Merge branch 'fosrl:dev' into dev

2026-05-18 23:05:21 +00:00 · 2026-05-03 18:53:48 +02:00
parent 8e1905a695 70f619b726
commit b2c8311b26
634 changed files with 38068 additions and 10086 deletions
--- a/server/routers/badger/exchangeSession.ts
+++ b/server/routers/badger/exchangeSession.ts
@@ -6,7 +6,7 @@ import { fromError } from "zod-validation-error";
 import logger from "@server/logger";
 import { resourceAccessToken, resources, sessions } from "@server/db";
 import { db } from "@server/db";
-import { eq } from "drizzle-orm";
+import { and, eq, inArray, or, sql } from "drizzle-orm";
 import {
    createResourceSession,
    serializeResourceSessionCookie,
@@ -65,11 +65,31 @@ export async function exchangeSession(

        const clientIp = requestIp ? stripPortFromHost(requestIp) : undefined;

-        const [resource] = await db
+        const parts = cleanHost.split(".");
+        const wildcardCandidates: string[] = [];
+        for (let i = 1; i < parts.length; i++) {
+            wildcardCandidates.push(`*.${parts.slice(i).join(".")}`);
+        }
+
+        const potentialResources = await db
            .select()
            .from(resources)
-            .where(eq(resources.fullDomain, cleanHost))
-            .limit(1);
+            .where(
+                or(
+                    eq(resources.fullDomain, cleanHost),
+                    wildcardCandidates.length > 0
+                        ? and(
+                              eq(resources.wildcard, true),
+                              inArray(resources.fullDomain, wildcardCandidates)
+                          )
+                        : sql`false`
+                )
+            );
+
+        const exactMatch = potentialResources.find(
+            (r) => r.fullDomain === cleanHost
+        );
+        const resource = exactMatch ?? potentialResources[0];

        if (!resource) {
            return next(
@@ -178,7 +198,7 @@ export async function exchangeSession(
        const cookieName = `${config.getRawConfig().server.session_cookie_name}`;
        const cookie = serializeResourceSessionCookie(
            cookieName,
-            resource.fullDomain!,
+            cleanHost,
            token,
            !resource.ssl,
            expiresAt ? new Date(expiresAt) : undefined
--- a/server/routers/badger/logRequestAudit.ts
+++ b/server/routers/badger/logRequestAudit.ts
@@ -18,6 +18,7 @@ Reasons:
 105 - Valid Password
 106 - Valid email
 107 - Valid SSO
+108 - Connected Client

 201 - Resource Not Found
 202 - Resource Blocked
@@ -38,6 +39,7 @@ const auditLogBuffer: Array<{
    metadata: any;
    action: boolean;
    resourceId?: number;
+    siteResourceId?: number;
    reason: number;
    location?: string;
    originalRequestURL: string;
@@ -186,6 +188,7 @@ export async function logRequestAudit(
        action: boolean;
        reason: number;
        resourceId?: number;
+        siteResourceId?: number;
        orgId?: string;
        location?: string;
        user?: { username: string; userId: string };
@@ -262,6 +265,7 @@ export async function logRequestAudit(
            metadata: sanitizeString(metadata),
            action: data.action,
            resourceId: data.resourceId,
+            siteResourceId: data.siteResourceId,
            reason: data.reason,
            location: sanitizeString(data.location),
            originalRequestURL: sanitizeString(body.originalRequestURL) ?? "",