feat: Implement cross domain validation (#32)

tacerus · web-flow · commit c825a3158774 · 2025-06-02T15:42:48.000+02:00
In environments where services run under multiple subdomains, it can be
desirable to not re-challenge a user if they already passed a challenge
on a different subdomain.

Signed-off-by: Georg Pfuetzenreuter &lt;mail@georg-pfuetzenreuter.net&gt;
diff --git a/berghain.go b/berghain.go
@@ -16,7 +16,8 @@ type LevelConfig struct {
 }
 
 type Berghain struct {
-	Levels []*LevelConfig
+	Levels         []*LevelConfig
+	TrustedDomains []string
 
 	secret []byte
 	hmac   sync.Pool
diff --git a/cmd/spop/config.go b/cmd/spop/config.go
@@ -33,13 +33,20 @@ func (s *Secret) UnmarshalYAML(b []byte) error {
 	return nil
 }
 
-type FrontendConfig []LevelConfig
+type FrontendConfig struct {
+	Levels         []LevelConfig `yaml:"levels"`
+	TrustedDomains []string      `yaml:"trusted_domains"`
+}
 
 func (fc FrontendConfig) AsBerghain(s []byte) *berghain.Berghain {
 	b := berghain.NewBerghain(s)
-	for _, c := range fc {
+
+	for _, c := range fc.Levels {
 		b.Levels = append(b.Levels, c.AsLevelConfig())
 	}
+
+	b.TrustedDomains = fc.TrustedDomains
+
 	return b
 }
 
diff --git a/cmd/spop/config.yaml b/cmd/spop/config.yaml
@@ -1,18 +1,24 @@
 secret: JMal0XJRROOMsMdPqggG2tR56CTkpgN3r47GgUN/WSQ=
 
 default:
-  - duration: 24h
-    type: none
-  - duration: 30m
-    type: pow
+  levels:
+    - duration: 24h
+      type: none
+    - duration: 30m
+      type: pow
 
 frontend:
   my_fancy_frontend:
-    - duration: 30s
-      type: none
-      countdown: 9  # default is 3 seconds, maximum is 9
-    - duration: 20s
-      type: pow
-    - duration: 10s
-      type: pow
-      countdown: 0
+    # normally, the exact host is stored and examined during cookie validation
+    # to allow a domain including all of its subdomains to share a validated session, list it here
+    trusted_domains:
+      - foo.example.com
+    levels:
+      - duration: 30s
+        type: none
+        countdown: 9  # default is 3 seconds, maximum is 9
+      - duration: 20s
+        type: pow
+      - duration: 10s
+        type: pow
+        countdown: 0
diff --git a/cmd/spop/frontend.go b/cmd/spop/frontend.go
@@ -6,6 +6,7 @@ import (
 	"log/slog"
 	"net/http"
 	"net/netip"
+	"strings"
 	"sync"
 
 	"github.com/dropmorepackets/haproxy-go/pkg/buffer"
@@ -55,6 +56,17 @@ func releaseHostBuf(b *buffer.SliceBuffer) {
 	hostBufPool.Put(b)
 }
 
+func getTrustedDomain(host []byte, td []string) []byte {
+	h := string(host)
+	for _, d := range td {
+		if strings.HasSuffix(h, d) {
+			return []byte(d)
+		}
+	}
+
+	return nil
+}
+
 func (f *frontend) HandleSPOEValidate(ctx context.Context, w *encoding.ActionWriter, m *encoding.Message) {
 	k := encoding.AcquireKVEntry()
 	defer encoding.ReleaseKVEntry(k)
@@ -93,9 +105,15 @@ func (f *frontend) HandleSPOEValidate(ctx context.Context, w *encoding.ActionWri
 		return
 	}
 
+	td := getTrustedDomain(host, f.bh.TrustedDomains)
+	if td != nil {
+		host = td
+	}
+
 	hostBuf := acquireHostBuf()
 	defer releaseHostBuf(hostBuf)
-	copy(hostBuf.WriteNBytes(len(k.ValueBytes())), k.ValueBytes())
+
+	copy(hostBuf.WriteNBytes(len(host)), host)
 	ri.Host = hostBuf.ReadBytes()
 
 	if err := readExpectedKVEntry(ctx, m, k, "cookie"); err != nil {
@@ -141,13 +159,22 @@ func (f *frontend) HandleSPOEChallenge(ctx context.Context, w *encoding.ActionWr
 	if err := readExpectedKVEntry(ctx, m, k, "host"); err != nil {
 		return
 	}
-	if len(k.ValueBytes()) > hostBufferLength {
+	host := k.ValueBytes()
+	if len(host) > hostBufferLength {
 		slog.ErrorContext(ctx, "host length too big")
 	}
 
+	td := getTrustedDomain(host, f.bh.TrustedDomains)
+	if td != nil {
+		host = td
+	}
+
+	_ = w.SetString(encoding.VarScopeTransaction, "domain", string(host))
+
 	hostBuf := acquireHostBuf()
 	defer releaseHostBuf(hostBuf)
-	copy(hostBuf.WriteNBytes(len(k.ValueBytes())), k.ValueBytes())
+
+	copy(hostBuf.WriteNBytes(len(host)), host)
 	ri.Host = hostBuf.ReadBytes()
 
 	req := berghain.AcquireValidatorRequest()
diff --git a/examples/haproxy/haproxy.cfg b/examples/haproxy/haproxy.cfg
@@ -58,7 +58,7 @@ backend berghain_http
 
     acl has_token var(txn.berghain.token) -m found
 
-    http-after-response add-header set-cookie "berghain=%[var(txn.berghain.token)]; path=/;" if has_token
+    http-after-response add-header set-cookie "berghain=%[var(txn.berghain.token)]; domain=%[var(txn.berghain.domain)]; path=/;" if has_token
     http-request return status 200 content-type "application/json" lf-string "%[var(txn.berghain.response)]" if is_challenge_path
 
     http-request return status 404

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,8 @@ type LevelConfig struct {`
`16`	`16`	`}`
`17`	`17`
`18`	`18`	`type Berghain struct {`
`19`		`- Levels []*LevelConfig`
	`19`	`+ Levels []*LevelConfig`
	`20`	`+ TrustedDomains []string`
`20`	`21`
`21`	`22`	`secret []byte`
`22`	`23`	`hmac sync.Pool`