fix: callback redirect_uri behind reverse proxies (#13)#46
Open
tusharpandey13 wants to merge 1 commit into
Open
fix: callback redirect_uri behind reverse proxies (#13)#46tusharpandey13 wants to merge 1 commit into
tusharpandey13 wants to merge 1 commit into
Conversation
…ies (auth0#13) The callback handler built the completion URL from c.req.url, which is absolute. new URL(absolute, base) ignores base, so a reverse proxy / ALB that terminates TLS leaks the wrong protocol (http) and host into the URL. The computed redirect_uri then differs from the one sent at login start, breaking the token exchange. Add createCallbackUrl(requestUrl, baseURL): rebuilds the URL from baseURL's origin (protocol+host+port) plus the request's pathname+search, returning a URL to match completeInteractiveLogin's signature. toSafeRedirect open-redirect protection is unchanged. Adds util + callback tests covering proxy scenarios. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #13 — login fails behind a reverse proxy / AWS ALB that terminates TLS.
The callback handler built the completion URL from
c.req.url(absolute).new URL(absolute, base)ignores the base, so the proxy's wrong protocol (http) and host leaked into the computedredirect_uri, which then mismatched the one sent at login start and broke the token exchange.Adds
createCallbackUrl(requestUrl, baseURL): rebuilds the URL frombaseURL's origin (protocol + host + port) plus the request's pathname + search, returning aURLto matchcompleteInteractiveLogin(url: URL).toSafeRedirectopen-redirect protection is unchanged.Test plan
npm test— 349 passed (added util + callback proxy-scenario tests)npm run buildnpm run lint🤖 Generated with Claude Code