From 7c345010556f11a593948b2a1ae558b7a8003696 Mon Sep 17 00:00:00 2001
From: Elias Schneider
Date: Sat, 3 Jan 2026 15:07:56 +0100
Subject: [PATCH] fix: localhost callback URLs with port don't match correctly
---
 backend/internal/utils/callback_url_util.go | 23 ++++++++++++-------
 .../internal/utils/callback_url_util_test.go | 7 ++++++
 2 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/backend/internal/utils/callback_url_util.go b/backend/internal/utils/callback_url_util.go
index 5cd1347b..4ce7e98b 100644
--- a/backend/internal/utils/callback_url_util.go
+++ b/backend/internal/utils/callback_url_util.go
@@ -17,31 +17,38 @@ func GetCallbackURLFromList(urls []string, inputCallbackURL string) (callbackURL
 // time of the request for loopback IP redirect URIs, to accommodate
 // clients that obtain an available ephemeral port from the operating
 // system at the time of the request.
- loopbackRedirect := ""
+ loopbackCallbackURLWithoutPort := ""
 u, _ := url.Parse(inputCallbackURL)
 if u != nil && u.Scheme == "http" {
 host := u.Hostname()
 ip := net.ParseIP(host)
 if host == "localhost" || (ip != nil && ip.IsLoopback()) {
- loopbackRedirect = u.String()
 u.Host = host
- inputCallbackURL = u.String()
+ loopbackCallbackURLWithoutPort = u.String()
 }
 }
 for _, pattern := range urls {
+ // Try the original callback first
 matches, err := matchCallbackURL(pattern, inputCallbackURL)
 if err != nil {
 return "", err
- } else if !matches {
- continue
+ }
+ if matches {
+ return inputCallbackURL, nil
 }
- if loopbackRedirect != "" {
- return loopbackRedirect, nil
+ // If we have a loopback variant, try that too
+ if loopbackCallbackURLWithoutPort != "" {
+ matches, err = matchCallbackURL(pattern, loopbackCallbackURLWithoutPort)
+ if err != nil {
+ return "", err
+ }
+ if matches {
+ return inputCallbackURL, nil
+ }
 }
- return inputCallbackURL, nil
 }
 return "", nil
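Review bot: For an IPv6 loopback request such as `http://[::1]:8080/callback`, `u.Hostname()` returns the address without its brackets, so after `u.Host = host` the value stored by `loopbackCallbackURLWithoutPort = u.String()` is `http://::1/callback`, which is not a well-formed authority. Unless `matchCallbackURL` (not visible in this hunk) normalizes hosts itself, the portless variant will not line up with a registered `http://[::1]/callback` entry and the matcher is handed a malformed URL. Re-adding the brackets when `host` contains a colon, e.g. `u.Host = "[" + host + "]"`, keeps the variant valid. The `u.Host = host` line is carried over as context, and the function body starts above the hunk. A short comment on the second `matchCallbackURL` call noting that a registered loopback URL with an explicit port is only matched exactly, and only portless registrations accept any port, would also make the intended scope of the relaxation clear to reviewers.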
diff --git a/backend/internal/utils/callback_url_util_test.go b/backend/internal/utils/callback_url_util_test.go
index 52c8f518..9691bdb4 100644
--- a/backend/internal/utils/callback_url_util_test.go
+++ b/backend/internal/utils/callback_url_util_test.go
@@ -392,6 +392,13 @@ func TestGetCallbackURLFromList_LoopbackSpecialHandling(t *testing.T) {
 expectedURL: "http://127.0.0.1:8080/callback",
 expectMatch: true,
 },
+ {
+ name: "127.0.0.1 with same port - exact match",
+ urls: []string{"http://127.0.0.1:8080/callback"},
+ inputCallbackURL: "http://127.0.0.1:8080/callback",
+ expectedURL: "http://127.0.0.1:8080/callback",
+ expectMatch: true,
+ },
 {
 name: "127.0.0.1 with different port",
 urls: []string{"http://127.0.0.1/callback"},
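Review bot: The added case pins only the exact-match path; nothing in this hunk covers a registered loopback URL that carries a port being requested with a different one. A constructed example would be `urls: []string{"http://127.0.0.1:8080/callback"}` with `inputCallbackURL: "http://127.0.0.1:9090/callback"`. Because the matcher now tries both the original and the portless form against each pattern, a case stating the expected outcome for that input would fix in the tests whether a registered port is meant to pin the port. The table continues outside the hunk on both sides, so such a case may already exist there.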