From cbf0e3117de95b3f1913e282753938bf23cf98e8 Mon Sep 17 00:00:00 2001
From: Elias Schneider <login@eliasschneider.com>
Date: Tue, 7 Oct 2025 08:18:53 +0200
Subject: [PATCH] fix: mark any callback url as valid if they contain a
 wildcard (#1006)

---
 backend/internal/dto/validations.go | 8 +++-----
 frontend/src/lib/utils/zod-util.ts  | 6 ++++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/backend/internal/dto/validations.go b/backend/internal/dto/validations.go
index 429a9dcf..8aca787a 100644
--- a/backend/internal/dto/validations.go
+++ b/backend/internal/dto/validations.go
@@ -67,14 +67,12 @@ func ValidateClientID(clientID string) bool {
 
 // ValidateCallbackURL validates callback URLs with support for wildcards
 func ValidateCallbackURL(raw string) bool {
-	if raw == "*" {
+	// Don't validate if it contains a wildcard
+	if strings.Contains(raw, "*") {
 		return true
 	}
 
-	// Replace all '*' with 'x' to check if the rest is still a valid URI
-	test := strings.ReplaceAll(raw, "*", "x")
-
-	u, err := url.Parse(test)
+	u, err := url.Parse(raw)
 	if err != nil {
 		return false
 	}
diff --git a/frontend/src/lib/utils/zod-util.ts b/frontend/src/lib/utils/zod-util.ts
index a0813bb2..7bccb5ef 100644
--- a/frontend/src/lib/utils/zod-util.ts
+++ b/frontend/src/lib/utils/zod-util.ts
@@ -14,9 +14,11 @@ export const callbackUrlSchema = z
 	.nonempty()
 	.refine(
 		(val) => {
-			if (val === '*') return true;
+			if (val.includes('*')) {
+				return true;
+			}
 			try {
-				new URL(val.replace(/\*/g, 'x'));
+				new URL(val);
 				return true;
 			} catch {
 				return false;