chore: Refactor authentication pass between subdomains (#1619)

* fix: Use get request instead of cookie to transfer token between domains

* Add domain to database
Add redirects to team domain when present

* 30s -> 1m

* fix: Avoid redirect loop if subdomain and domain set

* fix: Create a transfer specific token to prevent replay requests

* refactor: Move isCustomDomain out of shared as it won't work on the client

server/auth/index.js

@@ -3,10 +3,10 @@ import addMonths from "date-fns/add_months";
 import Koa from "koa";
 import bodyParser from "koa-body";
 import Router from "koa-router";
+import { AuthenticationError } from "../errors";
 import auth from "../middlewares/authentication";
 import validation from "../middlewares/validation";
 import { Team } from "../models";
-import { getCookieDomain } from "../utils/domains";
 
 import email from "./email";
 import google from "./google";
@@ -21,23 +21,20 @@ router.use("/", email.routes());
 
 router.get("/redirect", auth(), async (ctx) => {
   const user = ctx.state.user;
-
-  // transfer access token cookie from root to subdomain
-  const rootToken = ctx.cookies.get("accessToken");
   const jwtToken = user.getJwtToken();
 
-  if (rootToken === jwtToken) {
-    ctx.cookies.set("accessToken", undefined, {
-      httpOnly: true,
-      domain: getCookieDomain(ctx.request.hostname),
-    });
-
-    ctx.cookies.set("accessToken", jwtToken, {
-      httpOnly: false,
-      expires: addMonths(new Date(), 3),
-    });
+  if (jwtToken === ctx.params.token) {
+    throw new AuthenticationError("Cannot extend token");
   }
 
+  // ensure that the lastActiveAt on user is updated to prevent replay requests
+  await user.updateActiveAt(ctx.request.ip, true);
+
+  ctx.cookies.set("accessToken", jwtToken, {
+    httpOnly: false,
+    expires: addMonths(new Date(), 3),
+  });
+
   const team = await Team.findByPk(user.teamId);
   ctx.redirect(`${team.url}/home`);
 });