fix: localhost callback URLs with port don't match correctly

2026-02-04 15:04:43 +00:00 · 2026-01-03 15:07:56 +01:00
parent ba00f40bd4
commit 7c34501055
2 changed files with 22 additions and 8 deletions
--- a/backend/internal/utils/callback_url_util.go
+++ b/backend/internal/utils/callback_url_util.go
@@ -17,31 +17,38 @@ func GetCallbackURLFromList(urls []string, inputCallbackURL string) (callbackURL
 	//   time of the request for loopback IP redirect URIs, to accommodate
 	//   clients that obtain an available ephemeral port from the operating
 	//   system at the time of the request.
-	loopbackRedirect := ""
+	loopbackCallbackURLWithoutPort := ""
 	u, _ := url.Parse(inputCallbackURL)

 	if u != nil && u.Scheme == "http" {
 		host := u.Hostname()
 		ip := net.ParseIP(host)
 		if host == "localhost" || (ip != nil && ip.IsLoopback()) {
-			loopbackRedirect = u.String()
 			u.Host = host
-			inputCallbackURL = u.String()
+			loopbackCallbackURLWithoutPort = u.String()
 		}
 	}

 	for _, pattern := range urls {
+		// Try the original callback first
 		matches, err := matchCallbackURL(pattern, inputCallbackURL)
 		if err != nil {
 			return "", err
-		} else if !matches {
-			continue
+		}
+		if matches {
+			return inputCallbackURL, nil
 		}

-		if loopbackRedirect != "" {
-			return loopbackRedirect, nil
+		// If we have a loopback variant, try that too
+		if loopbackCallbackURLWithoutPort != "" {
+			matches, err = matchCallbackURL(pattern, loopbackCallbackURLWithoutPort)
+			if err != nil {
+				return "", err
+			}
+			if matches {
+				return inputCallbackURL, nil
+			}
 		}
-		return inputCallbackURL, nil
 	}

 	return "", nil
--- a/backend/internal/utils/callback_url_util_test.go
+++ b/backend/internal/utils/callback_url_util_test.go
@@ -392,6 +392,13 @@ func TestGetCallbackURLFromList_LoopbackSpecialHandling(t *testing.T) {
 			expectedURL:      "http://127.0.0.1:8080/callback",
 			expectMatch:      true,
 		},
+		{
+			name:             "127.0.0.1 with same port - exact match",
+			urls:             []string{"http://127.0.0.1:8080/callback"},
+			inputCallbackURL: "http://127.0.0.1:8080/callback",
+			expectedURL:      "http://127.0.0.1:8080/callback",
+			expectMatch:      true,
+		},
 		{
 			name:             "127.0.0.1 with different port",
 			urls:             []string{"http://127.0.0.1/callback"},