From 60a39890f0b6f1b0464ff28f6951cc99a64310a3 Mon Sep 17 00:00:00 2001
From: Calvin Montgomery
Date: Sun, 11 Nov 2018 16:11:51 -0800
Subject: [PATCH] Fix hostname comparison in /login
---
 src/web/auth.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/web/auth.js b/src/web/auth.js
index 0fa4795c..094ca1ca 100644
--- a/src/web/auth.js
+++ b/src/web/auth.js
@@ -53,7 +53,9 @@ function handleLogin(req, res) {
 var host = req.hostname;
 // TODO: remove this check from /login, make it generic middleware
- if (host.indexOf(Config.get("http.root-domain")) === -1 &&
+ // TODO: separate root-domain and "login domain", e.g. accounts.example.com
+ if (host !== Config.get("http.root-domain") &&
+ !host.endsWith("." + Config.get("http.root-domain")) &&
 Config.get("http.alt-domains").indexOf(host) === -1) {
 LOGGER.warn("Attempted login from non-approved domain " + host);
 return res.sendStatus(403);
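Review bot: `host.endsWith(...)` is called on `req.hostname` without checking that it is a string; Express leaves `req.hostname` undefined when the request carries no Host header, so such a request would throw a TypeError here instead of getting the 403 (the removed `indexOf` call had the same gap). A guard ahead of the comparison, e.g. `if (typeof host !== "string") return res.sendStatus(400);`, keeps the check fail-closed without relying on the error handler. The comparison is also case-sensitive, so a mixed-case Host value for an approved domain is rejected; lowercasing `host` once before comparing would avoid that if it is not intended. handleLogin starts above and continues below this hunk, so an earlier guard may already exist outside the visible lines.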