Restrict redirect hosts in login flow

[Copilot]

The redirect parameter in the auth callback was never validated, allowing redirects to arbitrary external hosts (open redirect).

Changes

Config

• Added AllowedRedirectHosts []string to config.Auth, sourced from AUTH_ALLOWED_REDIRECT_HOSTS (comma-separated hostnames)

Auth Controller

• AuthCallback now reads the request body, validates redirect before delegating to the provider, then restores the body for the provider to consume
• New validateRedirect method enforces:
  • Relative paths (/foo) → always allowed
  • Protocol-relative URLs (//evil.com) → always rejected
  • Absolute URLs → allowed only if hostname is in AllowedRedirectHosts; when the list is empty, all absolute redirects are rejected

// AUTH_ALLOWED_REDIRECT_HOSTS=app.example.com,staging.example.com
type Auth struct {
    AllowedRedirectHosts []string `env:"ALLOWED_REDIRECT_HOSTS" envSeparator:","`
    // ...
}

Tests

• TestValidateRedirect — unit tests covering relative, protocol-relative, allowed, and disallowed URL cases
• TestAuthCallbackRejectsDisallowedRedirect — handler-level tests confirming disallowed absolute redirects return HTTP 400 while valid ones proceed to auth

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Restrict redirect hosts in login flow</issue_title>
<issue_description>The redirect url right now is not validated against a list of restricted host names. A configuration has to be introduced restricting the hosts the user could be redirected to.</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Restrict redirect hosts in login flow #198

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[jeroenrinzema]

please use internal/http/json instead.

[Copilot]

Done in c86e4df — replaced encoding/json with internal/http/json.