From 2f9b7ce0f0d75b4cd81c76b8b40b0e80dcfdef43 Mon Sep 17 00:00:00 2001
From: Warren Parad
Date: Mon, 5 Feb 2024 12:56:06 +0100
Subject: [PATCH] ensure authress sso login works with the latest version.
---
 src/index.js | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/index.js b/src/index.js
index 07e0096..ab48507 100644
--- a/src/index.js
+++ b/src/index.js
@@ -106,9 +106,14 @@ class LoginClient {
 return null;
 }
- // We use startsWith because the issuer will be limited to only the authress custom domain FQDN subdomain, the hostUrl could be a specific subdomain subdomain for the tenant.
- if (!this.hostUrl.startsWith(userData.iss)) {
- this.logger && this.logger.log && this.logger.log({ title: 'Token saved in browser is for a different issuer, discarding', currentHostUrl: this.hostUrl, savedUserData: userData });
+ // We use endsWith because the issuer will be limited to only the authress custom domain FQDN subdomain, the hostUrl could be a specific subdomain subdomain for the tenant.
+ // * issuer = tenant.custom.domain, hostUrl = custom.domain => ✓
+ // * issuer = accountid.login.authress.io, hostUrl = login.authress.io => ✓
+
+ const issuerOrigin = new URL(userData.iss).hostname;
+ const hostUrlOrigin = new URL(this.hostUrl).hostname;
+ if (!issuerOrigin.endsWith(hostUrlOrigin) && !hostUrlOrigin.endsWith(issuerOrigin)) {
+ this.logger && this.logger.log && this.logger.log({ title: 'Token saved in browser is for a different issuer, discarding', issuerOrigin, hostUrlOrigin, savedUserData: userData });
 userIdentityTokenStorageManager.clear();
 return null;
 }
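Review bot: The added `endsWith` condition compares hostnames as plain strings with no label boundary, so the issuer check accepts any hostname that merely shares a suffix: a constructed example is `notcustom.domain`, which ends with `custom.domain` just as `tenant.custom.domain` does. Because the test runs in both directions, a short parent name as issuer also matches any hostUrl beneath it. Requiring equality or a dot-prefixed suffix closes the first gap, e.g. `const within = (a, b) => a === b || a.endsWith('.' + b);` followed by `if (!within(issuerOrigin, hostUrlOrigin) && !within(hostUrlOrigin, issuerOrigin)) {`. Separately, `new URL(userData.iss)` throws when `iss` is missing or not an absolute URL, so a malformed saved token raises instead of being cleared; parsing inside a try/catch and treating a failure as a mismatch would keep the discard path. The enclosing method starts and ends outside this hunk, so whether the saved token's signature is verified before this check cannot be confirmed from here.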