fix: use runtime trusted uris in oauth controller

2026-06-18 01:10:12 +00:00 · 2026-06-17 12:33:09 +03:00
parent a9face749d
commit e7d26f497d
5 changed files with 125 additions and 79 deletions
@@ -3,6 +3,7 @@ package controller
 import (
 	"fmt"
 	"net/http"
+	"net/url"
 	"strings"
 	"time"

@@ -80,9 +81,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	}

 	if !controller.isOidcRequest(reqParams) {
-		isRedirectSafe := utils.IsRedirectSafe(reqParams.RedirectURI, controller.runtime.CookieDomain)
-
-		if !isRedirectSafe {
+		if !controller.isRedirectSafe(reqParams.RedirectURI) {
 			controller.log.App.Warn().Str("redirectUri", reqParams.RedirectURI).Msg("Unsafe redirect URI, ignoring")
 			reqParams.RedirectURI = ""
 		}
@@ -310,3 +309,39 @@ func (controller *OAuthController) getCookieDomain() string {
 	}
 	return controller.runtime.CookieDomain
 }
+
+func (controller *OAuthController) isRedirectSafe(redirectURI string) bool {
+	u, err := url.Parse(redirectURI)
+
+	if err != nil || u.Host == "" || u.Scheme == "" {
+		return false
+	}
+
+	for _, allowed := range controller.runtime.TrustedDomains {
+		tu, err := url.Parse(allowed)
+		if err != nil {
+			controller.log.App.Error().Err(err).Str("allowed", allowed).Msg("Failed to parse trusted domain")
+			continue
+		}
+
+		if tu.Scheme != u.Scheme {
+			continue
+		}
+
+		// exact match
+		if u.Host == tu.Host {
+			return true
+		}
+
+		// subdomain match (trim the tinyauth part)
+		_, root, ok := strings.Cut(tu.Host, ".")
+		if !ok {
+			continue
+		}
+		if strings.HasSuffix(u.Host, "."+root) {
+			return true
+		}
+	}
+
+	return false
+}
@@ -0,0 +1,83 @@
+package controller
+
+import (
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/assert"
+	"github.com/tinyauthapp/tinyauth/internal/test"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+)
+
+func TestOAuthController(t *testing.T) {
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
+
+	cfg, runtime := test.CreateTestConfigs(t)
+
+	type testCase struct {
+		description string
+		run         func(ctrl *OAuthController)
+	}
+
+	tests := []testCase{
+		{
+			description: "Test exact match of redirect URI",
+			run: func(ctrl *OAuthController) {
+				redirectUri := "https://tinyauth.example.com"
+				assert.True(t, ctrl.isRedirectSafe(redirectUri))
+			},
+		},
+		{
+			description: "Test subdomain match of redirect URI",
+			run: func(ctrl *OAuthController) {
+				redirectUri := "https://sub.example.com"
+				assert.True(t, ctrl.isRedirectSafe(redirectUri))
+			},
+		},
+		{
+			description: "Test different trusted domain",
+			run: func(ctrl *OAuthController) {
+				redirectUri := "https://app.foo.com"
+				assert.True(t, ctrl.isRedirectSafe(redirectUri))
+			},
+		},
+		{
+			description: "Test invalid redirect URI",
+			run: func(ctrl *OAuthController) {
+				redirectUri := "https://malicious.com"
+				assert.False(t, ctrl.isRedirectSafe(redirectUri))
+			},
+		},
+		{
+			description: "Test empty redirect URI",
+			run: func(ctrl *OAuthController) {
+				redirectUri := ""
+				assert.False(t, ctrl.isRedirectSafe(redirectUri))
+			},
+		},
+		{
+			description: "Test redirect URI with different scheme",
+			run: func(ctrl *OAuthController) {
+				redirectUri := "http://tinyauth.example.com"
+				assert.False(t, ctrl.isRedirectSafe(redirectUri))
+			},
+		},
+	}
+
+	// TODO: add auth service
+	for _, tc := range tests {
+		t.Run(tc.description, func(t *testing.T) {
+			router := gin.Default()
+			group := router.Group("/api")
+			gin.SetMode(gin.TestMode)
+			ctrl := NewOAuthController(OAuthControllerInput{
+				Log:           log,
+				Config:        &cfg,
+				RuntimeConfig: &runtime,
+				RouterGroup:   group,
+			})
+			tc.run(ctrl)
+		})
+	}
+}