From e62db0d62ebabbec39c767b953b92fb4b4d08a81 Mon Sep 17 00:00:00 2001
From: h44z
Date: Thu, 29 Jan 2026 22:37:16 +0100
Subject: [PATCH] Merge commit from fork

* fix: prevent open redirect in OAuth return URL validation

* reformat check

---------

Co-authored-by: Arne Cools
---
 .../app/api/v0/handlers/endpoint_authentication.go | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/internal/app/api/v0/handlers/endpoint_authentication.go b/internal/app/api/v0/handlers/endpoint_authentication.go
index 26532b0..b14648d 100644
--- a/internal/app/api/v0/handlers/endpoint_authentication.go
+++ b/internal/app/api/v0/handlers/endpoint_authentication.go
@@ -6,7 +6,6 @@ import (
 "net/http"
 "net/url"
 "strconv"
- "strings"
 "time"
 
 "github.com/go-pkgz/routegroup"
@@ -449,7 +448,17 @@ func (e AuthEndpoint) handleLogoutPost() http.HandlerFunc {
 // isValidReturnUrl checks if the given return URL matches the configured external URL of the application.
 func (e AuthEndpoint) isValidReturnUrl(returnUrl string) bool {
- if !strings.HasPrefix(returnUrl, e.cfg.Web.ExternalUrl) {
+ expectedUrl, err := url.Parse(e.cfg.Web.ExternalUrl)
+ if err != nil {
+ return false
+ }
+
+ returnUrlParsed, err := url.Parse(returnUrl)
+ if err != nil {
+ return false
+ }
+
+ if returnUrlParsed.Scheme != expectedUrl.Scheme || returnUrlParsed.Host != expectedUrl.Host {
 return false
 }