Skip to content

web: relax OAuth consent page redirect URI validation#13926

Merged
rickyrombo merged 3 commits intomainfrom
mjp-oauth-consent-web
Mar 15, 2026
Merged

web: relax OAuth consent page redirect URI validation#13926
rickyrombo merged 3 commits intomainfrom
mjp-oauth-consent-web

Conversation

@rickyrombo
Copy link
Contributor

@rickyrombo rickyrombo commented Mar 14, 2026
edited
Loading

Summary

  • Relaxes getIsRedirectValid to only block dangerous schemes (javascript:, data:, vbscript:). All other validation is enforced server-side against the registered redirect URI list.
  • This removes redundant client-side checks (IP allowlisting, path traversal, http/https-only) that were blocking custom URI scheme redirects (e.g. myapp://oauth/callback) required for native app OAuth flows.
  • Minor CSS layout fix in OAuthLoginPage.module.css to vertically center the consent card.

Test plan

  • OAuth consent page renders correctly in web
  • Custom scheme redirect URIs (e.g. myapp://) are no longer blocked by the consent page
  • javascript:, data:, vbscript: URIs are still rejected
  • Normal https:// redirect URIs still work

🤖 Generated with Claude Code

@rickyrombo @claude
web: relax OAuth consent page redirect URI validation
3610f2b 
Only block dangerous schemes (javascript:, data:, vbscript:) on the
client. All other validation (allowed domains, path, etc.) is enforced
server-side via the registered redirect URI list, making the redundant
client-side checks an obstacle for custom URI scheme redirects required
by native apps (e.g. myapp://oauth/callback).

Minor CSS layout fix in OAuthLoginPage.module.css.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@changeset-bot
Copy link

changeset-bot bot commented Mar 14, 2026
edited
Loading

⚠️ No Changeset found

Latest commit: 792ce74

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@rickyrombo rickyrombo requested a review from Copilot March 14, 2026 21:32
@rickyrombo @claude
Add tests for getIsRedirectValid
6ae4c22 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@pull-request-size pull-request-size bot added size/L and removed size/M labels Mar 14, 2026
Copilot AI reviewed Mar 14, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the web OAuth consent flow to allow additional redirect URI schemes (to support native app OAuth callbacks) while keeping basic client-side protection against script-executing URI schemes, and adjusts consent page layout styling.

Changes:

  • Relax getIsRedirectValid to only reject javascript:, data:, and vbscript: redirect schemes.
  • Remove other client-side redirect URI constraints (http/https-only, IP checks, path traversal checks).
  • Adjust consent wrapper styling to vertically center content and use overflow: auto.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
packages/web/src/pages/oauth-login-page/utils.ts Relaxes redirect URI validation logic used by OAuth login/pay flows.
packages/web/src/pages/oauth-login-page/OAuthLoginPage.module.css Tweaks wrapper flex/overflow and adds auto block margins for vertical centering.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@rickyrombo
Potential fix for pull request finding
792ce74 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@github-actions
Copy link
Contributor

github-actions bot commented Mar 14, 2026
edited
Loading

🌐 Web preview ready

Preview URL: https://audius-web-preview-pr-13926.audius.workers.dev

Unique preview for this PR (deployed from this branch).
Workflow run

@rickyrombo
Copy link
Contributor Author

rickyrombo commented Mar 15, 2026

Stricter validation was moved to the server: AudiusProject/api#721

@rickyrombo rickyrombo merged commit fe8e114 into main Mar 15, 2026
14 checks passed
@rickyrombo rickyrombo deleted the mjp-oauth-consent-web branch March 15, 2026 05:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@raymondjacobson raymondjacobson Awaiting requested review from raymondjacobson

@dylanjeffers dylanjeffers Awaiting requested review from dylanjeffers

Assignees

No one assigned

Labels

size/L

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rickyrombo