✨ Logic to correctly use multiple authHosts

Author: adyanth

internal/auth.go

@@ -135,28 +135,43 @@ func returnUrl(r *http.Request) string {
 
 // Get oauth redirect uri
 func redirectUri(r *http.Request) string {
-	if use, _ := useAuthDomain(r); use {
+	if use, authHost, _ := useAuthDomain(r); use {
 		p := r.Header.Get("X-Forwarded-Proto")
-		return fmt.Sprintf("%s://%s%s", p, config.AuthHost, config.Path)
+		return fmt.Sprintf("%s://%s%s", p, authHost, config.Path)
 	}
 
 	return fmt.Sprintf("%s%s", redirectBase(r), config.Path)
 }
 
 // Should we use auth host + what it is
-func useAuthDomain(r *http.Request) (bool, string) {
-	if config.AuthHost == "" {
-		return false, ""
+func useAuthDomain(r *http.Request) (bool, string, string) {
+	if len(config.AuthHosts) == 0 {
+		return false, "", ""
 	}
 
 	// Does the request match a given cookie domain?
 	reqMatch, reqHost := matchCookieDomains(r.Host)
 
 	// Do any of the auth hosts match a cookie domain?
-	authMatch, authHost := matchCookieDomains(config.AuthHost)
+	authMatch, authHost := matchAuthHosts(reqHost)
 
 	// We need both to match the same domain
-	return reqMatch && authMatch && reqHost == authHost, reqHost
+	return reqMatch && authMatch, authHost, reqHost
+}
+
+// Return matching auth host domain if exists
+func matchAuthHosts(domain string) (bool, string) {
+	// Remove port
+	p := strings.Split(domain, ":")
+
+	for _, d := range config.AuthHosts {
+		// Subdomain match?
+		if len(d) >= len(domain) && d[len(d)-len(domain):] == domain {
+			return true, d
+		}
+	}
+
+	return false, p[0]
 }
 
 // Cookie methods
@@ -287,7 +302,7 @@ func cookieDomain(r *http.Request) string {
 // Cookie domain
 func csrfCookieDomain(r *http.Request) string {
 	var host string
-	if use, domain := useAuthDomain(r); use {
+	if use, _, domain := useAuthDomain(r); use {
 		host = domain
 	} else {
 		host = r.Host