feat: invalid domain warning by steveiliop56 · Pull Request #332 · tinyauthapp/tinyauth

steveiliop56 · 2025-09-01T12:47:10Z

Summary by CodeRabbit

New Features
- Domain-mismatch warning before loading the app with a per-session "Ignore" option.
- Two-step redirect flow: automatic safe redirect plus a "Redirect me manually" option and clearer untrusted/insecure redirect screens with accessibility alerts.
Style
- Adjusted warning button dark-mode styling.
- Code elements now wrap to avoid overflow.
Localization
- Updated and reorganized redirect and domain-warning copy; added new labels.
Chores
- Removed CLI flag to disable continue.
- Removed sanitization dependency; redirects now use URL-based handling with timed navigation and cleanup.

coderabbitai · 2025-09-01T12:47:17Z

Caution

Review failed

The pull request is closed.

Walkthrough

Removes the CLI flag disable-continue. Replaces backend Domain/DisableContinue with AppURL/RootDomain and exposes them in the context response. Frontend adds a DomainWarning and session-dismissable layout gate, rewrites the /continue flow to use URL parsing and timed auto/manual redirects, updates i18n keys, and removes DOMPurify.

Changes

Cohort / File(s)	Summary
CLI Flag Removal `cmd/root.go`	Drops the `--disable-continue` CLI flag definition.
Backend Config & Bootstrap `internal/config/config.go`, `internal/bootstrap/...`	Removes `DisableContinue` from Config; replaces `Domain` with `AppURL`/`RootDomain` in bootstrap wiring and controller configs; cookieId now derived from AppURL hostname.
Context Controller `internal/controller/context_controller.go`	AppContextResponse now exposes `appUrl` and `rootDomain`; `DisableContinue`/`Domain` removed; `Oauth` renamed to `OAuth`.
OAuth/User Controllers & Auth Service `internal/controller/oauth_controller.go`, `internal/controller/user_controller.go`, `internal/service/auth_service.go`	Renames exported config fields from `Domain` → `RootDomain`; cookie domain logic and redirect safety checks now use `RootDomain`.
Middleware `internal/middleware/context_middleware.go`	`ContextMiddlewareConfig.Domain` → `RootDomain`; email construction uses `RootDomain`.
Utils Rename `internal/utils/app_utils.go`	`GetUpperDomain` renamed to `GetRootDomain` (same behavior).
Frontend App Context Schema `frontend/src/schemas/app-context-schema.ts`	Replaces `disableContinue` and `domain` with `appUrl` and `rootDomain` in Zod schema.
Layout & Domain Warning UI `frontend/src/components/layout/layout.tsx`, `frontend/src/components/domain-warning/domain-warning.tsx`	Adds `DomainWarning` component and `BaseLayout`; Layout shows a sessionStorage-dismissable domain-mismatch alert when `appUrl` differs from `window.location.origin`.
Continue Page Flow `frontend/src/pages/continue-page.tsx`	Removes DOMPurify; parses redirect using URL; adds validators (protocol, trusted/rootDomain, HTTPS downgrade); auto-redirects (100ms) when safe; reveals manual redirect after 1s; separates untrusted/insecure flows; updates i18n keys.
Frontend Pages: Redirect Timing & Guards `frontend/src/pages/login-page.tsx`, `frontend/src/pages/logout-page.tsx`, `frontend/src/pages/totp-page.tsx`, `frontend/src/pages/unauthorized-page.tsx`	Moves early redirect guards to after hooks/mutations, adds useRef timer-based delayed redirects (~500ms) with cleanup effects, and consolidates i18n/loading usage.
i18n Key Rework `frontend/src/lib/i18n/locales/en.json`, `frontend/src/lib/i18n/locales/en-US.json`	Removes legacy continue/untrusted keys; adds `continueRedirectManually`, `continueUntrustedRedirectTitle`/`Subtitle`, `domainWarningTitle`/`Subtitle`, `ignoreTitle`, `goToCorrectDomainTitle`; placeholders updated to `rootDomain`/`appUrl`/`currentUrl`.
UI / Style Tweaks `frontend/src/components/ui/button.tsx`, `frontend/src/index.css`	Removes `dark:bg-amber-600` from warning button variant; adds `break-all` to `code` selector to wrap long tokens.
Dependency cleanup `frontend/package.json`	Removes `dompurify` dependency from frontend.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User
  participant Browser
  participant Layout
  participant DomainWarning
  participant App

  User->>Browser: Load app
  Browser->>Layout: Render with appUrl/rootDomain
  alt origin != configured appUrl AND no session ignore
    Layout->>DomainWarning: Show warning (appUrl, currentUrl)
    User-->>DomainWarning: Click "Ignore"
    DomainWarning->>Layout: onClick() -> sessionStorage.setItem + update state
    Layout->>App: Render content
  else
    Layout->>App: Render content
  end

sequenceDiagram
  autonumber
  actor User
  participant Browser
  participant ContinuePage

  User->>ContinuePage: Navigate with redirect_uri
  ContinuePage->>ContinuePage: Parse redirect_uri (URL) & validate proto/host/rootDomain/https downgrade
  alt valid & trusted
    Note over ContinuePage: schedule auto-redirect (100ms)
    ContinuePage->>Browser: window.location.replace(redirect) (auto)
  else if untrusted or insecure
    ContinuePage->>User: Render alert card (continueUntrusted/insecure)
    User->>ContinuePage: Click proceed
    ContinuePage->>Browser: window.location.assign(redirect) (manual)
  end
  Note over ContinuePage: reveal manual button after 1s if auto pending

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

New Crowdin updates #245 — i18n edits for redirect/domain warning strings overlap with this PR's locale key changes.
feat: map info from OIDC claims to headers #122 — touches cmd/root.go and domain-related CLI/config handling; likely tied to the CLI flag/domain changes.
feat: generate a unique id for the cookie names based on the domain #161 — modifies cookie naming/identifier generation and domain-derived cookie logic, related to RootDomain/cookie changes.

Poem

A rabbit sniffs the root and checks each door,
"Is this the app URL or some distant shore?" 🐇
I flash a yellow card, then wait a beat,
Auto-hop quick, or press to make the leap.
Ignore for this session — then onward, fleet. ✨

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

MCP integration is disabled by default for public repositories
Jira integration is disabled by default for public repositories
Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between c80c37b and 95f8a95.

📒 Files selected for processing (6)

internal/bootstrap/app_bootstrap.go (6 hunks)
internal/controller/oauth_controller.go (5 hunks)
internal/controller/user_controller.go (4 hunks)
internal/middleware/context_middleware.go (3 hunks)
internal/service/auth_service.go (3 hunks)
internal/utils/app_utils.go (2 hunks)

✨ Finishing Touches

📝 Generate Docstrings

🧪 Generate unit tests

Create PR with unit tests
Post copyable unit tests in a comment
Commit unit tests in branch feat/domain-warning

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- I pushed a fix in commit <commit_id>, please review it.
- Open a follow-up GitHub issue for this discussion.
Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (`.coderabbit.yaml`)

You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
Please see the configuration documentation for more information.
If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

Visit our Status Page to check the current availability of CodeRabbit.
Visit our Documentation for detailed information on how to use CodeRabbit.
Join our Discord Community to get help, request features, and share feedback.
Follow us on X/Twitter for updates and announcements.

codecov · 2025-09-01T12:48:29Z

Codecov Report

❌ Patch coverage is 0% with 29 lines in your changes missing coverage. Please review.
✅ Project coverage is 0.00%. Comparing base (17048d9) to head (95f8a95).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/bootstrap/app_bootstrap.go	0.00%	9 Missing ⚠️
internal/controller/oauth_controller.go	0.00%	6 Missing ⚠️
internal/controller/context_controller.go	0.00%	5 Missing ⚠️
internal/controller/user_controller.go	0.00%	3 Missing ⚠️
internal/middleware/context_middleware.go	0.00%	2 Missing ⚠️
internal/service/auth_service.go	0.00%	2 Missing ⚠️
internal/utils/app_utils.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@          Coverage Diff          @@
##            main    #332   +/-   ##
=====================================
  Coverage   0.00%   0.00%           
=====================================
  Files         32      32           
  Lines       2378    2380    +2     
=====================================
- Misses      2378    2380    +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

coderabbitai

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

frontend/src/pages/continue-page.tsx (2)

20-28: Hooks called conditionally; restructure to top-level.

useAppContext, useLocation, useState, useTranslation, useNavigate, and useEffect are placed after early returns, violating Hooks rules and triggering Biome errors. Move all Hooks to the top and gate side-effects logically.

Apply:

 export const ContinuePage = () => {
-  const { isLoggedIn } = useUserContext();
-
-  if (!isLoggedIn) {
-    return <Navigate to="/login" />;
-  }
-
-  const { rootDomain } = useAppContext();
-  const { search } = useLocation();
-  const [loading, setLoading] = useState(false);
-  const [showRedirectButton, setShowRedirectButton] = useState(false);
+  const { isLoggedIn } = useUserContext();
+  const { rootDomain } = useAppContext();
+  const { search } = useLocation();
+  const [loading, setLoading] = useState(false);
+  const [showRedirectButton, setShowRedirectButton] = useState(false);
+  const { t } = useTranslation();
+  const navigate = useNavigate();

-  const { t } = useTranslation();
-  const navigate = useNavigate();
+  const searchParams = new URLSearchParams(search);
+  const redirectURI = searchParams.get("redirect_uri");
+  const sanitizedRedirectURI = redirectURI ? DOMPurify.sanitize(redirectURI) : "";
+  const isRedirectUriValid = !!redirectURI && isValidUrl(sanitizedRedirectURI);
+  const redirectURLObj = isRedirectUriValid ? new URL(sanitizedRedirectURI) : null;
+  const normalizeHost = (h: string) => h.toLowerCase().replace(/\.$/, "");
+  const rd = normalizeHost(rootDomain ?? "");
+  const host = redirectURLObj ? normalizeHost(redirectURLObj.hostname) : "";
+  const isTrusted =
+    redirectURLObj ? host === rd || host.endsWith(`.${rd}`) : false;
+  const isHttpsDowngrade =
+    redirectURLObj
+      ? redirectURLObj.protocol === "http:" && window.location.protocol === "https:"
+      : false;

-  const handleRedirect = () => {
+  const handleRedirect = () => {
     setLoading(true);
-    window.location.href = DOMPurify.sanitize(redirectURI);
+    // replace() avoids polluting history with the interstitial page
+    window.location.replace(sanitizedRedirectURI);
   };
 
-  const redirectURLObj = new URL(redirectURI);
+  // Auto-redirect only when safe and applicable
+  useEffect(() => {
+    if (!isLoggedIn || !isRedirectUriValid || !isTrusted || isHttpsDowngrade) {
+      return;
+    }
+    const t1 = setTimeout(() => {
+      handleRedirect();
+    }, 100);
+    const t2 = setTimeout(() => {
+      setLoading(false);
+      setShowRedirectButton(true);
+    }, 1000);
+    return () => {
+      clearTimeout(t1);
+      clearTimeout(t2);
+    };
+  }, [isLoggedIn, isRedirectUriValid, isTrusted, isHttpsDowngrade]);
 
+  // Early returns after hooks are declared
+  if (!isLoggedIn) {
+    return <Navigate to="/login" />;
+  }
-  const searchParams = new URLSearchParams(search);
-  const redirectURI = searchParams.get("redirect_uri");
-
   if (!redirectURI) {
     return <Navigate to="/logout" />;
   }
 
-  if (!isValidUrl(DOMPurify.sanitize(redirectURI))) {
+  if (!isRedirectUriValid) {
     return <Navigate to="/logout" />;
   }

Also applies to: 40-41, 127-135

75-78: Button label key exists?

These buttons use t("continueTitle") but that key was removed from locales in this PR. Either re-add the key (preferred, see locale comments) or swap to an existing key. Re-adding keeps copy concise (“Continue” vs “Redirect me manually”).

Also applies to: 112-114

🧹 Nitpick comments (9)

frontend/src/index.css (1)
158-160: Prefer break-words over break-all to avoid mid-token breaks in code.

break-all can split URLs/tokens awkwardly. break-words wraps long strings without breaking every character.
-code {
-  @apply relative rounded bg-muted px-[0.2rem] py-[0.1rem] font-mono text-sm font-semibold break-all;
-}
+code {
+  @apply relative rounded bg-muted px-[0.2rem] py-[0.1rem] font-mono text-sm font-semibold break-words;
+}
frontend/src/components/ui/button.tsx (1)
24-26: Dark-mode warning button may lose contrast; consider restoring dark:bg.

Without a dark:bg token, bg-amber-500 is used in dark too; white text may be borderline. Suggest adding dark:bg-amber-600 (and optional dark:hover).
-        warning:
-          "bg-amber-500 text-white shadow-xs hover:bg-amber-400 focus-visible:ring-amber-200/20 dark:focus-visible:ring-amber-400/40",
+        warning:
+          "bg-amber-500 text-white shadow-xs hover:bg-amber-400 focus-visible:ring-amber-200/20 dark:focus-visible:ring-amber-400/40 dark:bg-amber-600 dark:hover:bg-amber-500",
frontend/src/schemas/app-context-schema.ts (1)
7-8: Tighten validation: appUrl should be a URL; rootDomain should be a bare domain.

Prevents malformed values from breaking the domain-warning gate.
-  appUrl: z.string(),
-  rootDomain: z.string(),
+  appUrl: z.string().url(),
+  rootDomain: z
+    .string()
+    .transform((s) => s.trim().toLowerCase())
+    .regex(
+      /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$/i,
+      "rootDomain must be a domain like example.com",
+    ),
internal/controller/context_controller.go (1)
35-45: Remove unused DisableContinue field from ContextControllerConfig.
 internal/controller/context_controller.go
 type ContextControllerConfig struct {
-  DisableContinue bool
 }
internal/bootstrap/app_bootstrap.go (1)
47-56: Optional: sanity-check AppURL host vs derived domain at startup.

Prevents misconfig where AppURL host doesn’t end with RootDomain.
   // Get domain
   domain, err := utils.GetUpperDomain(app.Config.AppURL)
   if err != nil {
     return err
   }
+  if host, herr := utils.GetHost(app.Config.AppURL); herr == nil && !strings.HasSuffix(host, domain) {
+    return fmt.Errorf("app-url host %q does not match derived root domain %q", host, domain)
+  }
frontend/src/pages/continue-page.tsx (1)
112-121: Severity style consistency.

Consider variant="warning" (not "destructive") for the untrusted-redirect confirm to match the insecure-redirect confirm and convey caution rather than irreversible action.
-          <Button
-            onClick={handleRedirect}
-            loading={loading}
-            variant="destructive"
-          >
+          <Button onClick={handleRedirect} loading={loading} variant="warning">
             {t("continueTitle")}
           </Button>
frontend/src/components/domain-warning/domain-warning.tsx (2)
22-22: Add alert semantics for accessibility

Expose the warning to assistive tech.

Apply this diff:
-    <Card className="min-w-xs sm:min-w-sm">
+    <Card role="alert" aria-live="assertive" className="min-w-xs sm:min-w-sm">
34-38: Offer a “Go to the correct domain” primary action

Improves UX by giving a safe path in addition to “ignore”.

Apply this diff (assumes i18n key goToCorrectDomainTitle exists):
       <CardFooter className="flex flex-col items-stretch">
         <Button onClick={onClick} variant="warning">
           {t("ignoreTitle")}
         </Button>
+        <Button onClick={() => window.location.assign(appUrl)} className="mt-2">
+          {t("goToCorrectDomainTitle")}
+        </Button>
       </CardFooter>
frontend/src/components/layout/layout.tsx (1)

36-40: Consider matching by registrable root domain (eTLD+1) if subdomains are legitimate

If your deployment spans subdomains (e.g., auth.example.com vs. app.example.com), origin mismatch may be too strict.

Options:

Use the provided rootDomain from context to allow any subdomain of that root.

Otherwise, parse with URL and compare .hostname suffix against rootDomain.

Keep the stricter origin check behind a feature flag if necessary.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

MCP integration is disabled by default for public repositories
Jira integration is disabled by default for public repositories
Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 17048d9 and 3873bb2.

📒 Files selected for processing (12)

cmd/root.go (0 hunks)
frontend/src/components/domain-warning/domain-warning.tsx (1 hunks)
frontend/src/components/layout/layout.tsx (2 hunks)
frontend/src/components/ui/button.tsx (1 hunks)
frontend/src/index.css (1 hunks)
frontend/src/lib/i18n/locales/en-US.json (2 hunks)
frontend/src/lib/i18n/locales/en.json (2 hunks)
frontend/src/pages/continue-page.tsx (5 hunks)
frontend/src/schemas/app-context-schema.ts (1 hunks)
internal/bootstrap/app_bootstrap.go (1 hunks)
internal/config/config.go (0 hunks)
internal/controller/context_controller.go (4 hunks)

💤 Files with no reviewable changes (2)

internal/config/config.go
cmd/root.go

🧰 Additional context used

🧬 Code graph analysis (7)

frontend/src/components/domain-warning/domain-warning.tsx (1)

frontend/src/components/ui/card.tsx (10)

Card (85-85)

CardHeader (86-86)

CardTitle (88-88)

CardDescription (90-90)

CardFooter (87-87)

CardTitle (31-39)

CardDescription (41-49)

Card (5-16)

CardHeader (18-29)

CardAction (51-62)

internal/bootstrap/app_bootstrap.go (4)

internal/config/config.go (1)

Config (17-56)

internal/controller/user_controller.go (2)

Domain (24-26)

Config (28-32)

internal/controller/proxy_controller.go (1)

AppURL (20-22)

internal/middleware/context_middleware.go (1)

Domain (14-16)

frontend/src/components/layout/layout.tsx (2)

frontend/src/context/app-context.tsx (1)

useAppContext (36-44)

frontend/src/components/domain-warning/domain-warning.tsx (1)

DomainWarning (17-41)

frontend/src/pages/continue-page.tsx (2)

frontend/src/context/app-context.tsx (1)

useAppContext (36-44)

frontend/src/pages/totp-page.tsx (1)

window (42-46)

frontend/src/lib/i18n/locales/en.json (1)

frontend/src/pages/totp-page.tsx (1)

window (42-46)

internal/controller/context_controller.go (3)

internal/config/config.go (1)

Config (17-56)

internal/controller/oauth_controller.go (3)

Config (29-34)

CSRFCookieName (21-27)

controller (93-210)

internal/controller/user_controller.go (2)

Config (28-32)

Domain (24-26)

frontend/src/lib/i18n/locales/en-US.json (1)

frontend/src/pages/totp-page.tsx (2)

window (42-46)

toast (37-47)

🪛 Biome (2.1.2)

frontend/src/pages/continue-page.tsx

[error] 24-24: This hook is being called conditionally, but all hooks must be called in the exact same order in every component render.

Hooks should not be called after an early return.

For React to preserve state between calls, hooks needs to be called unconditionally and always in the same order.
See https://reactjs.org/docs/hooks-rules.html#only-call-hooks-at-the-top-level