From 5f33f96ca8c4b888df128d0d4ebb92397a846959 Mon Sep 17 00:00:00 2001
From: amontenegro
Date: Tue, 19 Dec 2023 08:57:24 -0600
Subject: [PATCH] Sub domains should not match
---
 .../oauth/security/OrcidOauthRedirectResolver.java | 2 +-
 .../security/OrcidOauthRedirectResolverTest.java | 14 +++++++-------
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/orcid-core/src/main/java/org/orcid/core/oauth/security/OrcidOauthRedirectResolver.java b/orcid-core/src/main/java/org/orcid/core/oauth/security/OrcidOauthRedirectResolver.java
index 63b4fbcc378..4c790a3ad92 100644
--- a/orcid-core/src/main/java/org/orcid/core/oauth/security/OrcidOauthRedirectResolver.java
+++ b/orcid-core/src/main/java/org/orcid/core/oauth/security/OrcidOauthRedirectResolver.java
@@ -91,6 +91,6 @@ private boolean isEqual(String str1, String str2) {
 @Override
 protected boolean hostMatches(String registered, String requested) {
- return isEqual(registered, requested) || (requested != null && requested.endsWith("." + registered));
+ return isEqual(registered, requested);
 }
 }
diff --git a/orcid-core/src/test/java/org/orcid/core/oauth/security/OrcidOauthRedirectResolverTest.java b/orcid-core/src/test/java/org/orcid/core/oauth/security/OrcidOauthRedirectResolverTest.java
index d11533c2b9b..3684a5643f4 100644
--- a/orcid-core/src/test/java/org/orcid/core/oauth/security/OrcidOauthRedirectResolverTest.java
+++ b/orcid-core/src/test/java/org/orcid/core/oauth/security/OrcidOauthRedirectResolverTest.java
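Review bot: The new `hostMatches` on the `+` line now rests entirely on `isEqual`, whose null and case handling are defined above the hunk and not visible here; hostnames are case-insensitive, so a case-sensitive `isEqual` would reject `https://ORCID.org` for a registered `orcid.org`, which fails closed and is acceptable but should be a documented choice rather than an accident. Add a Javadoc on the override so the wildcard is not reintroduced later, e.g. `/** Exact host match only: subdomains of the registered host are rejected, in line with exact redirect-URI matching for OAuth 2.0. */`. If the parent class's default `hostMatches` is already plain string equality (this looks like an override of a framework resolver, not confirmed from the hunk), the override now duplicates it and could be removed, shrinking the redirect-validation code that has to stay audited. `isEqual` and the enclosing class begin outside the hunk.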
@@ -218,14 +218,14 @@ private void redirectUriGeneralTest() {
 @Test
 public void redirectMatches_AllowMatchingSubdomainsTest() {
- // Temp: Subdomain should match if the togglz is OFF
- assertTrue(resolver.redirectMatches("https://www.orcid.org", "https://orcid.org"));
- assertTrue(resolver.redirectMatches("https://qa.orcid.org", "https://orcid.org"));
+ // Subdomain should not match
+ assertFalse(resolver.redirectMatches("https://www.orcid.org", "https://orcid.org"));
+ assertFalse(resolver.redirectMatches("https://qa.orcid.org", "https://orcid.org"));
- // Acceptance criteria checks: These should pass when the togglz is OFF
- assertTrue(resolver.redirectMatches("https://subdomain.example.com/", "https://example.com"));
- assertTrue(resolver.redirectMatches("https://subdomain.example.com/subdirectory", "https://example.com"));
- assertTrue(resolver.redirectMatches("https://www.example.com", "https://example.com"));
+ // Acceptance criteria checks: subdomains should be rejected
+ assertFalse(resolver.redirectMatches("https://subdomain.example.com/", "https://example.com"));
+ assertFalse(resolver.redirectMatches("https://subdomain.example.com/subdirectory", "https://example.com"));
+ assertFalse(resolver.redirectMatches("https://www.example.com", "https://example.com"));
 }
 }
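Review bot: The test method is still named `redirectMatches_AllowMatchingSubdomainsTest` although every assertion on the `+` lines now rejects subdomains; rename it, e.g. `public void redirectMatches_RejectSubdomainsTest() {`, so the name no longer contradicts what it checks. The hunk also contains no positive control, so a resolver that rejected every redirect would pass it; add `assertTrue(resolver.redirectMatches("https://orcid.org", "https://orcid.org"));` unless an exact-match case already lives in `redirectUriGeneralTest`, which sits outside the hunk. A negative case in the reverse direction, `assertFalse(resolver.redirectMatches("https://orcid.org", "https://www.orcid.org"));` (argument order inferred from the existing calls), would pin that host matching is not a suffix check either way.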