feat: redirect validation #1669

Merged
emlimlf merged 10 commits into main from feat/redirect-validation
Feb 19, 2026
emlimlf (Collaborator) commented Feb 11, 2026

In this PR

  • Added redirect URL validation on the authentication endpoints
  • Added error logging for these endpoints

Ticket

IN-973

emlimlf and others added 5 commits February 10, 2026 18:41
Signed-off-by: Efren Lim <elim@linuxfoundation.org>
Copilot AI review requested due to automatic review settings February 11, 2026 07:34
Copilot AI (Contributor) left a comment

Pull request overview

Adds redirect URL validation to authentication endpoints to mitigate open-redirect risks, and introduces persistent security audit logging for invalid redirect attempts.

Changes:

  • Introduces redirect validation/sanitization helpers (isValidRedirectUrl, getSafeRedirectUrl) with an allow-list for absolute redirects.
  • Adds a security_audit_logs table and a repository for writing security events.
  • Updates auth endpoints (login/callback/logout) and DB middleware to validate/log redirect attempts and ensure DB access is available on those routes.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 8 comments.

| File | Description |
| --- | --- |
| frontend/server/utils/redirect.ts | New redirect validation + sanitization helpers and allow-list logic. |
| frontend/server/repo/securityAudit.repo.ts | New repository for writing security audit events to Postgres. |
| frontend/server/middleware/database.ts | Expands DB-pool attachment to auth routes (not just chat). |
| frontend/server/api/auth/logout.post.ts | Adds optional returnTo handling with validation + audit logging. |
| frontend/server/api/auth/login.get.ts | Validates redirectTo and logs invalid attempts before setting cookie. |
| frontend/server/api/auth/callback.ts | Defense-in-depth validation of redirect cookie + logs possible tampering. |
| database/migrations/V1770789662__createSecurityAuditLogsTable.sql | Adds security_audit_logs table + indexes + event-type check constraint. |
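
A sketch of the allow-list redirect validation summarised in the review above, as an added example that is not the code from this pull request. The names isValidRedirectUrl and getSafeRedirectUrl come from the summary; their bodies, the redirectRejectionReason helper, the allow-list host and the fallback path are assumptions.

```typescript
// Added example: helper names are from the review summary; bodies and values are assumed.
const ALLOWED_REDIRECT_HOSTS = new Set<string>(["app.example.test"]); // constructed allow-list
const DEFAULT_REDIRECT = "/"; // assumed fallback path
const SENTINEL_ORIGIN = "https://sentinel.invalid"; // base used only to resolve relative paths

// Hypothetical helper: returns why a target is rejected (usable as an audit-log
// reason), or null when the target is safe to redirect to.
function redirectRejectionReason(target: unknown): string | null {
  if (typeof target !== "string" || target.length === 0) return "not-a-string";
  if (target.length > 2048) return "too-long";
  // URL parsers strip tabs/newlines and treat "\" as "/", so reject them up front.
  if (/[\\\u0000-\u001f\u007f]/.test(target)) return "control-or-backslash";
  if (target.startsWith("/")) {
    // "//host/path" is protocol-relative and leaves the site.
    if (target.startsWith("//")) return "protocol-relative";
    try {
      const resolved = new URL(target, SENTINEL_ORIGIN);
      return resolved.origin === SENTINEL_ORIGIN ? null : "leaves-origin";
    } catch {
      return "unparseable";
    }
  }
  let parsed: URL;
  try {
    parsed = new URL(target);
  } catch {
    return "unparseable"; // also covers bare relative paths such as "dashboard"
  }
  if (parsed.protocol !== "https:") return "scheme-not-https";
  if (parsed.username !== "" || parsed.password !== "") return "embedded-credentials";
  // Compare the parsed host exactly (port included), never a substring of the raw input.
  return ALLOWED_REDIRECT_HOSTS.has(parsed.host) ? null : "host-not-allowed";
}

function isValidRedirectUrl(target: unknown): target is string {
  return redirectRejectionReason(target) === null;
}

// Returns the target unchanged when it is valid, otherwise the fallback.
function getSafeRedirectUrl(target: unknown, fallback: string = DEFAULT_REDIRECT): string {
  return isValidRedirectUrl(target) ? target : fallback;
}
```
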

Signed-off-by: Efren Lim <elim@linuxfoundation.org>
emlimlf and others added 2 commits February 18, 2026 14:31
emlimlf requested a review from gaspergrom February 18, 2026 06:36
emlimlf merged commit b540530 into main Feb 19, 2026
9 checks passed
emlimlf deleted the feat/redirect-validation branch February 19, 2026 08:29