From d20c5d2dff1cc7142da825b3b1b3a8c36dad9af7 Mon Sep 17 00:00:00 2001 From: NamanMahor Date: Thu, 11 Jun 2026 20:37:38 +0530 Subject: [PATCH 1/2] fix for redirect validation in login flow --- admin/server/auth/handlers.go | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/admin/server/auth/handlers.go b/admin/server/auth/handlers.go index 486882f9ea8..f3031f30b3b 100644 --- a/admin/server/auth/handlers.go +++ b/admin/server/auth/handlers.go @@ -179,10 +179,8 @@ func (a *Authenticator) authStart(w http.ResponseWriter, r *http.Request, signup } // If this is part of the custom domain login flow, save that info in the cookie since we need that info when handling the auth callback. - customDomainFlow := false if b, err := strconv.ParseBool(r.URL.Query().Get("custom_domain_flow")); err == nil && b { sess.Values[cookieFieldCustomDomainFlow] = b - customDomainFlow = b } // Save cookie 
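Review bot: The `custom_domain_flow` query flag is still copied into the session (`sess.Values[cookieFieldCustomDomainFlow] = b`) after this hunk stops using it for redirect validation, so the value that reaches the auth callback remains client-controlled. That is worth recording next to the existing comment so the flag is not reintroduced as a trust signal later: `// NOTE: custom_domain_flow is supplied by the client; it may steer callback routing but must never gate redirect or authorization checks.` authStart continues past both ends of this hunk.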
@@ -191,18 +189,19 @@ func (a *Authenticator) authStart(w http.ResponseWriter, r *http.Request, signup return } - // Redirect to /auth/login (custom domain flow) host := originalHost(r) - if a.admin.URLs.IsCustomDomain(host) { - customCallbackURL := a.admin.URLs.WithCustomDomain(host).AuthCustomDomainCallback(state) - canonicalLoginURL := a.admin.URLs.AuthLogin(customCallbackURL, true) - http.Redirect(w, r, canonicalLoginURL, http.StatusTemporaryRedirect) + isCustomDomain := a.admin.URLs.IsCustomDomain(host) + err := a.validateRedirectURL(r.Context(), redirect, isCustomDomain) + if err != nil { + http.Error(w, err.Error(), http.StatusBadRequest) return } - err := a.validateRedirectURL(r.Context(), redirect, customDomainFlow) - if err != nil { - http.Error(w, err.Error(), http.StatusBadRequest) + // Redirect to /auth/login (custom domain flow) + if isCustomDomain { + customCallbackURL := a.admin.URLs.WithCustomDomain(host).AuthCustomDomainCallback(state) + canonicalLoginURL := a.admin.URLs.AuthLogin(customCallbackURL, true) + http.Redirect(w, r, canonicalLoginURL, http.StatusTemporaryRedirect) return } From e72c1e1dcabe8fe591948b2f1088b9266bdfc18c Mon Sep 17 00:00:00 2001 From: NamanMahor Date: Thu, 11 Jun 2026 20:47:55 +0530 Subject: [PATCH 2/2] simplify --- admin/server/auth/handlers.go | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/admin/server/auth/handlers.go b/admin/server/auth/handlers.go index f3031f30b3b..ba8c736f34e 100644 --- a/admin/server/auth/handlers.go +++ b/admin/server/auth/handlers.go 
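Review bot: The redirect is validated only after the session cookie has been saved (the `// Save cookie` step of the previous hunk precedes the `return }` that opens this one), so a request carrying a rejected `redirect` still gets the Set-Cookie header on the 400 response; if `redirect` is written into `sess` earlier in authStart (not visible here), the rejected value is persisted in the client's session. Moving the `err := a.validateRedirectURL(r.Context(), redirect, isCustomDomain)` block above the save keeps invalid state out of the cookie. Deriving `isCustomDomain` from `originalHost(r)` instead of the query flag is the right fix; if `originalHost` reads forwarded headers, that value is only as trustworthy as the proxy setting them, which deserves a one-line comment here. authStart continues past both ends of this hunk.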
@@ -189,16 +189,15 @@ func (a *Authenticator) authStart(w http.ResponseWriter, r *http.Request, signup return } - host := originalHost(r) - isCustomDomain := a.admin.URLs.IsCustomDomain(host) - err := a.validateRedirectURL(r.Context(), redirect, isCustomDomain) + err := a.validateRedirectURL(r.Context(), redirect) if err != nil { http.Error(w, err.Error(), http.StatusBadRequest) return } // Redirect to /auth/login (custom domain flow) - if isCustomDomain { + host := originalHost(r) + if a.admin.URLs.IsCustomDomain(host) { customCallbackURL := a.admin.URLs.WithCustomDomain(host).AuthCustomDomainCallback(state) canonicalLoginURL := a.admin.URLs.AuthLogin(customCallbackURL, true) http.Redirect(w, r, canonicalLoginURL, http.StatusTemporaryRedirect) @@ -595,7 +594,7 @@ func (a *Authenticator) authLogoutProvider(w http.ResponseWriter, r *http.Reques // Validate and set custom redirect destination in cookie for when the logout flow is over (if any) redirect := r.URL.Query().Get("redirect") if redirect != "" { - err := a.validateRedirectURL(r.Context(), redirect, true) + err := a.validateRedirectURL(r.Context(), redirect) if err != nil { http.Error(w, err.Error(), http.StatusBadRequest) return @@ -727,13 +726,10 @@ func (a *Authenticator) getAccessToken(w http.ResponseWriter, r *http.Request) { } } -func (a *Authenticator) validateRedirectURL(ctx context.Context, redirect string, allowCustomDomains bool) error { +func (a *Authenticator) validateRedirectURL(ctx context.Context, redirect string) error { if a.admin.URLs.IsSafeRedirectURL(redirect) { return nil } - if !allowCustomDomains { - return fmt.Errorf("redirect to %q is not allowed", redirect) - } parsed, err := url.Parse(redirect) if err != nil {
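Review bot: Dropping the `allowCustomDomains` parameter from `validateRedirectURL` widens the accepted redirects for every caller: a target that fails `IsSafeRedirectURL` was previously rejected outright in the non-custom-domain flow and now falls through to the custom-domain check below the hunk, so that check (not visible here; the function continues past the hunk) becomes the only gate for such targets and must stay an exact allow-list match on the parsed host rather than a prefix or suffix test. If the widening is intended, state the contract in a doc comment on the function, e.g. `// validateRedirectURL accepts a redirect that is either a safe first-party URL or points at a registered custom domain; anything else is rejected.` Removing the `fmt.Errorf` here may leave the `fmt` import unused if nothing else in the file references it, which the build would flag. The same two-argument call change applies to the authStart and authLogoutProvider hunks above in this patch.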