feat: Allow multiple auth-hosts

Author: motoki317

Dockerfile

@@ -1,8 +1,8 @@
 # Start by building the application.
-FROM --platform=$BUILDPLATFORM golang:1.25 as build
+FROM --platform=$BUILDPLATFORM golang:1.25 AS build
 
 WORKDIR /usr/src/traefik-forward-auth
-ENV CGO_ENABLED 0
+ENV CGO_ENABLED=0
 
 COPY ./go.* ./
 RUN --mount=type=cache,target=/go/pkg/mod \

cmd/main.go

@@ -4,14 +4,15 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
-	"github.com/samber/lo"
-	"github.com/sirupsen/logrus"
-	tfa "github.com/traPtitech/traefik-forward-auth/internal"
-	"github.com/traPtitech/traefik-forward-auth/internal/token"
 	"net/http"
 	"os"
 	"strconv"
 	"time"
+
+	"github.com/samber/lo"
+	"github.com/sirupsen/logrus"
+	tfa "github.com/traPtitech/traefik-forward-auth/internal"
+	"github.com/traPtitech/traefik-forward-auth/internal/token"
 )
 
 func initConfigs(args []string) (*tfa.Config, *logrus.Logger) {

internal/auth.go

@@ -4,13 +4,13 @@ import (
 	"crypto/rand"
 	"errors"
 	"fmt"
-	"github.com/traPtitech/traefik-forward-auth/internal/token"
 	"net/http"
 	"net/url"
 	"strings"
 	"time"
 
 	"github.com/traPtitech/traefik-forward-auth/internal/provider"
+	"github.com/traPtitech/traefik-forward-auth/internal/token"
 )
 
 // Request Validation
@@ -67,7 +67,7 @@ func ValidateRedirect(r *http.Request, redirect string) (*url.URL, error) {
 	}
 
 	// If we're using an auth domain?
-	if use, base := useAuthDomain(r); use {
+	if use, base, _ := useAuthDomain(r); use {
 		// If we are using an auth domain, they redirect must share a common
 		// suffix with the requested redirect
 		if !strings.HasSuffix(redirectURL.Host, base) {
@@ -97,28 +97,35 @@ func currentUrl(r *http.Request) string {
 
 // Get oauth redirect uri
 func redirectUri(r *http.Request) string {
-	if use, _ := useAuthDomain(r); use {
+	if use, _, authHost := useAuthDomain(r); use {
 		p := r.Header.Get("X-Forwarded-Proto")
-		return fmt.Sprintf("%s://%s%s", p, config.AuthHost, config.CallbackPath)
+		return fmt.Sprintf("%s://%s%s", p, authHost, config.CallbackPath)
 	}
 
 	return fmt.Sprintf("%s%s", redirectBase(r), config.CallbackPath)
 }
 
 // Should we use auth host + what it is
-func useAuthDomain(r *http.Request) (bool, string) {
-	if config.AuthHost == "" {
-		return false, ""
+func useAuthDomain(r *http.Request) (use bool, cookieHost string, authHost string) {
+	if len(config.AuthHost) == 0 {
+		return
 	}
 
 	// Does the request match a given cookie domain?
-	reqMatch, reqHost := config.matchCookieDomains(r.Host)
+	reqMatch, reqCookieHost := config.matchCookieDomains(r.Host)
+	if !reqMatch {
+		return
+	}
 
 	// Do any of the auth hosts match a cookie domain?
-	authMatch, authHost := config.matchCookieDomains(config.AuthHost)
+	for _, authHost := range config.AuthHost {
+		authMatch, authCookieHost := config.matchCookieDomains(authHost)
+		if authMatch && reqCookieHost == authCookieHost {
+			return true, authCookieHost, authHost
+		}
+	}
 
-	// We need both to match the same domain
-	return reqMatch && authMatch && reqHost == authHost, reqHost
+	return
 }
 
 // Cookie methods
@@ -250,7 +257,7 @@ func cookieDomain(requestHost string) string {
 // Cookie domain
 func csrfCookieDomain(r *http.Request) string {
 	var host string
-	if use, domain := useAuthDomain(r); use {
+	if use, domain, _ := useAuthDomain(r); use {
 		host = domain
 	} else {
 		host = r.Host

internal/auth_test.go

@@ -1,14 +1,15 @@
 package tfa
 
 import (
-	"github.com/traPtitech/traefik-forward-auth/internal/token"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"strings"
 	"testing"
 	"time"
 
+	"github.com/traPtitech/traefik-forward-auth/internal/token"
+
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
@@ -109,7 +110,7 @@ func TestAuthValidateRedirect(t *testing.T) {
 	//
 	// With Auth Host
 	//
-	config.AuthHost = "auth.example.com"
+	config.AuthHost = []string{"auth.example.com"}
 	config.CookieDomains = []CookieDomain{"example.com"}
 	errStr = "redirect host does not match any expected hosts (should match cookie domain when using auth host)"
 
@@ -168,7 +169,7 @@ func TestRedirectUri(t *testing.T) {
 	// With Auth URL but no matching cookie domain
 	// - will not use auth host
 	//
-	config.AuthHost = "auth.example.com"
+	config.AuthHost = []string{"auth.example.com"}
 
 	uri, err = url.Parse(redirectUri(r))
 	assert.Nil(err)
@@ -179,7 +180,7 @@ func TestRedirectUri(t *testing.T) {
 	//
 	// With correct Auth URL + cookie domain
 	//
-	config.AuthHost = "auth.example.com"
+	config.AuthHost = []string{"auth.example.com"}
 	config.CookieDomains = []CookieDomain{"example.com"}
 
 	// Check url
@@ -196,7 +197,7 @@ func TestRedirectUri(t *testing.T) {
 	r = httptest.NewRequest("GET", "https://another.com/hello", nil)
 	r.Header.Add("X-Forwarded-Proto", "https")
 
-	config.AuthHost = "auth.example.com"
+	config.AuthHost = []string{"auth.example.com"}
 	config.CookieDomains = []CookieDomain{"example.com"}
 
 	// Check url
@@ -255,7 +256,7 @@ func TestAuthMakeCSRFCookie(t *testing.T) {
 	assert.Equal("app.example.com", c.Domain)
 
 	// With cookie domain and auth url
-	config.AuthHost = "auth.example.com"
+	config.AuthHost = []string{"auth.example.com"}
 	config.CookieDomains = []CookieDomain{"example.com"}
 	c = MakeCSRFCookie(r, "12333378901234567890123456789012")
 	assert.Equal("_forward_auth_csrf_123333", c.Name)

internal/config.go

@@ -25,8 +25,8 @@ type Config struct {
 	// 	Allowed values: "text", "json", "pretty"
 	LogFormat string `mapstructure:"log-format"`
 
-	// AuthHost defines a single host to use when returning from 3rd party auth.
-	AuthHost string `mapstructure:"auth-host"`
+	// AuthHost defines hosts to use when returning from 3rd party auth. Comma separated.
+	AuthHost []string `mapstructure:"auth-host"`
 	// CookieDomains defines domains to set auth cookie on. Comma separated.
 	CookieDomains []CookieDomain `mapstructure:"cookie-domains"`
 	// InsecureCookie specifies to use insecure cookies.
@@ -189,8 +189,8 @@ func (c *Config) setup() error {
 	}
 
 	// Auth host check
-	if c.AuthHost != "" {
-		match, _ := c.matchCookieDomains(c.AuthHost)
+	for _, authHost := range c.AuthHost {
+		match, _ := c.matchCookieDomains(authHost)
 		if !match {
 			return errors.New("\"auth-host\" option must match one of \"cookie-domains\"")
 		}

internal/config_test.go

@@ -1,14 +1,14 @@
 package tfa
 
 import (
-	"github.com/samber/lo"
-	"strings"
-
 	// "fmt"
 	"os"
+	"strings"
 	"testing"
 	"time"
 
+	"github.com/samber/lo"
+
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -40,7 +40,7 @@ providers:
 	assert.Equal("warn", c.LogLevel)
 	assert.Equal("text", c.LogFormat)
 
-	assert.Equal("", c.AuthHost)
+	assert.Len(c.AuthHost, 0)
 	assert.Len(c.CookieDomains, 0)
 	assert.False(c.InsecureCookie)
 	assert.Equal("_forward_auth", c.CookieName)

internal/server.go

@@ -2,18 +2,17 @@ package tfa
 
 import (
 	"fmt"
-	"github.com/traPtitech/traefik-forward-auth/internal/authrule"
-	"github.com/traPtitech/traefik-forward-auth/internal/token"
-	"github.com/traefik/traefik/v3/pkg/middlewares/requestdecorator"
 	"net/http"
 	"net/url"
 	"strings"
 
 	"github.com/samber/lo"
 	"github.com/sirupsen/logrus"
-	mux "github.com/traefik/traefik/v3/pkg/muxer/http"
-
+	"github.com/traPtitech/traefik-forward-auth/internal/authrule"
 	"github.com/traPtitech/traefik-forward-auth/internal/provider"
+	"github.com/traPtitech/traefik-forward-auth/internal/token"
+	"github.com/traefik/traefik/v3/pkg/middlewares/requestdecorator"
+	mux "github.com/traefik/traefik/v3/pkg/muxer/http"
 )
 
 // Server contains router and handler methods
@@ -259,7 +258,7 @@ func (s *Server) AuthCallbackHandler() http.HandlerFunc {
 
 		// Check error
 		authError := r.URL.Query().Get("error")
-		if authError == "login_required" || authError == "consent_required" {
+		if authError == "login_required" || authError == "consent_required" || authError == "interaction_required" {
 			// Retry without the 'prompt' parameter (which was possibly 'none' or some other value)
 			s.authRedirect(logger, w, r, p, redirect, false)
 			return