Skip to content

fix: callback redirect_uri behind reverse proxies (#13)#46

Open
tusharpandey13 wants to merge 1 commit into
auth0:mainfrom
tusharpandey13:fix/redirect-uri-proxy
Open

fix: callback redirect_uri behind reverse proxies (#13)#46
tusharpandey13 wants to merge 1 commit into
auth0:mainfrom
tusharpandey13:fix/redirect-uri-proxy

Conversation

@tusharpandey13

Copy link
Copy Markdown
Contributor

Summary

Fixes #13 — login fails behind a reverse proxy / AWS ALB that terminates TLS.

The callback handler built the completion URL from c.req.url (absolute). new URL(absolute, base) ignores the base, so the proxy's wrong protocol (http) and host leaked into the computed redirect_uri, which then mismatched the one sent at login start and broke the token exchange.

Adds createCallbackUrl(requestUrl, baseURL): rebuilds the URL from baseURL's origin (protocol + host + port) plus the request's pathname + search, returning a URL to match completeInteractiveLogin(url: URL). toSafeRedirect open-redirect protection is unchanged.

Test plan

  • npm test — 349 passed (added util + callback proxy-scenario tests)
  • npm run build
  • npm run lint

🤖 Generated with Claude Code

…ies (auth0#13)

The callback handler built the completion URL from c.req.url, which is
absolute. new URL(absolute, base) ignores base, so a reverse proxy / ALB
that terminates TLS leaks the wrong protocol (http) and host into the URL.
The computed redirect_uri then differs from the one sent at login start,
breaking the token exchange.

Add createCallbackUrl(requestUrl, baseURL): rebuilds the URL from baseURL's
origin (protocol+host+port) plus the request's pathname+search, returning a
URL to match completeInteractiveLogin's signature. toSafeRedirect open-redirect
protection is unchanged. Adds util + callback tests covering proxy scenarios.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Bug: Redirect URI mismatch when attempting to complete login flow

1 participant