string().optional(),
- cert_resolver: z.string().optional(),
- prefer_wildcard_cert: z.boolean().optional(),
 additional_middlewares: z.array(z.string()).optional()
 }),
 gerbil: z.object({
@@ -290,6 +290,10 @@ export class Config {
 );
 }
+ public getDomain(domainId: string) {
+ return this.rawConfig.domains[domainId];
+ }
+
 private createTraefikConfig() {
 try {
 // check if traefik_config.yml and dynamic_config.yml exists in APP_PATH/traefik
diff --git a/server/routers/traefik/getTraefikConfig.ts b/server/routers/traefik/getTraefikConfig.ts
index 55e0e290..5f6f194f 100644
--- a/server/routers/traefik/getTraefikConfig.ts
+++ b/server/routers/traefik/getTraefikConfig.ts
@@ -143,9 +143,18 @@ export async function traefikConfigProvider(
 wildCard = `*.${domainParts.slice(1).join(".")}`;
 }
+ const configDomain = config.getDomain(resource.domainId);
+
+ if (!configDomain) {
+ logger.error(
+ `Failed to get domain from config for resource ${resource.resourceId}`
+ );
+ continue;
+ }
+
 const tls = {
- certResolver: config.getRawConfig().traefik.cert_resolver,
- ...(config.getRawConfig().traefik.prefer_wildcard_cert
+ certResolver: configDomain.cert_resolver,
+ ...(configDomain.prefer_wildcard_cert
 ? {
 domains: [
 {
diff --git a/src/app/auth/resource/[resourceId]/ResourceAuthPortal.tsx b/src/app/auth/resource/[resourceId]/ResourceAuthPortal.tsx
index 5eda0809..2b959094 100644
--- a/src/app/auth/resource/[resourceId]/ResourceAuthPortal.tsx
+++ b/src/app/auth/resource/[resourceId]/ResourceAuthPortal.tsx
@@ -263,7 +263,8 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
 }
 if (isAllowed) {
- window.location.href = props.redirect;
+ // window.location.href = props.redirect;
+ router.refresh();
 }
 }
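Review bot: In server/lib/config.ts, `getDomain` declares no return type, and indexing the `domains` record types the result as always defined unless `noUncheckedIndexedAccess` is enabled, even though the caller in getTraefikConfig.ts checks for a missing entry. Declaring the result as possibly undefined makes that contract visible to the compiler. A plain property lookup also returns inherited members for keys such as `constructor`, which would pass the caller's truthiness check; `return Object.hasOwn(this.rawConfig.domains, domainId) ? this.rawConfig.domains[domainId] : undefined;` (or the `hasOwnProperty.call` form on older targets) closes that. A one-line TSDoc stating that an unknown domain id yields `undefined` would complete it.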
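Review bot: In server/routers/traefik/getTraefikConfig.ts, the new `logger.error` call names the resource but not the `resource.domainId` that failed to resolve, which is the value an operator needs in order to fix the config. I would include it, e.g. `Failed to get domain ${resource.domainId} from config for resource ${resource.resourceId}`. Skipping the resource with `continue` fails closed, which is the safe choice, but it also means the resource drops out of the generated Traefik config with only a log line as evidence, so a short comment above the `if` saying so would help the next reader. traefikConfigProvider starts and ends outside this hunk, so whether `resource.domainId` can be null here is not visible.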
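Review bot: In ResourceAuthPortal.tsx, the commented-out `// window.location.href = props.redirect;` should be deleted rather than kept, and the `router.refresh()` that replaces it needs a comment explaining how the user now reaches the resource. Dropping the client-side assignment removes a redirect target that this hunk does not show being validated, which is an improvement; if the redirect is now expected to be issued server-side after the refresh, that code should check the target against the resource's own domain. A comment such as `// Re-render on the server now that the session is set; the redirect to the resource is decided there.` would do, if that is the intent. `router` and the rest of the component are declared outside this hunk.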