fix(redirect): allow root cookie domain host redirects (#409)

Previously IsRedirectSafe rejected redirects to the exact cookie domain when AppURL had multiple subdomain levels, because it stripped the first label twice.
2025-10-28 12:45:47 +00:00 · 2025-10-13 21:55:43 +13:00
parent a9c1bf8865
commit f628d1f0b3
2 changed files with 42 additions and 7 deletions
--- a/internal/utils/app_utils.go
+++ b/internal/utils/app_utils.go
@@ -100,17 +100,17 @@ func IsRedirectSafe(redirectURL string, domain string) bool {
 		return false
 	}

-	cookieDomain, err := GetCookieDomain(redirectURL)
+	host := parsedURL.Hostname()
+	if host == domain {
+		return true
+	}

+	cookieDomain, err := GetCookieDomain(redirectURL)
 	if err != nil {
 		return false
 	}

-	if cookieDomain != domain {
-		return false
-	}
-
-	return true
+	return cookieDomain == domain
 }

 func GetLogLevel(level string) zerolog.Level {