fix state cookie not getting set

Most of the logic contributed by avatus
gravitational · Oct 28, 2024 · 98494cd · 98494cd
1 parent 57bb89c
commit 98494cd
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 15 deletions.
diff --git a/web/packages/teleport/src/AppLauncher/AppLauncher.test.tsx b/web/packages/teleport/src/AppLauncher/AppLauncher.test.tsx
@@ -36,42 +36,42 @@ const launcherPathTestCases: {
   {
     name: 'no state and no path',
     path: '?path=',
-    expectedPath: 'x-teleport-auth',
+    expectedPath: 'undefined/x-teleport-auth',
   },
   {
     name: 'no state with path',
     path: '?path=%2Ffoo%2Fbar',
-    expectedPath: 'x-teleport-auth?path=%2Ffoo%2Fbar',
+    expectedPath: 'undefined/x-teleport-auth?path=%2Ffoo%2Fbar',
   },
   {
     name: 'no state with other path params (clusterId, publicAddr, publicArn',
     path: '/some-cluster-id/some-public-addr/arn::123/name',
     expectedPath:
-      'x-teleport-auth?cluster=some-cluster-id&addr=some-public-addr&arn=arn%3A%3A123',
+      'some-public-addr/x-teleport-auth?cluster=some-cluster-id&addr=some-public-addr&arn=arn%3A%3A123',
   },
   {
     name: 'no state with path and with other path params',
     path: '/some-cluster-id/some-public-addr/arn::123/name?path=%2Ffoo%2Fbar',
     expectedPath:
-      'x-teleport-auth?path=%2Ffoo%2Fbar&cluster=some-cluster-id&addr=some-public-addr&arn=arn%3A%3A123',
+      'some-public-addr/x-teleport-auth?path=%2Ffoo%2Fbar&cluster=some-cluster-id&addr=some-public-addr&arn=arn%3A%3A123',
   },
   {
     name: 'with state',
     path: '?state=ABC',
     expectedPath:
-      'x-teleport-auth?state=ABC&subject=subject-cookie-value#value=cookie-value',
+      'grafana.localhost/x-teleport-auth?state=ABC&subject=subject-cookie-value#value=cookie-value',
   },
   {
     name: 'with state and path',
     path: '?state=ABC&path=%2Ffoo%2Fbar',
     expectedPath:
-      'x-teleport-auth?state=ABC&subject=subject-cookie-value&path=%2Ffoo%2Fbar#value=cookie-value',
+      'grafana.localhost/x-teleport-auth?state=ABC&subject=subject-cookie-value&path=%2Ffoo%2Fbar#value=cookie-value',
   },
   {
     name: 'with state, path, and params',
     path: '?state=ABC&path=%2Ffoo%2Fbar',
     expectedPath:
-      'x-teleport-auth?state=ABC&subject=subject-cookie-value&path=%2Ffoo%2Fbar#value=cookie-value',
+      'grafana.localhost/x-teleport-auth?state=ABC&subject=subject-cookie-value&path=%2Ffoo%2Fbar#value=cookie-value',
   },
 ];
 
@@ -116,7 +116,7 @@ describe('app launcher path is properly formed', () => {
 
       await waitFor(() =>
         expect(window.location.replace).toHaveBeenCalledWith(
-          `https://grafana.localhost/${expectedPath}`
+          `https://${expectedPath}`
         )
       );
       expect(screen.queryByText(/access denied/i)).not.toBeInTheDocument();

diff --git a/web/packages/teleport/src/AppLauncher/AppLauncher.tsx b/web/packages/teleport/src/AppLauncher/AppLauncher.tsx
@@ -119,10 +119,11 @@ export function AppLauncher() {
       }
 
       // Let the target app know of a new auth exchange.
+      const publicAddr = resolvedApp.publicAddress;
       const stateToken = queryParams.get('state');
       if (!stateToken) {
         initiateNewAuthExchange({
-          fqdn,
+          publicAddr,
           port,
           path,
           params,
@@ -138,7 +139,10 @@ export function AppLauncher() {
       const session = await service.createAppSession(params);
 
       // Set all the fields expected by server to validate request.
-      const url = getXTeleportAuthUrl({ fqdn, port });
+      const url = getXTeleportAuthUrl({
+        publicAddr: publicAddr,
+        port,
+      });
       url.searchParams.set('state', stateToken);
       url.searchParams.set('subject', session.subjectCookieValue);
       if (requiredApps.length > 1) {
@@ -217,9 +221,15 @@ function prepareFqdn(fqdn: string) {
   }
 }
 
-function getXTeleportAuthUrl({ fqdn, port }: { fqdn: string; port: string }) {
+function getXTeleportAuthUrl({
+  port,
+  publicAddr,
+}: {
+  port: string;
+  publicAddr: string;
+}) {
   try {
-    return new URL(`https://${fqdn}${port}/x-teleport-auth`);
+    return new URL(`https://${publicAddr}${port}/x-teleport-auth`);
   } catch (err) {
     throwFailedToParseUrlError(err);
   }
@@ -235,13 +245,13 @@ function getXTeleportAuthUrl({ fqdn, port }: { fqdn: string; port: string }) {
 //      bookmarked URL), in which the server will redirect the user
 //      to this launcher.
 function initiateNewAuthExchange({
-  fqdn,
+  publicAddr,
   port,
   params,
   path,
   requiredApps,
 }: {
-  fqdn: string;
+  publicAddr: string;
   port: string;
   // params will only be defined if the user clicked our "launch"
   // app button from the web UI.
@@ -255,7 +265,7 @@ function initiateNewAuthExchange({
   path: string;
   requiredApps: string[];
 }) {
-  const url = getXTeleportAuthUrl({ fqdn, port });
+  const url = getXTeleportAuthUrl({ publicAddr: params.publicAddr, port });
 
   if (path) {
     url.searchParams.set('path', path);