authorT <t@tjp.lol>2025-06-26 11:42:17 -0600
committerT <t@tjp.lol>2025-07-01 17:50:49 -0600
commit639ad6a02cbb4b713434671ec09f309aa5410921 (patch)
tree7dde9cce8136636d11f2f7c961072984cfc705e7 /login_helpers.go
Create authentic_kate: user authentication for go HTTP applications
Diffstat (limited to 'login_helpers.go')
-rw-r--r--login_helpers.go64
1 files changed, 64 insertions, 0 deletions
diff --git a/login_helpers.go b/login_helpers.go
new file mode 100644
index 0000000..d7cac41
--- /dev/null
+++ b/login_helpers.go
@@ -0,0 +1,64 @@
+package kate
+
+import (
+ "net/http"
+ "net/url"
+ "strings"
+)
+
+// Redirects configures redirect behavior for authentication handlers.
+type Redirects struct {
+ // Default is the default URL to redirect to after successful authentication
+ Default string
+
+ // AllowedPrefixes is a list of allowed redirect URL prefixes for security.
+ //
+ // If empty, any redirect target is allowed (not recommended for production)
+ AllowedPrefixes []string
+
+ // FieldName is the form/query field name for the redirect target
+ //
+ // If empty, Default will always be used as the target
+ FieldName string
+}
+
+func (r Redirects) isValid(target string) bool {
+ targetURL, err := url.Parse(target)
+ if err != nil {
+ return false
+ }
+ if targetURL.IsAbs() && targetURL.Host != "" {
+ return false
+ }
+
+ if len(r.AllowedPrefixes) == 0 {
+ return true
+ }
+
+ for _, prefix := range r.AllowedPrefixes {
+ if strings.HasPrefix(target, prefix) {
+ return true
+ }
+ }
+ return false
+}
+
+func (r Redirects) target(req *http.Request) string {
+ d := r.Default
+ if d == "" {
+ d = "/"
+ }
+
+ if r.FieldName == "" {
+ return d
+ }
+ if err := req.ParseForm(); err != nil {
+ return d
+ }
+
+ target := req.Form.Get(r.FieldName)
+ if target != "" && r.isValid(target) {
+ return target
+ }
+ return d
+}
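Review bot: isValid still accepts protocol-relative targets such as `//host/path`, because the guard on the `targetURL.IsAbs() && targetURL.Host != ""` line rejects only URLs that carry both a scheme and a host; url.Parse gives such input an empty scheme and a non-empty Host, so with an empty AllowedPrefixes (or a prefix of `/`) the login flow becomes an open redirect. Scheme-only targets such as `mailto:` or `javascript:` pass the same guard, since they have a scheme but no host. Changing the condition to `if targetURL.IsAbs() || targetURL.Host != "" {` closes both gaps; a stricter variant additionally requires a same-origin path up front, `if !strings.HasPrefix(target, "/") || strings.HasPrefix(target, "/\\") { return false }`, because some browsers treat a backslash after the leading slash like a second slash. The Redirects doc comment could then state that only site-relative paths are ever accepted, and a table test for isValid covering `//host`, `/\host` and `mailto:` would pin that down.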