fix(configuration): default redirection url check fails (#6867)

This fixes an error for the legacy mapping of the default redirection url.
authelia · Mar 15, 2024 · 65a7fc2 · 65a7fc2
1 parent 5ba9e9b
commit 65a7fc2
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 3 deletions.
diff --git a/internal/configuration/validator/session.go b/internal/configuration/validator/session.go
@@ -163,6 +163,8 @@ func validateSessionUniqueCookieDomain(i int, config *schema.Session, domains []
 }
 
 // validateSessionCookiesURLs validates the AutheliaURL and DefaultRedirectionURL.
+//
+//nolint:gocyclo
 func validateSessionCookiesURLs(i int, config *schema.Session, validator *schema.StructValidator) {
 	var d = config.Cookies[i]
 
@@ -190,7 +192,12 @@ func validateSessionCookiesURLs(i int, config *schema.Session, validator *schema
 		}
 
 		if d.Domain != "" && !utils.HasURIDomainSuffix(d.DefaultRedirectionURL, d.Domain) {
-			validator.Push(fmt.Errorf(errFmtSessionDomainURLNotInCookieScope, sessionDomainDescriptor(i, d), attrDefaultRedirectionURL, d.Domain, d.DefaultRedirectionURL))
+			if d.Legacy {
+				validator.PushWarning(fmt.Errorf(errFmtSessionDomainURLNotInCookieScope, sessionDomainDescriptor(i, d), attrDefaultRedirectionURL, d.Domain, d.DefaultRedirectionURL))
+				d.DefaultRedirectionURL = nil
+			} else {
+				validator.Push(fmt.Errorf(errFmtSessionDomainURLNotInCookieScope, sessionDomainDescriptor(i, d), attrDefaultRedirectionURL, d.Domain, d.DefaultRedirectionURL))
+			}
 		}
 
 		if d.AutheliaURL != nil && utils.EqualURLs(d.AutheliaURL, d.DefaultRedirectionURL) {

diff --git a/internal/configuration/validator/session_test.go b/internal/configuration/validator/session_test.go
@@ -757,13 +757,26 @@ func TestShouldRaiseErrorWhenHaveNonAbsDefaultRedirectionURL(t *testing.T) {
 			AutheliaURL:           MustParseURL("https://login.example.com"),
 			DefaultRedirectionURL: MustParseURL("home.example.com"),
 		},
+		{
+			Domain:                "example2.com",
+			AutheliaURL:           MustParseURL("https://login.example2.com"),
+			DefaultRedirectionURL: MustParseURL("https://google.com"),
+		},
+		{
+			Legacy:                true,
+			Domain:                "example3.com",
+			AutheliaURL:           MustParseURL("https://login.example3.com"),
+			DefaultRedirectionURL: MustParseURL("https://google.com"),
+		},
 	}
 
 	ValidateSession(&config, validator)
-	assert.False(t, validator.HasWarnings())
-	require.Len(t, validator.Errors(), 2)
+	require.Len(t, validator.Warnings(), 1)
+	require.Len(t, validator.Errors(), 3)
 	assert.EqualError(t, validator.Errors()[0], "session: domain config #1 (domain 'example.com'): option 'default_redirection_url' is not absolute with a value of 'home.example.com'")
 	assert.EqualError(t, validator.Errors()[1], "session: domain config #1 (domain 'example.com'): option 'default_redirection_url' does not share a cookie scope with domain 'example.com' with a value of 'home.example.com'")
+	assert.EqualError(t, validator.Errors()[2], "session: domain config #2 (domain 'example2.com'): option 'default_redirection_url' does not share a cookie scope with domain 'example2.com' with a value of 'https://google.com'")
+	assert.EqualError(t, validator.Warnings()[0], "session: domain config #3 (domain 'example3.com'): option 'default_redirection_url' does not share a cookie scope with domain 'example3.com' with a value of 'https://google.com'")
 }
 
 func TestShouldRaiseErrorWhenHaveNonSecureDefaultRedirectionURL(t *testing.T) {