Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Enables cross-space authentication when spaces live under the same base domain (subdomains), by sharing the session cookie across subdomains and ensuring OmniAuth/ORCID flows redirect users back to the originating space safely.
Changes:
- Configure session cookies for cross-subdomain sharing and add legacy-cookie cleanup on login/logout.
- Add “space-aware” redirects for OmniAuth and ORCID callbacks (only for allowed subdomain spaces).
- Introduce subdomain detection + helper gating to show OmniAuth/ORCID UI only where supported; expand test coverage accordingly.
Reviewed changes
Copilot reviewed 20 out of 21 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| test/unit/config_test.rb | Adds coverage for parsing base_uri domain. |
| test/models/space_test.rb | Adds unit tests for Space#is_subdomain?. |
| test/integration/omniauth_test.rb | Verifies post-auth redirect behavior back to origin space (and safety on other domains). |
| test/integration/login_test.rb | Verifies legacy host-only cookie is cleared on login/logout. |
| test/controllers/users_controller_test.rb | Ensures ORCID button visibility respects subdomain support rules. |
| test/controllers/static_controller_test.rb | Ensures OmniAuth login options only show on supported (subdomain) spaces. |
| test/controllers/orcid_controller_test.rb | Verifies ORCID redirect URI + state handling + callback redirects per space rules. |
| config/routes.rb | Wires Devise sessions to a custom controller for legacy cookie cleanup. |
| config/initializers/session_store.rb | Sets cookie domain to enable cross-subdomain session sharing. |
| config/application.rb | Adds TeSS::Config.base_uri to derive a base domain from base_url. |
| app/views/users/show.html.erb | Gates ORCID authenticate/link button behind space_supports_omniauth?. |
| app/views/layouts/_login_menu.html.erb | Hides OmniAuth login options when the space doesn’t support cross-host auth. |
| app/models/space.rb | Adds Space#is_subdomain? helper for “under base domain” checks. |
| app/helpers/spaces_helper.rb | Adds space_supports_omniauth? helper used by views. |
| app/helpers/application_helper.rb | Adds space_id param to OmniAuth authorize requests for non-default spaces. |
| app/controllers/tess_devise/sessions_controller.rb | Clears legacy host-only session cookie on create/destroy. |
| app/controllers/orcid_controller.rb | Adds state-based space return handling and uses base host for redirect URI. |
| app/controllers/concerns/space_redirect.rb | Adds shared redirect helper to safely redirect to allowed subdomain spaces. |
| app/controllers/callbacks_controller.rb | Adds space-aware redirect after OmniAuth callback. |
| Gemfile.lock | Locks addressable dependency. |
| Gemfile | Adds addressable for base-domain parsing. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+2
to
5
| opts = { | ||
| domain: :all | ||
| } | ||
|
|
There was a problem hiding this comment.
The session cookie is configured with domain: :all, which relies on Rails’ action_dispatch.tld_length to compute the parent domain correctly. This app doesn’t appear to set tld_length, so deployments on multi-part TLDs (e.g. example.co.uk) can result in an invalid Domain attribute (cookie rejected) and users being unexpectedly logged out across spaces. Consider setting an explicit cookie domain derived from TeSS::Config.base_uri.domain (when present) or configuring action_dispatch.tld_length accordingly.
Suggested change
| opts = { | |
| domain: :all | |
| } | |
| opts = {} | |
| if defined?(TeSS::Config) && TeSS::Config.respond_to?(:base_uri) && TeSS::Config.base_uri | |
| base_uri = TeSS::Config.base_uri | |
| cookie_domain = | |
| if base_uri.respond_to?(:domain) | |
| base_uri.domain | |
| elsif base_uri.respond_to?(:host) | |
| base_uri.host | |
| end | |
| opts[:domain] = cookie_domain if cookie_domain.present? | |
| end |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary of changes
Motivation and context
Checklist
to license it to the TeSS codebase under the
BSD license.