Merge pull request #6883 from psiinon/authhelper-testdomains

authhelper: add support for domains to tester

Author: thc202

addOns/authhelper/CHANGELOG.md

@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Added
+- Domains to auth tester.
 
 ## [0.30.0] - 2025-11-04
 ### Added

addOns/authhelper/src/main/java/org/zaproxy/addon/authhelper/AuthTestDialog.java

@@ -33,6 +33,7 @@
 import java.util.Locale;
 import java.util.Map;
 import java.util.Optional;
+import java.util.regex.Pattern;
 import javax.swing.BorderFactory;
 import javax.swing.Icon;
 import javax.swing.ImageIcon;
@@ -113,6 +114,7 @@ public class AuthTestDialog extends StandardFieldsDialog {
     private static final String RECORD_DIAGNOSTICS_LABEL =
             "authhelper.auth.test.dialog.label.recdiag";
     private static final String DIAGNOSTICS_LABEL = "authhelper.auth.test.dialog.label.diag";
+    private static final String DOMAINS_LABEL = "authhelper.auth.test.dialog.label.domains";
     private static final String COPY_LABEL = "authhelper.auth.test.dialog.label.copy";
 
     private static final String FOUND_STR =
@@ -163,6 +165,7 @@ public AuthTestDialog(ExtensionAuthhelper ext, Frame owner) {
                 DisplayUtils.getScaledDimension(600, 550),
                 new String[] {
                     "authhelper.auth.test.dialog.tab.test",
+                    "authhelper.auth.test.dialog.tab.domains",
                     "authhelper.auth.test.dialog.tab.steps",
                     "authhelper.auth.test.dialog.tab.diag"
                 });
@@ -251,6 +254,10 @@ public AuthTestDialog(ExtensionAuthhelper ext, Frame owner) {
         this.addPadding(0);
 
         int tab = 1;
+
+        addMultilineField(tab, DOMAINS_LABEL, params.getDomains());
+
+        tab++;
         stepsPanel = new StepsPanel(this, true);
         stepsPanel.setSteps(params.getSteps());
         setCustomTabPanel(tab, stepsPanel.getPanel());
@@ -468,6 +475,14 @@ private void authenticate() {
             context.addIncludeInContextRegex(
                     SessionStructure.getHostName(new URI(loginUrl, false)) + ".*");
 
+            for (String dom : getDomains()) {
+                if (dom.endsWith(".*")) {
+                    // Just in case the user has added this anyway
+                    dom = dom.substring(0, dom.length() - 2);
+                }
+                context.addIncludeInContextRegex(Pattern.quote(dom) + ".*");
+            }
+
             JComboBox<?> browserCombo = (JComboBox<?>) this.getField(BROWSER_LABEL);
             String browserId = ((BrowserUI) browserCombo.getSelectedItem()).getBrowser().getId();
 
@@ -692,6 +707,12 @@ public void counterInc(String site, String key) {
         }
     }
 
+    private List<String> getDomains() {
+        return List.of(this.getStringValue(DOMAINS_LABEL).split("\r?\n")).stream()
+                .filter(StringUtils::isNotBlank)
+                .toList();
+    }
+
     private static void setTotp(
             List<AuthenticationStep> steps, UsernamePasswordAuthenticationCredentials credentials) {
         if (!TotpSupport.isTotpInCore()) {
@@ -755,6 +776,7 @@ public JButton[] getExtraButtons() {
                                         Constant.messages.getString(
                                                 "authhelper.auth.test.dialog.default-context"));
                         setFieldValue(LOGIN_URL_LABEL, "");
+                        setFieldValue(DOMAINS_LABEL, "");
                         setFieldValue(USERNAME_LABEL, "");
                         setFieldValue(PASSWORD_LABEL, "");
                         setFieldValue(LOGIN_WAIT_LABEL, AuthhelperParam.DEFAULT_WAIT);
@@ -786,6 +808,7 @@ public void save() {
     private void saveDetails() {
         AuthhelperParam params = this.ext.getParam();
         params.setLoginUrl(this.getStringValue(LOGIN_URL_LABEL));
+        params.setDomains(this.getStringValue(DOMAINS_LABEL));
         params.setUsername(this.getStringValue(USERNAME_LABEL));
         JComboBox<?> browserCombo = (JComboBox<?>) this.getField(BROWSER_LABEL);
         params.setBrowser(((BrowserUI) browserCombo.getSelectedItem()).getBrowser().getId());
@@ -815,6 +838,17 @@ public String validateFields() {
                 return Constant.messages.getString("authhelper.auth.test.dialog.error.nopassword");
             }
         }
+        for (String dom : this.getDomains()) {
+            String domLc = dom.toLowerCase(Locale.ROOT);
+            if (!domLc.startsWith("http://") && !domLc.startsWith("https://")) {
+                return Constant.messages.getString("authhelper.auth.test.dialog.error.baddom", dom);
+            }
+            try {
+                new URI(dom, false);
+            } catch (Exception e) {
+                return Constant.messages.getString("authhelper.auth.test.dialog.error.baddom", dom);
+            }
+        }
         return null;
     }
 

addOns/authhelper/src/main/java/org/zaproxy/addon/authhelper/AuthhelperParam.java

@@ -32,6 +32,7 @@ public class AuthhelperParam extends AbstractParam {
     private static final String AUTO_KEY = "authhelper";
 
     private static final String LOGIN_URL_KEY = AUTO_KEY + ".loginurl";
+    private static final String DOMAINS_KEY = AUTO_KEY + ".domains";
     private static final String USERNAME_KEY = AUTO_KEY + ".username";
     private static final String BROWSER_KEY = AUTO_KEY + ".browser";
     private static final String WAIT_KEY = AUTO_KEY + ".wait";
@@ -44,6 +45,7 @@ public class AuthhelperParam extends AbstractParam {
     private String loginUrl;
     private String username;
     private String browser;
+    private String domains;
     private int wait = DEFAULT_WAIT;
     private int stepDelay;
     private boolean recordDiagnostics;
@@ -56,6 +58,7 @@ public AuthhelperParam() {}
     @Override
     protected void parse() {
         this.loginUrl = this.getString(LOGIN_URL_KEY, "");
+        this.domains = this.getString(DOMAINS_KEY, "");
         this.username = this.getString(USERNAME_KEY, null);
         this.browser = this.getString(BROWSER_KEY, DEFAULT_BROWSER.getId());
         this.wait = getInteger(WAIT_KEY, DEFAULT_WAIT);
@@ -85,6 +88,15 @@ public void setLoginUrl(String loginUrl) {
         getConfig().setProperty(LOGIN_URL_KEY, loginUrl);
     }
 
+    public String getDomains() {
+        return domains;
+    }
+
+    public void setDomains(String domains) {
+        this.domains = domains;
+        getConfig().setProperty(DOMAINS_KEY, domains);
+    }
+
     public String getBrowser() {
         return browser;
     }

addOns/authhelper/src/main/javahelp/org/zaproxy/addon/authhelper/resources/help/contents/auth-tester.html

@@ -68,11 +68,21 @@ <H3>Record Diagnostics</H3>
 <H3>Reset Button</H3>
 The reset button allows you to reset all the fields on the Test tab, and disable all Steps in the Steps tab (steps are only disabled not removed as recreating them might be tedious).
 
-<H2>Results Panel</H2>
+<H3>Results Panel</H3>
 
 The results panel show the progress and what has been identified. All elements need to be identified in order for 
 ZAP to be able to automatically handle authentication for this site.
 
+<H2>Domains Tab</H2>
+
+The domains tab allows you to supply any domains that should be included in the context.
+<p>
+The domains should be one per line, and in the format: 'https://www.example.com/'.
+<p>
+If the Session Handling or Verification URL fail then check to see if your app is accessing any other domains.
+<p>
+ZAP will not consider requests to any domains that are outside of the Login URL domain or the domains listed here.
+
 <H2>Diagnostics Tab</H2>
 
 The Diagnostics tab will contain a summary of the requests and responses sent and received as part of the 

addOns/authhelper/src/main/resources/org/zaproxy/addon/authhelper/resources/Messages.properties

@@ -93,6 +93,7 @@ authhelper.auth.test.dialog.button.reset = Reset
 authhelper.auth.test.dialog.button.save = Test
 
 authhelper.auth.test.dialog.default-context = Authentication Test
+authhelper.auth.test.dialog.error.baddom = Invalid domain: {0} - it must be a valid URL and start with "http://" or "https://"
 authhelper.auth.test.dialog.error.badurl = The Login URL must start with "http://" or "https://"
 authhelper.auth.test.dialog.error.nocontext = You must specify a Context
 authhelper.auth.test.dialog.error.nopassword = You must specify a Password
@@ -103,6 +104,7 @@ authhelper.auth.test.dialog.label.browser = Browser:
 authhelper.auth.test.dialog.label.context = Context:
 authhelper.auth.test.dialog.label.copy = 
 authhelper.auth.test.dialog.label.diag = Diagnostics:
+authhelper.auth.test.dialog.label.domains = Domains:
 authhelper.auth.test.dialog.label.loginurl = Login URL:
 authhelper.auth.test.dialog.label.method = Auth Method
 authhelper.auth.test.dialog.label.method.browser = Browser Based
@@ -124,6 +126,7 @@ authhelper.auth.test.dialog.status.launching = Launching Browser
 authhelper.auth.test.dialog.status.notstarted = Not Started
 authhelper.auth.test.dialog.status.passed = Passed
 authhelper.auth.test.dialog.tab.diag = Diagnostics
+authhelper.auth.test.dialog.tab.domains = Domains
 authhelper.auth.test.dialog.tab.steps = Steps
 authhelper.auth.test.dialog.tab.test = Test