fix: oidc redirect#1716
Conversation
- add redirect checks for logout - add `P_ALLOW_ORIGINS` env var to allow redirection to other origins
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
💤 Files with no reviewable changes (1)
🚧 Files skipped from review as they are similar to previous changes (1)
WalkthroughAdds a new CLI option ChangesAllowed origins config and OIDC redirect validation
Estimated code review effort: 3 (Moderate) | ~20 minutes Sequence Diagram(s)sequenceDiagram
participant Client
participant OIDCHandler
participant RedirectValidator
participant Config
Client->>OIDCHandler: login/logout request with redirect
OIDCHandler->>OIDCHandler: build base_url from scheme+host
OIDCHandler->>RedirectValidator: is_valid_redirect_url(redirect, base_url)
RedirectValidator->>Config: read allow_origins
Config-->>RedirectValidator: allowed origins
RedirectValidator-->>OIDCHandler: valid or invalid
OIDCHandler-->>Client: redirect response or BadRequest
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
src/handlers/http/oidc.rs (1)
656-664: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winIrrefutable
if letpattern and needless boolean returns.
if let allowed_origins = &PARSEABLE.options.allow_originsbinds an irrefutable pattern, which triggers theirrefutable_let_patternslint (a warning that fails CI under-D warnings) and also relies on the let-chains feature unnecessarily. Combined with thetrue/else { ... }branches, this can be collapsed into a single expression.♻️ Proposed simplification
fn is_valid_redirect_url(base_url: &str, redirect_url: &str) -> bool { - // check if redirect_url is part of allowed origins - if let allowed_origins = &PARSEABLE.options.allow_origins - && (allowed_origins - .iter() - .any(|url| url.as_str().eq(redirect_url))) - { - true - } - // if redirect_url is not part of allowed origins, then it must be equal to base url - else { - base_url == redirect_url - } + // allowed if redirect_url is an allowed origin, otherwise it must equal base_url + PARSEABLE + .options + .allow_origins + .iter() + .any(|url| url.as_str() == redirect_url) + || base_url == redirect_url }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/handlers/http/oidc.rs` around lines 656 - 664, In is_valid_redirect_url, remove the irrefutable if let let-chain around PARSEABLE.options.allow_origins and simplify the function to a direct boolean expression; use allow_origins.iter().any(...) to check the redirect_url against the allowed list, then return that result together with the existing base_url validation logic instead of branching on true/false.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/handlers/http/oidc.rs`:
- Around line 656-668: The redirect validation in is_valid_redirect_url is
matching full serialized URLs instead of origins, so allowlisted redirects with
paths or queries are incorrectly rejected. Parse redirect_url as a Url and
compare its origin() against the origins from PARSEABLE.options.allow_origins
rather than using as_str() equality. Apply the same origin-based check to the
base_url fallback so it accepts matching origins consistently. Keep the fix
localized to is_valid_redirect_url in oidc.rs.
---
Nitpick comments:
In `@src/handlers/http/oidc.rs`:
- Around line 656-664: In is_valid_redirect_url, remove the irrefutable if let
let-chain around PARSEABLE.options.allow_origins and simplify the function to a
direct boolean expression; use allow_origins.iter().any(...) to check the
redirect_url against the allowed list, then return that result together with the
existing base_url validation logic instead of branching on true/false.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: 0578ff15-d544-4fc4-adbb-41148d83561b
📒 Files selected for processing (3)
src/cli.rssrc/handlers/http/oidc.rssrc/option.rs
P_ALLOW_ORIGINSenv var to allow redirection to other originsFixes #XXXX.
Description
This PR has:
Summary by CodeRabbit