fix: add validation for callback URLs (#929)

frontend/src/lib/utils/zod-util.ts

@@ -1,3 +1,4 @@
+import { m } from '$lib/paraglide/messages';
 import z from 'zod/v4';
 
 export const emptyToUndefined = <T>(validation: z.ZodType<T>) =>
@@ -7,3 +8,21 @@ export const optionalUrl = z
 	.url()
 	.optional()
 	.or(z.literal('').transform(() => undefined));
+
+export const callbackUrlSchema = z
+	.string()
+	.nonempty()
+	.refine(
+		(val) => {
+			if (val === '*') return true;
+			try {
+				new URL(val.replace(/\*/g, 'x'));
+				return true;
+			} catch {
+				return false;
+			}
+		},
+		{
+			message: m.invalid_redirect_url()
+		}
+	);

frontend/src/routes/settings/admin/oidc-clients/oidc-client-form.svelte

@@ -15,7 +15,7 @@
 	import { preventDefault } from '$lib/utils/event-util';
 	import { createForm } from '$lib/utils/form-util';
 	import { cn } from '$lib/utils/style';
-	import { emptyToUndefined, optionalUrl } from '$lib/utils/zod-util';
+	import { callbackUrlSchema, emptyToUndefined, optionalUrl } from '$lib/utils/zod-util';
 	import { LucideChevronDown } from '@lucide/svelte';
 	import { slide } from 'svelte/transition';
 	import { z } from 'zod/v4';
@@ -65,8 +65,8 @@
 				.optional()
 		),
 		name: z.string().min(2).max(50),
-		callbackURLs: z.array(z.string().nonempty()).default([]),
-		logoutCallbackURLs: z.array(z.string().nonempty()),
+		callbackURLs: z.array(callbackUrlSchema).default([]),
+		logoutCallbackURLs: z.array(callbackUrlSchema).default([]),
 		isPublic: z.boolean(),
 		pkceEnabled: z.boolean(),
 		requiresReauthentication: z.boolean(),