Merge commit from fork

* fix(ui): Open Redirect through redirectTo parameter

Signed-off-by: Rafal Pelczar <rafal@akuity.io>

* fix oidc login redirection

Signed-off-by: Rafal Pelczar <rafal@akuity.io>

---------

Signed-off-by: Rafal Pelczar <rafal@akuity.io>
Co-authored-by: Rafal Pelczar <rafal@akuity.io>

Author: krancour

ui/src/config/auth.ts

@@ -2,3 +2,13 @@ export const authTokenKey = 'auth_token';
 export const refreshTokenKey = 'refresh_token';
 
 export const redirectToQueryParam = 'redirectTo';
+
+// Validate that a redirect path is a safe, same-origin relative path.
+export const isSafeRedirectPath = (path: string | null): path is string => {
+  if (!path || !path.startsWith('/')) return false;
+  try {
+    return new URL(path, window.location.origin).origin === window.location.origin;
+  } catch {
+    return false;
+  }
+};

ui/src/features/auth/oidc-login.tsx

@@ -16,6 +16,7 @@ import {
 import React from 'react';
 import { useLocation } from 'react-router-dom';
 
+import { isSafeRedirectPath } from '@ui/config/auth';
 import { OIDCConfig } from '@ui/gen/api/service/v1alpha1/service_pb';
 
 import { useAuthContext } from './context/use-auth-context';
@@ -151,7 +152,7 @@ export const OIDCLogin = ({ oidcConfig }: Props) => {
         if (platformRedirect) {
           const redirectTo = new URLSearchParams(platformRedirect).get('redirectTo');
 
-          if (redirectTo) {
+          if (isSafeRedirectPath(redirectTo)) {
             window.location.replace(window.location.origin + redirectTo);
           }
         }

ui/src/features/auth/token-renew.tsx

@@ -11,7 +11,7 @@ import {
 import React from 'react';
 import { useNavigate, useSearchParams } from 'react-router-dom';
 
-import { redirectToQueryParam, refreshTokenKey } from '@ui/config/auth';
+import { isSafeRedirectPath, redirectToQueryParam, refreshTokenKey } from '@ui/config/auth';
 import { paths } from '@ui/config/paths';
 import { getPublicConfig } from '@ui/gen/api/service/v1alpha1/service-KargoService_connectquery';
 
@@ -72,6 +72,7 @@ export const TokenRenew = () => {
 
     (async () => {
       const redirectQuery = searchParams.get(redirectToQueryParam);
+      const safeRedirectQuery = isSafeRedirectPath(redirectQuery) ? redirectQuery : null;
       try {
         const response = await refreshTokenGrantRequest(as, client, oidcClientAuth, refreshToken, {
           [allowInsecureRequests]: shouldAllowHttpRequest(),
@@ -93,7 +94,7 @@ export const TokenRenew = () => {
         }
 
         onLogin(result.id_token, result.refresh_token);
-        navigate(redirectQuery || paths.home);
+        navigate(safeRedirectQuery || paths.home);
       } catch (err) {
         logout();
         navigate(

ui/src/pages/login/login.tsx

@@ -2,7 +2,7 @@ import { useQuery } from '@connectrpc/connect-query';
 import { Divider, Typography } from 'antd';
 import { Navigate, generatePath, useSearchParams } from 'react-router-dom';
 
-import { redirectToQueryParam } from '@ui/config/auth';
+import { isSafeRedirectPath, redirectToQueryParam } from '@ui/config/auth';
 import { paths } from '@ui/config/paths';
 import { AdminLogin } from '@ui/features/auth/admin-login';
 import { useAuthContext } from '@ui/features/auth/context/use-auth-context';
@@ -18,13 +18,14 @@ export const Login = () => {
   const [params] = useSearchParams();
   const { isLoggedIn } = useAuthContext();
   const redirectTo = params.get(redirectToQueryParam);
+  const safeRedirectTo = isSafeRedirectPath(redirectTo) ? redirectTo : null;
 
   if (data?.skipAuth) {
     return <Navigate to={paths.home} replace />;
   }
 
   if (isLoggedIn) {
-    return <Navigate to={redirectTo ? generatePath(redirectTo) : paths.home} replace />;
+    return <Navigate to={safeRedirectTo ? generatePath(safeRedirectTo) : paths.home} replace />;
   }
 
   return (