feat(session): multiple cookie domains #3754

Merged
merged 121 commits into from
Jan 12, 2023

Collaborator

@mind-ar mind-ar commented Jul 27, 2022

This PR replaces #3744 and implements support for multiple domains

Closes #1198

Configuration will look like:

session:
  domain: example.com
  expiration: 3600
  inactivity: 300
  remember_me_duration: 1y
  portal_url: https://login.example.com
  domains:
    - domain: "example2.com"
      portal_url: https://login.example2.com
      expiration: 3600
      inactivity: 300
      remember_me_duration: 1y
    - domain: example3.com
      portal_url: https://example3.com/auth

Expected features

  • Support for Multiple root domains

Task List:

  • Configuration
    • add multidomain support on schema.session
    • add validations of configurations related to multiple domains in schema.sessions
    • add tests
  • Suites
    • add support to multiple domains to suite's html pages
  • Handlers
    • add support for portal_url redirection
      • allow redirection to specified portal_url
      • modify nginx configuration
      • modify traefik configuration
    • map requests to correct domain_cookie
    • validate requests (safe url, protected domain)
    • tests
  • Session
    • add support for multiple fasthttp sessions
    • tests
  • Documentation
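
The handler tasks "map requests to correct domain_cookie" and "validate requests (safe url, protected domain)" can be illustrated with the following added example. It is not code from this PR or from Authelia; the type and function names are hypothetical, and the https-only and dot-boundary suffix rules are assumptions about what a safe redirection check should enforce.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// CookieDomain is a hypothetical mirror of one session.domains entry.
type CookieDomain struct {
	Domain    string
	PortalURL string
}

// inDomain is true for the domain itself or a subdomain; the leading dot keeps "notexample3.com" out.
func inDomain(host, domain string) bool {
	host, domain = strings.ToLower(host), strings.ToLower(domain)
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// MatchCookieDomain returns the configured entry that covers host (no port).
func MatchCookieDomain(domains []CookieDomain, host string) (CookieDomain, bool) {
	for _, d := range domains {
		if inDomain(host, d.Domain) {
			return d, true
		}
	}
	return CookieDomain{}, false
}

// IsSafeRedirection accepts only https targets whose host is inside d.Domain.
func IsSafeRedirection(d CookieDomain, target string) bool {
	u, err := url.Parse(target)
	if err != nil || u.Scheme != "https" {
		return false
	}
	return inDomain(u.Hostname(), d.Domain)
}

func main() {
	// Constructed sample values, based on the configuration in the PR description.
	domains := []CookieDomain{
		{Domain: "example2.com", PortalURL: "https://login.example2.com"},
		{Domain: "example3.com", PortalURL: "https://example3.com/auth"},
	}
	d, _ := MatchCookieDomain(domains, "app.example3.com")
	fmt.Println(d.PortalURL, IsSafeRedirection(d, "https://app.example3.com/home"))
	fmt.Println(IsSafeRedirection(d, "https://example3.com.other.test/"))
}
```

A request whose host matches no configured entry has no session cookie to map to and no portal to redirect to, so the caller should reject it rather than fall back to a default domain.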


authelia bot commented Jul 27, 2022

Artifacts

These changes are published for testing on Buildkite, DockerHub and GitHub Container Registry.

Docker Container

  • docker pull authelia/authelia:feat-multi-root-domain-2
  • docker pull ghcr.io/authelia/authelia:feat-multi-root-domain-2

@mind-ar mind-ar self-assigned this Jul 27, 2022
@mind-ar mind-ar marked this pull request as draft July 27, 2022 01:27

codecov bot commented Jul 28, 2022

Codecov Report

Merging #3754 (f4079d0) into master (ad1a804) will decrease coverage by 0.04%.
The diff coverage is 73.75%.


@@            Coverage Diff             @@
##           master    #3754      +/-   ##
==========================================
- Coverage   67.19%   67.15%   -0.05%     
==========================================
  Files         266      267       +1     
  Lines       19505    19727     +222     
  Branches      429      429              
==========================================
+ Hits        13106    13247     +141     
- Misses       5639     5704      +65     
- Partials      760      776      +16     
Flag Coverage Δ
backend 67.50% <73.75%> (-0.07%) ⬇️
frontend 62.74% <ø> (+0.09%) ⬆️


Impacted Files Coverage Δ
internal/handlers/handler_sign_totp.go 39.13% <0.00%> (ø)
internal/handlers/handler_sign_webauthn.go 0.00% <0.00%> (ø)
internal/notification/smtp_notifier.go 53.98% <ø> (-0.81%) ⬇️
internal/handlers/handler_firstfactor.go 60.00% <21.05%> (-7.28%) ⬇️
internal/handlers/handler_verify.go 74.27% <50.00%> (-2.53%) ⬇️
internal/utils/strings.go 94.30% <50.00%> (-1.75%) ⬇️
internal/middlewares/authelia_context.go 75.86% <58.49%> (-4.06%) ⬇️
internal/session/session.go 58.82% <58.82%> (ø)
internal/session/provider.go 64.70% <60.86%> (+3.16%) ⬆️
internal/utils/url.go 92.30% <62.50%> (-7.70%) ⬇️
... and 19 more


netlify bot commented Jul 31, 2022

Deploy Preview for authelia-staging ready!

Name Link
🔨 Latest commit d4ae073
🔍 Latest deploy log https://app.netlify.com/sites/authelia-staging/deploys/63bd1f8483833d0009f891d3
😎 Deploy Preview https://deploy-preview-3754--authelia-staging.netlify.app

Member

@james-d-elliott james-d-elliott left a comment


LGTM

@james-d-elliott james-d-elliott merged commit 8b29cf7 into master Jan 12, 2023
@james-d-elliott james-d-elliott deleted the feat-multi-root-domain-2 branch January 12, 2023 10:57

Leopere commented Jan 14, 2023

I'm not sure I know the release cycle of Authelia; will this be in the Docker images any time soon now that it's done?

Member

james-d-elliott commented Jan 14, 2023

It's part of the master image already, I've got a few more things I'd like to finish for 4.38, I'd suspect we'll be ready to release next weekend however. #4296 is going to add some sweet functionality to this as well with authelia portal URL detection by matching the cookie domain to an optional configuration option when using the new endpoints so you only need a single middleware for traefik, or single snippet for caddy, envoy, etc. Only proxies not receiving this benefit due to technical limitations on their end are NGINX and HAProxy.


Leopere commented Jan 15, 2023

I am absolutely elated that this is about to exist, you have no idea. I have a multi-tenancy cloud deployment that has both staging and production nodes within it and I want to Authelia-off a number of things.


ColinHebert commented Jan 16, 2023

Hihi quick piece of feedback, the release cycle of the documentation is slightly out of sync with the latest version, which means that the current version of the documentation doesn't quite work in reality.
I've been banging my head against the wall because session.domain is "deprecated" but the latest version of authelia wouldn't let me set it up without session.domain being defined.

Additionally, it introduces a new environment variable (which is auto-documented) AUTHELIA_SESSION_COOKIES which I now gather isn't quite meant to be used.
If I understand correctly, the Environment page should be updated to mention that:

It is not possible to configure the session cookies, the access control rules section, or OpenID Connect identity provider clients section using environment variables at this time.

Member

james-d-elliott commented Jan 16, 2023

> Hihi quick piece of feedback, the release cycle of the documentation is slightly out of sync with the latest version, which means that the current version of the documentation doesn't quite work in reality.
> I've been banging my head against the wall because session.domain is "deprecated" but the latest version of authelia wouldn't let me set it up without session.domain being defined.

Yeah this is unfortunately occasionally the case with the docs. With bigger features we either have to do some inhuman juggling with pull requests, get versioned documentation working which is also pretty difficult to do right (you don't want docs only changes being excluded from updating the current docs, but also don't want the ones which only affect new features to affect old, etc), or we do it as we do now where as features are merged the docs are updated.

The likely future for this is versioned docs. However this project is entirely supported by the free time of individuals and provided completely free of charge, corporate interests, etc.

> Additionally, it introduces a new environment variable (which is auto-documented) AUTHELIA_SESSION_COOKIES which I now gather isn't quite meant to be used.

Yeah the generators seem to include the key names of lists, we welcome a PR to fix this.

> If I understand correctly, the Environment page should be updated to mention that:
>
> It is not possible to configure the session cookies, the access control rules section, or OpenID Connect identity provider clients section using environment variables at this time.

Correct, feel free to make a PR.

These matters can be further discussed in an appropriate setting such as the PR in question, or the GitHub Discussions.

@james-d-elliott
Member

I've also reverted the docs for now.

@james-d-elliott james-d-elliott added the area/session Session related features/bugs label Aug 20, 2023

gpnunes75 commented May 2, 2024

My Authelia is showing this message:
"level=warning msg="Configuration: session: option 'domain' is deprecated in v4.38.0 and has been replaced by a multi-domain configuration: this has automatically been mapped for you but you will need to adjust your configuration to remove this message and receive the latest messages"

If it automatically mapped to me, it should show me this mapped.

I couldn't find any documentation about what I need to change. Can you help me and point me to multi-domain documentation?

Successfully merging this pull request may close these issues.

Support protection of multiple root domains