From 8629517cd4ff79b2e1825b928c4c5b08bde3507a Mon Sep 17 00:00:00 2001
From: Andrew LeFevre <andrew.lefevre@goteleport.com>
Date: Mon, 28 Oct 2024 18:37:49 -0400
Subject: [PATCH] fix state cookie not getting set

Most of the logic contributed by avatus
---
 .../src/AppLauncher/AppLauncher.test.tsx      | 16 +++++++-------
 .../teleport/src/AppLauncher/AppLauncher.tsx  | 21 ++++++++++++-------
 2 files changed, 22 insertions(+), 15 deletions(-)

diff --git a/web/packages/teleport/src/AppLauncher/AppLauncher.test.tsx b/web/packages/teleport/src/AppLauncher/AppLauncher.test.tsx
index 7059de6852a2e..ce22b7be3c833 100644
--- a/web/packages/teleport/src/AppLauncher/AppLauncher.test.tsx
+++ b/web/packages/teleport/src/AppLauncher/AppLauncher.test.tsx
@@ -36,42 +36,42 @@ const launcherPathTestCases: {
   {
     name: 'no state and no path',
     path: '?path=',
-    expectedPath: 'x-teleport-auth',
+    expectedPath: 'undefined/x-teleport-auth',
   },
   {
     name: 'no state with path',
     path: '?path=%2Ffoo%2Fbar',
-    expectedPath: 'x-teleport-auth?path=%2Ffoo%2Fbar',
+    expectedPath: 'undefined/x-teleport-auth?path=%2Ffoo%2Fbar',
   },
   {
     name: 'no state with other path params (clusterId, publicAddr, publicArn',
     path: '/some-cluster-id/some-public-addr/arn::123/name',
     expectedPath:
-      'x-teleport-auth?cluster=some-cluster-id&addr=some-public-addr&arn=arn%3A%3A123',
+      'some-public-addr/x-teleport-auth?cluster=some-cluster-id&addr=some-public-addr&arn=arn%3A%3A123',
   },
   {
     name: 'no state with path and with other path params',
     path: '/some-cluster-id/some-public-addr/arn::123/name?path=%2Ffoo%2Fbar',
     expectedPath:
-      'x-teleport-auth?path=%2Ffoo%2Fbar&cluster=some-cluster-id&addr=some-public-addr&arn=arn%3A%3A123',
+      'some-public-addr/x-teleport-auth?path=%2Ffoo%2Fbar&cluster=some-cluster-id&addr=some-public-addr&arn=arn%3A%3A123',
   },
   {
     name: 'with state',
     path: '?state=ABC',
     expectedPath:
-      'x-teleport-auth?state=ABC&subject=subject-cookie-value#value=cookie-value',
+      'grafana.localhost/x-teleport-auth?state=ABC&subject=subject-cookie-value#value=cookie-value',
   },
   {
     name: 'with state and path',
     path: '?state=ABC&path=%2Ffoo%2Fbar',
     expectedPath:
-      'x-teleport-auth?state=ABC&subject=subject-cookie-value&path=%2Ffoo%2Fbar#value=cookie-value',
+      'grafana.localhost/x-teleport-auth?state=ABC&subject=subject-cookie-value&path=%2Ffoo%2Fbar#value=cookie-value',
   },
   {
     name: 'with state, path, and params',
     path: '?state=ABC&path=%2Ffoo%2Fbar',
     expectedPath:
-      'x-teleport-auth?state=ABC&subject=subject-cookie-value&path=%2Ffoo%2Fbar#value=cookie-value',
+      'grafana.localhost/x-teleport-auth?state=ABC&subject=subject-cookie-value&path=%2Ffoo%2Fbar#value=cookie-value',
   },
 ];
 
@@ -116,7 +116,7 @@ describe('app launcher path is properly formed', () => {
 
       await waitFor(() =>
         expect(window.location.replace).toHaveBeenCalledWith(
-          `https://grafana.localhost/${expectedPath}`
+          `https://${expectedPath}`
         )
       );
       expect(screen.queryByText(/access denied/i)).not.toBeInTheDocument();
diff --git a/web/packages/teleport/src/AppLauncher/AppLauncher.tsx b/web/packages/teleport/src/AppLauncher/AppLauncher.tsx
index 58420124e08f3..79b5e67ba1bbb 100644
--- a/web/packages/teleport/src/AppLauncher/AppLauncher.tsx
+++ b/web/packages/teleport/src/AppLauncher/AppLauncher.tsx
@@ -119,10 +119,10 @@ export function AppLauncher() {
       }
 
       // Let the target app know of a new auth exchange.
+      const publicAddr = resolvedApp.publicAddress;
       const stateToken = queryParams.get('state');
       if (!stateToken) {
         initiateNewAuthExchange({
-          fqdn,
           port,
           path,
           params,
@@ -138,7 +138,10 @@ export function AppLauncher() {
       const session = await service.createAppSession(params);
 
       // Set all the fields expected by server to validate request.
-      const url = getXTeleportAuthUrl({ fqdn, port });
+      const url = getXTeleportAuthUrl({
+        publicAddr: publicAddr,
+        port,
+      });
       url.searchParams.set('state', stateToken);
       url.searchParams.set('subject', session.subjectCookieValue);
       if (requiredApps.length > 1) {
@@ -217,9 +220,15 @@ function prepareFqdn(fqdn: string) {
   }
 }
 
-function getXTeleportAuthUrl({ fqdn, port }: { fqdn: string; port: string }) {
+function getXTeleportAuthUrl({
+  port,
+  publicAddr,
+}: {
+  port: string;
+  publicAddr: string;
+}) {
   try {
-    return new URL(`https://${fqdn}${port}/x-teleport-auth`);
+    return new URL(`https://${publicAddr}${port}/x-teleport-auth`);
   } catch (err) {
     throwFailedToParseUrlError(err);
   }
@@ -235,13 +244,11 @@ function getXTeleportAuthUrl({ fqdn, port }: { fqdn: string; port: string }) {
 //      bookmarked URL), in which the server will redirect the user
 //      to this launcher.
 function initiateNewAuthExchange({
-  fqdn,
   port,
   params,
   path,
   requiredApps,
 }: {
-  fqdn: string;
   port: string;
   // params will only be defined if the user clicked our "launch"
   // app button from the web UI.
@@ -255,7 +262,7 @@ function initiateNewAuthExchange({
   path: string;
   requiredApps: string[];
 }) {
-  const url = getXTeleportAuthUrl({ fqdn, port });
+  const url = getXTeleportAuthUrl({ publicAddr: params.publicAddr, port });
 
   if (path) {
     url.searchParams.set('path', path);