Evil apps with cannot cheat with subdomains anymore

Author: jaxoncreed

lib/requests/consent-request.js

@@ -72,7 +72,7 @@ class ConsentRequest extends AuthRequest {
     // Check if is already registered or is data browser
     if (request.isUserLoggedIn()) {
       if (
-        (appUrl && appUrl.host.includes(serverUrl.host) && appUrl.protocol === serverUrl.protocol) ||
+        (appUrl && request.isSubdomain(serverUrl.host, appUrl.host) && appUrl.protocol === serverUrl.protocol) ||
         await request.isAppRegistered(req.app.locals.ldp, appOrigin, request.session.subject._id)
       ) {
         request.setUserConsent(appOrigin)
@@ -117,6 +117,17 @@ class ConsentRequest extends AuthRequest {
     }
   }
 
+  isSubdomain (domain, subdomain) {
+    const domainArr = domain.split('.')
+    const subdomainArr = subdomain.split('.')
+    for (let i = 1; i <= domainArr.length; i++) {
+      if (subdomainArr[subdomainArr.length - i] !== domainArr[domainArr.length - i]) {
+        return false
+      }
+    }
+    return true
+  }
+
   setUserConsent (appOrigin) {
     if (!this.session.consentedOrigins) {
       this.session.consentedOrigins = []