fix: sanitize primary domain for orgs (#6125)

* fix: sanitize primary domain for orgs * fix: add @stebenz requested changes --------- Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-08-11 19:07:30 +00:00 · 2023-07-18 14:42:57 +02:00
parent ebb7a90ca7
commit ffb587f9ee
3 changed files with 125 additions and 8 deletions
--- a/internal/domain/org_domain.go
+++ b/internal/domain/org_domain.go
@@ -1,6 +1,7 @@
 package domain

 import (
+	"regexp"
 	"strings"

 	http_util "github.com/zitadel/zitadel/internal/api/http"
@@ -32,7 +33,38 @@ func (domain *OrgDomain) GenerateVerificationCode(codeGenerator crypto.Generator
 }

 func NewIAMDomainName(orgName, iamDomain string) string {
-	return strings.ToLower(strings.ReplaceAll(strings.TrimSpace(orgName), " ", "-") + "." + iamDomain)
+	// Reference: label domain requirements https://www.nic.ad.jp/timeline/en/20th/appendix1.html
+
+	// Replaces spaces in org name with hyphens
+	label := strings.ReplaceAll(orgName, " ", "-")
+
+	// The label must only contains alphanumeric characters and hyphens
+	// Invalid characters are replaced with and empty space
+	label = string(regexp.MustCompile(`[^a-zA-Z0-9-]`).ReplaceAll([]byte(label), []byte("")))
+
+	// The label cannot exceed 63 characters
+	if len(label) > 63 {
+		label = label[:63]
+	}
+
+	// The total length of the resulting domain can't exceed 253 characters
+	domain := label + "." + iamDomain
+	if len(domain) > 253 {
+		truncateNChars := len(domain) - 253
+		label = label[:len(label)-truncateNChars]
+	}
+
+	// Label (maybe truncated) can't start with a hyphen
+	if len(label) > 0 && label[0:1] == "-" {
+		label = label[1:]
+	}
+
+	// Label (maybe truncated) can't end with a hyphen
+	if len(label) > 0 && label[len(label)-1:] == "-" {
+		label = label[:len(label)-1]
+	}
+
+	return strings.ToLower(label + "." + iamDomain)
 }

 type OrgDomainValidationType int32