New: Use instance name in forms authentication cookie name (#3761)

(cherry picked from commit 97ebaf279650082c6baee9563ef179921c5ed25a) (cherry picked from commit faf9173b3b4a298e3afa9a186e66ba6764ac055e) (cherry picked from commit 75fae9262c6ca003d24df9fcf035d75b1e90f994) --------- Co-authored-by: Mark McDowall <mark@mcdowall.ca>
5 months ago · 6913789adc
parent 09e0c40792
commit 6913789adc
1 changed files with 21 additions and 7 deletions
--- a/src/Readarr.Http/Authentication/AuthenticationBuilderExtensions.cs
+++ b/src/Readarr.Http/Authentication/AuthenticationBuilderExtensions.cs
@ -1,12 +1,18 @@
 using System;
+using System.Text.RegularExpressions;
+using Diacritical;
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.Extensions.DependencyInjection;
 using NzbDrone.Core.Authentication;
+using NzbDrone.Core.Configuration;

 namespace Readarr.Http.Authentication
 {
    public static class AuthenticationBuilderExtensions
    {
+        private static readonly Regex CookieNameRegex = new Regex(@"[^a-z0-9]+", RegexOptions.Compiled | RegexOptions.IgnoreCase);
+
        public static AuthenticationBuilder AddApiKey(this AuthenticationBuilder authenticationBuilder, string name, Action<ApiKeyAuthenticationOptions> options)
        {
            return authenticationBuilder.AddScheme<ApiKeyAuthenticationOptions, ApiKeyAuthenticationHandler>(name, options);
@ -29,19 +35,27 @@ namespace Readarr.Http.Authentication

        public static AuthenticationBuilder AddAppAuthentication(this IServiceCollection services)
        {
-            return services.AddAuthentication()
-                .AddNone(AuthenticationType.None.ToString())
-                .AddExternal(AuthenticationType.External.ToString())
-                .AddBasic(AuthenticationType.Basic.ToString())
-                .AddCookie(AuthenticationType.Forms.ToString(), options =>
+            services.AddOptions<CookieAuthenticationOptions>(AuthenticationType.Forms.ToString())
+                .Configure<IConfigFileProvider>((options, configFileProvider) =>
                {
-                    options.Cookie.Name = "ReadarrAuth";
+                    // Replace diacritics and replace non-word characters to ensure cookie name doesn't contain any valid URL characters not allowed in cookie names
+                    var instanceName = configFileProvider.InstanceName;
+                    instanceName = instanceName.RemoveDiacritics();
+                    instanceName = CookieNameRegex.Replace(instanceName, string.Empty);
+
+                    options.Cookie.Name = $"{instanceName}Auth";
                    options.AccessDeniedPath = "/login?loginFailed=true";
                    options.LoginPath = "/login";
                    options.ExpireTimeSpan = TimeSpan.FromDays(7);
                    options.SlidingExpiration = true;
                    options.ReturnUrlParameter = "returnUrl";
-                })
+                });
+
+            return services.AddAuthentication()
+                .AddNone(AuthenticationType.None.ToString())
+                .AddExternal(AuthenticationType.External.ToString())
+                .AddBasic(AuthenticationType.Basic.ToString())
+                .AddCookie(AuthenticationType.Forms.ToString())
                .AddApiKey("API", options =>
                {
                    options.HeaderName = "X-Api-Key";