fix: add validation for callback URLs (#929)

frontend/src/lib/utils/zod-util.ts

@@ -1,3 +1,4 @@
+import { m } from '$lib/paraglide/messages';
 import z from 'zod/v4';
 
 export const emptyToUndefined = <T>(validation: z.ZodType<T>) =>
@@ -7,3 +8,21 @@ export const optionalUrl = z
 	.url()
 	.optional()
 	.or(z.literal('').transform(() => undefined));
+
+export const callbackUrlSchema = z
+	.string()
+	.nonempty()
+	.refine(
+		(val) => {
+			if (val === '*') return true;
+			try {
+				new URL(val.replace(/\*/g, 'x'));
+				return true;
+			} catch {
+				return false;
+			}
+		},
+		{
+			message: m.invalid_redirect_url()
+		}
+	);