Diffstat (limited to 'login_helpers.go')
-rw-r--r-- | login_helpers.go | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/login_helpers.go b/login_helpers.go
new file mode 100644
index 0000000..d7cac41
--- /dev/null
+++ b/login_helpers.go
@@ -0,0 +1,64 @@
+package kate
+
+import (
+ "net/http"
+ "net/url"
+ "strings"
+)
+
+// Redirects configures redirect behavior for authentication handlers.
+type Redirects struct {
+ // Default is the default URL to redirect to after successful authentication
+ Default string
+
+ // AllowedPrefixes is a list of allowed redirect URL prefixes for security.
+ //
+ // If empty, any redirect target is allowed (not recommended for production)
+ AllowedPrefixes []string
+
+ // FieldName is the form/query field name for the redirect target
+ //
+ // If empty, Default will always be used as the target
+ FieldName string
+}
+
+func (r Redirects) isValid(target string) bool {
+ targetURL, err := url.Parse(target)
+ if err != nil {
+ return false
+ }
+ if targetURL.IsAbs() && targetURL.Host != "" {
+ return false
+ }
+
+ if len(r.AllowedPrefixes) == 0 {
+ return true
+ }
+
+ for _, prefix := range r.AllowedPrefixes {
+ if strings.HasPrefix(target, prefix) {
+ return true
+ }
+ }
+ return false
+}
+
+func (r Redirects) target(req *http.Request) string {
+ d := r.Default
+ if d == "" {
+ d = "/"
+ }
+
+ if r.FieldName == "" {
+ return d
+ }
+ if err := req.ParseForm(); err != nil {
+ return d
+ }
+
+ target := req.Form.Get(r.FieldName)
+ if target != "" && r.isValid(target) {
+ return target
+ }
+ return d
+}
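Review bot: The guard in isValid, `if targetURL.IsAbs() && targetURL.Host != ""`, only rejects absolute URLs that carry a host, so a scheme-only target (IsAbs true, Host empty — e.g. a `javascript:` URL) and a scheme-relative `//host/path` target (IsAbs false, Host set) both pass, and the latter also satisfies a `/` entry in AllowedPrefixes, which leaves the handler open to off-site redirects. The two conditions should be rejected independently, and since browsers also treat `/\host` as scheme-relative while url.Parse reports no host for it, the accepted shape should be pinned to a single leading slash on the raw string. Suggested replacement for that check (the prefix loop below it stays as is):
```go
	targetURL, err := url.Parse(target)
	if err != nil {
		return false
	}
	// Reject anything that names a scheme, host or userinfo; only path-relative
	// targets are acceptable. "//host" and "/\host" are scheme-relative to browsers
	// even though url.Parse reports no host for the backslash form, so also check
	// the raw string for a single leading slash.
	if targetURL.Scheme != "" || targetURL.Host != "" || targetURL.User != nil {
		return false
	}
	if !strings.HasPrefix(target, "/") || strings.HasPrefix(target, "//") || strings.HasPrefix(target, "/\\") {
		return false
	}
	// … unchanged: AllowedPrefixes check and prefix loop …
```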