blob: d7cac419a57219e2e37448511440ef984100dd40 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
|
package kate
import (
"net/http"
"net/url"
"strings"
)
// Redirects configures redirect behavior for authentication handlers.
type Redirects struct {
// Default is the default URL to redirect to after successful authentication
Default string
// AllowedPrefixes is a list of allowed redirect URL prefixes for security.
//
// If empty, any redirect target is allowed (not recommended for production)
AllowedPrefixes []string
// FieldName is the form/query field name for the redirect target
//
// If empty, Default will always be used as the target
FieldName string
}
func (r Redirects) isValid(target string) bool {
targetURL, err := url.Parse(target)
if err != nil {
return false
}
if targetURL.IsAbs() && targetURL.Host != "" {
return false
}
if len(r.AllowedPrefixes) == 0 {
return true
}
for _, prefix := range r.AllowedPrefixes {
if strings.HasPrefix(target, prefix) {
return true
}
}
return false
}
func (r Redirects) target(req *http.Request) string {
d := r.Default
if d == "" {
d = "/"
}
if r.FieldName == "" {
return d
}
if err := req.ParseForm(); err != nil {
return d
}
target := req.Form.Get(r.FieldName)
if target != "" && r.isValid(target) {
return target
}
return d
}
|
