Merge pull request #366 from supertokens/fix/aws-public-urls

fix: Fix same site parsing when using amazon public URLs

Author: rishabhpoddar

CHANGELOG.md

@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+-   Handle AWS Public URLs (ending with `.amazonaws.com`) separately while extracting TLDs for SameSite attribute.
+
 ## [0.14.0] - 2023-09-11
 
 ### Added

recipe/session/config_test.go

@@ -1215,3 +1215,84 @@ func TestThatJWKSAndOpenIdEndpointsAreExposed(t *testing.T) {
 	assert.NotNil(t, openIdAPI)
 	assert.Equal(t, openIdAPI.PathWithoutAPIBasePath.GetAsStringDangerous(), "/.well-known/openid-configuration")
 }
+
+func TestCookieSameSiteWithEC2PublicURL(t *testing.T) {
+	apiBasePath := "/"
+	configValue := supertokens.TypeInput{
+		Supertokens: &supertokens.ConnectionInfo{
+			ConnectionURI: "http://localhost:8080",
+		},
+		AppInfo: supertokens.AppInfo{
+			AppName:       "SuperTokens",
+			APIDomain:     "https://ec2-xx-yyy-zzz-0.compute-1.amazonaws.com:3001",
+			WebsiteDomain: "https://blog.supertokens.com",
+			APIBasePath:   &apiBasePath,
+		},
+		RecipeList: []supertokens.Recipe{
+			Init(&sessmodels.TypeInput{
+				GetTokenTransferMethod: func(req *http.Request, forCreateNewSession bool, userContext supertokens.UserContext) sessmodels.TokenTransferMethod {
+					return sessmodels.CookieTransferMethod
+				},
+			}),
+		},
+	}
+
+	BeforeEach()
+
+	unittesting.StartUpST("localhost", "8080")
+
+	defer AfterEach()
+
+	err := supertokens.Init(configValue)
+
+	if err != nil {
+		t.Error(err.Error())
+	}
+
+	recipe, err := getRecipeInstanceOrThrowError()
+
+	if err != nil {
+		t.Error(err.Error())
+	}
+
+	assert.True(t, recipe.Config.CookieDomain == nil)
+	assert.Equal(t, recipe.Config.CookieSameSite, "none")
+	assert.True(t, recipe.Config.CookieSecure)
+
+	resetAll()
+
+	configValue = supertokens.TypeInput{
+		Supertokens: &supertokens.ConnectionInfo{
+			ConnectionURI: "http://localhost:8080",
+		},
+		AppInfo: supertokens.AppInfo{
+			AppName:       "SuperTokens",
+			APIDomain:     "http://ec2-xx-yyy-zzz-0.compute-1.amazonaws.com:3001",
+			WebsiteDomain: "http://ec2-xx-yyy-zzz-0.compute-1.amazonaws.com:3000",
+			APIBasePath:   &apiBasePath,
+		},
+		RecipeList: []supertokens.Recipe{
+			Init(&sessmodels.TypeInput{
+				GetTokenTransferMethod: func(req *http.Request, forCreateNewSession bool, userContext supertokens.UserContext) sessmodels.TokenTransferMethod {
+					return sessmodels.CookieTransferMethod
+				},
+			}),
+		},
+	}
+
+	err = supertokens.Init(configValue)
+
+	if err != nil {
+		t.Error(err.Error())
+	}
+
+	recipe, err = getRecipeInstanceOrThrowError()
+
+	if err != nil {
+		t.Error(err.Error())
+	}
+
+	assert.True(t, recipe.Config.CookieDomain == nil)
+	assert.Equal(t, recipe.Config.CookieSameSite, "lax")
+	assert.False(t, recipe.Config.CookieSecure)
+}

supertokens/utils.go

@@ -318,6 +318,20 @@ func GetTopLevelDomainForSameSiteResolution(URL string) (string, error) {
 	if strings.HasPrefix(hostname, "localhost") || strings.HasPrefix(hostname, "localhost.org") || isAnIP {
 		return "localhost", nil
 	}
+
+	/**
+	EffectiveTLDPlusOne fails if the TLD and the input domain are the same which is true in the case of some aws URLS
+	which are listedhere: https://publicsuffix.org/list/public_suffix_list.dat
+
+	Instead, we use PublicSuffix to get the parsed suffix. EffectiveTLDPlusOne internally uses PublicSuffix
+	*/
+	_publicSuffix, _ := publicsuffix.PublicSuffix(hostname)
+
+	// This check is added because of this issue: https://github.com/supertokens/supertokens-python/issues/394
+	if strings.HasSuffix(hostname, ".amazonaws.com") && _publicSuffix == hostname {
+		return hostname, nil
+	}
+
 	parsedURL, err := publicsuffix.EffectiveTLDPlusOne(hostname)
 	if err != nil {
 		return "", errors.New("Please make sure that the apiDomain and websiteDomain have correct values")