Mirror of https://github.com/zulip/zulip.git, synced 2025-10-26 09:34:02 +00:00
auth: Fix bug with subdomains and GitHub auth causing apparent logouts.
This adds a new setting, SOCIAL_AUTH_SUBDOMAIN, which specifies which domain should be used for GitHub auth and other python-social-auth backends. If one is running a single-realm Zulip server like chat.zulip.org, one doesn't need to use this setting, but for multi-realm servers using social auth, this fixes an annoying bug where the session cookie that python-social-auth sets early in the auth process on the root domain ends up masking the session cookie that would have been used to determine a user is logged in. The end result was that logging in with GitHub on one domain on a multi-realm server like zulipchat.com would appear to log you out from all the others! We fix this by moving python-social-auth to a separate subdomain. Fixes: #9847.
Committed by: Tim Abbott
Parent: 4bbccd8287
Commit: 9b485f3ef4
@@ -34,6 +34,8 @@ ZULIP_RESERVED_SUBDOMAINS = frozenset([
'contribute', 'floss', 'foss', 'free', 'opensource', 'open', 'code', 'license',
# intership programs
'intern', 'outreachy', 'gsoc', 'gci', 'externship',
# Things that sound like security
'auth', 'authentication', 'security',
# tech blogs
'engineering', 'infrastructure', 'tooling', 'tools', 'javascript', 'python'])
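Review bot: the 'auth', 'authentication', 'security' entries added to ZULIP_RESERVED_SUBDOMAINS protect the social-auth subdomain only by convention; nothing in this hunk ties the reserved list to the actual value of the SOCIAL_AUTH_SUBDOMAIN setting the commit message introduces, so an administrator who sets it to a name outside this frozenset could still have a realm created on that same subdomain, and the cookie isolation this change relies on would be lost. Consider also rejecting settings.SOCIAL_AUTH_SUBDOMAIN explicitly in the realm-creation check (or documenting that the setting must be one of the reserved names), and while here fixing the context line's "# intership programs" typo to "internship".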