From 76aebc57283558f0d543205e611efda651655a75 Mon Sep 17 00:00:00 2001 From: Stavros Date: Sun, 21 Jun 2026 20:54:53 +0300 Subject: [PATCH] fix: cleanup oauth provider redirect url --- internal/bootstrap/app_bootstrap.go | 24 +++++++++++++++++++++++- internal/controller/oauth_controller.go | 2 +- internal/service/auth_service.go | 13 +------------ 3 files changed, 25 insertions(+), 14 deletions(-) diff --git a/internal/bootstrap/app_bootstrap.go b/internal/bootstrap/app_bootstrap.go index 0914282c..c24638f5 100644 --- a/internal/bootstrap/app_bootstrap.go +++ b/internal/bootstrap/app_bootstrap.go @@ -273,12 +273,16 @@ func (app *BootstrapApp) Setup() error { app.runtime.ConfiguredProviders = configuredProviders - // force tailscale app url if listening on a tailscale address + // if tailscale is enabled and listening, replace the app url with the tailscale hostname if app.services.tailscaleService != nil && app.config.Tailscale.Listen { tailscaleUrl := "https://" + app.services.tailscaleService.GetHostname() + + // if the tailscale url is different from the app url, replace it if tailscaleUrl != app.runtime.AppURL { app.log.App.Info().Msg("Listening on tailscale, replacing app url with tailscale hostname") + app.runtime.AppURL = tailscaleUrl + // also update cookie domain cookieDomain, err := utils.GetCookieDomain(tailscaleUrl, app.config.Auth.SubdomainsEnabled) 
@@ -290,6 +294,24 @@ func (app *BootstrapApp) Setup() error { } } + // force an update of the redirect urls for all oauth providers, if they are empty + services := app.services.oauthBrokerService.GetConfiguredServices() + + for _, service := range services { + oauthService, ok := app.services.oauthBrokerService.GetService(service) + + if !ok { + return fmt.Errorf("failed to get oauth service for provider %s", service) + } + + providerConfig := oauthService.GetConfig() + + if providerConfig.RedirectURL == "" { + providerConfig.RedirectURL = app.runtime.AppURL + "/api/oauth/callback/" + service + oauthService.UpdateConfig(providerConfig) + } + } + // setup router err = app.setupRouter() diff --git a/internal/controller/oauth_controller.go b/internal/controller/oauth_controller.go index 29663872..27fca206 100644 --- a/internal/controller/oauth_controller.go +++ b/internal/controller/oauth_controller.go @@ -350,7 +350,7 @@ func (controller *OAuthController) isRedirectSafe(redirectURI string) bool { return false } - if strings.EqualFold(u.Host, au.Host) { + if strings.EqualFold(u.Hostname(), au.Hostname()) { return true } diff --git a/internal/service/auth_service.go b/internal/service/auth_service.go index 627dd127..eeb5c8e1 100644 --- a/internal/service/auth_service.go +++ b/internal/service/auth_service.go @@ -544,18 +544,7 @@ func (auth *AuthService) GetOAuthURL(sessionId string) (string, error) { return "", err } - svc := session.Service - - cfg := svc.GetConfig() - - // If the redirect URL is not set in the service config, we set it ourselves - if cfg.RedirectURL == "" { - cfg.RedirectURL = auth.runtime.AppURL + "/api/oauth/callback/" + svc.ID() - } - - svc.UpdateConfig(cfg) - - return svc.GetAuthURL(session.State, session.Verifier), nil + return session.Service.GetAuthURL(session.State, session.Verifier), nil } func (auth *AuthService) GetOAuthToken(sessionId string, code string) (*oauth2.Token, error) {
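Review bot: The redirect URL default in the new loop is derived from `app.runtime.AppURL`, so it is only correct because it runs after the tailscale override above, and nothing in the code says so. A comment such as `// must run after the tailscale app url override: the callback url is derived from the final app url` would keep a later reorder from sending the provider a callback on the wrong host. The lead comment also says "force an update" while the code only fills in empty values; `// default the redirect url of every oauth provider that has none configured` matches the behaviour. Since the last hunk removes the per-request fallback in `GetOAuthURL`, this loop is now the only place that sets the default, assuming no provider is registered after `Setup`. The body of `Setup` starts and ends outside the hunk.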
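Review bot: Comparing `u.Hostname()` with `au.Hostname()` drops the port from the check, so in `isRedirectSafe` any port on the app host is now accepted as a safe redirect target, including ports served by a different process on the same machine. If that is intended (for example an app url without an explicit port), say so next to the comparison: `// port is deliberately ignored; every port on the app host is treated as trusted`. Otherwise keep the hostname comparison and additionally require `u.Port() == au.Port()` when `au.Port()` is non-empty. Whether the scheme is checked cannot be seen from here, since the function starts and ends outside the hunk.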