fix: parity of Base64/URL encoding between frontend and backend (#611 )

Signed-off-by: Arnaud Rocher <arnaud.roche3@gmail.com> (cherry picked from commit 5d58df8a19)
Merge commit from fork
2026-02-23 02:46:23 +00:00 · 2026-01-29 22:39:33 +01:00 · 2026-01-29 22:38:42 +01:00
2 changed files with 14 additions and 5 deletions
--- a/frontend/src/helpers/encoding.js
+++ b/frontend/src/helpers/encoding.js
@@ -1,7 +1,7 @@
 export function base64_url_encode(input) {
  let output = btoa(input)
-  output = output.replace('+', '.')
-  output = output.replace('/', '_')
-  output = output.replace('=', '-')
+  output = output.replaceAll('+', '.')
+  output = output.replaceAll('/', '_')
+  output = output.replaceAll('=', '-')
  return output
 }
--- a/internal/app/api/v0/handlers/endpoint_authentication.go
+++ b/internal/app/api/v0/handlers/endpoint_authentication.go
@@ -6,7 +6,6 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
-	"strings"
 	"time"

 	"github.com/go-pkgz/routegroup"
@@ -449,7 +448,17 @@ func (e AuthEndpoint) handleLogoutPost() http.HandlerFunc {

 // isValidReturnUrl checks if the given return URL matches the configured external URL of the application.
 func (e AuthEndpoint) isValidReturnUrl(returnUrl string) bool {
-	if !strings.HasPrefix(returnUrl, e.cfg.Web.ExternalUrl) {
+	expectedUrl, err := url.Parse(e.cfg.Web.ExternalUrl)
+	if err != nil {
+		return false
+	}
+
+	returnUrlParsed, err := url.Parse(returnUrl)
+	if err != nil {
+		return false
+	}
+
+	if returnUrlParsed.Scheme != expectedUrl.Scheme || returnUrlParsed.Host != expectedUrl.Host {
 		return false
 	}