fix: Add redirect URL validation to OIDC flow

gandalf_automationrequested to merge
improve-oidc-redirect-handling into develop

Summary

  • Add defense-in-depth validation for redirect URLs in OIDC login/consent flow
  • Validates returnTo URLs are same-origin before redirecting
  • Logs rejected redirects for security monitoring

Details

While oidc-provider generates returnTo internally (not from user input), this validation provides protection against:

  • Potential library vulnerabilities
  • Future code changes that might introduce new redirect sources
  • Unforeseen manipulation vectors

Validation allows:

  • Relative URLs starting with the OIDC prefix (/oidc/...)
  • Absolute URLs with the same origin as the site

Test plan

  • Verify OIDC login flow works normally (returnTo should pass validation)
  • Verify OIDC consent flow works normally
  • Verify OpenHive.Chat OAuth integration still works
  • Check logs for any unexpected rejected redirects

Merge request reports