From 39c50801463e5cee938b8bd36387256c5cdd037b Mon Sep 17 00:00:00 2001
From: Alex Tugarev
Date: Fri, 25 Sep 2020 13:18:41 +0000
Subject: [PATCH] [server] Fix domain scope for session cookie
With this change slicing of hostname will only be applied for preview environments. ACK this still only works for preview environments deployed without a 2nd level TLD. OTOH it should quickly enable SH installations with 2nd level TLDs!
---
 components/server/src/session-handler.ts | 29 ++++++++++++++++--------
 1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/components/server/src/session-handler.ts b/components/server/src/session-handler.ts
index 787d62b05c305c..e96ab52640d5b4 100644
--- a/components/server/src/session-handler.ts
+++ b/components/server/src/session-handler.ts
@@ -43,11 +43,25 @@ export class SessionHandlerProvider {
     }
 
     protected getCookieOptions(env: Env): express.CookieOptions {
-        const hostParts = env.hostUrl.url.host.split('.');
-        const baseDomain = hostParts.slice(hostParts.length - 2).join('.');
-        let domain = `.${baseDomain}`;
+        const hostName = env.hostUrl.url.host;
+
+        let domain = hostName;
+        if (env.devBranch) {
+            // Use cookie for base domain to allow cookies being sent via ingress proxy in preview environments
+            //
+            // Otherwise, clients (in this case Chrome) may ignore (as in: save it, but don't send it on consequent requests) the 'Set-Cookie:...' send with a redirect (302, to github oauth)
+            // For details, see:
+            // - RFC draft sameSite: http://httpwg.org/http-extensions/draft-ietf-httpbis-cookie-same-site.html
+            // - https://bugs.chromium.org/p/chromium/issues/detail?id=150066
+            // - google: chromium not sending cookies set with redirect
+
+            const hostParts = hostName.split('.');
+            const baseDomain = hostParts.slice(hostParts.length - 2).join('.');
+            domain = `.${baseDomain}`;
+        }
+
         if (this.env.insecureNoDomain) {
-            domain = baseDomain.split(":")[0];
+            domain = hostName.split(":")[0];
         }
         return {
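Review bot: `let domain = hostName;` still emits an explicit `Domain=` attribute for non-preview installations, and under RFC 6265 a cookie carrying a Domain attribute is sent to every subdomain of that domain rather than to the host alone — so the session cookie's scope is wider than host-only, and any service served from a subdomain of `hostUrl` (workspace hosts, if they live there; the layout is not visible in this hunk) would receive it. A host-only cookie requires the attribute to be absent: `let domain: string | undefined = undefined;`, keeping the `devBranch` and `insecureNoDomain` assignments as they are and returning `domain` rather than `` `${domain}` `` (which would stringify `undefined`) in the options object built after this hunk. Separately, `env.hostUrl.url.host` includes the port while a Domain attribute must not, which is why the fallback needs `split(":")[0]` and why the `devBranch` slice would yield `.gitpod.io:3000`-style values on a non-default port; `env.hostUrl.url.hostname` avoids both and also handles IPv6 literals, which `split(":")[0]` mangles. `getCookieOptions` continues past the end of this hunk.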
@@ -56,12 +70,7 @@ export class SessionHandlerProvider {
             secure: false, // default, TODO SSL! Config proxy
             maxAge: env.sessionMaxAgeMs, // configured in Helm chart, defaults to 3 days.
             sameSite: "lax", // default: true. "Lax" needed for OAuth.
-            domain: `${domain}` // Use cookie for base domain (works for *.staging.gitpod.io because of the name, see below)
-            // Otherwise, clients (in this case Chrome) may ignore (as in: save it, but don't send it on consequent requests) the 'Set-Cookie:...' send with a redirect (302, to github oauth)
-            // For details, see:
-            // - RFC draft sameSite: http://httpwg.org/http-extensions/draft-ietf-httpbis-cookie-same-site.html
-            // - https://bugs.chromium.org/p/chromium/issues/detail?id=150066
-            // - google: chromium not sending cookies set with redirect
+            domain: `${domain}`
         };
     }
 
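Review bot: `domain: `${domain}`` wraps a value that is already a string in a template literal, which is a no-op today but would silently turn `undefined` into the literal string `"undefined"` the moment `domain` is made optional (the natural way to get a host-only cookie); `domain,` says the same thing without that trap. Worth keeping in view while reading the `Domain` scope: the adjacent unchanged `secure: false` means whatever hosts fall inside that scope receive the session cookie over plain HTTP as well, so the TODO on that line and this domain logic are coupled. The enclosing `getCookieOptions` begins before this hunk.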