Avoid passing redirect_base parameters to URL

[celdrake]

These seem false positives from snyk, but it's best to get them solved.

Summary by CodeRabbit

• Refactor
  • Enhanced OAuth redirect URI validation and handling to improve robustness in authentication flows.

[coderabbitai]

Warning

Rate limit exceeded

@celdrake has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 27 minutes and 54 seconds before requesting another review.

To continue reviewing without waiting, purchase usage credits in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 567cf15c-ebd4-4a10-956e-09ebf0a3032c

📥 Commits

Reviewing files that changed from the base of the PR and between dd7bb62 and 4b92d0f.

📒 Files selected for processing (1)

• proxy/auth/redirect.go

Walkthrough

Refactored OAuth redirect URI construction in proxy/auth/redirect.go by replacing oauthCallbackFromOrigin with oauthCallbackURL, which normalizes scheme and host strings upfront. Added new validation helpers isSameSchemeAndHost and splitCanonicalOriginURL to improve origin parsing and matching logic. Removed the previous redirectBaseMatchesRequest helper.

Changes

Cohort / File(s)

Summary

OAuth Redirect URI Refactoring proxy/auth/redirect.go

Replaced oauthCallbackFromOrigin(origin *url.URL) with oauthCallbackURL(scheme, host) for normalized URI construction. Added isSameSchemeAndHost() for validating and comparing redirect base origins, and splitCanonicalOriginURL() to parse normalized origin strings. Removed redirectBaseMatchesRequest() helper. Updated ResolveOAuthRedirectURI() to use new functions for both legacy and custom redirect base handling.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'Avoid passing redirect_base parameters to URL' is vague and does not clearly summarize the actual changes made to the codebase. The PR refactors redirect URI handling by replacing function signatures and improving validation logic, but the title suggests a simpler parameter-passing concern that doesn't capture the main work.	Consider a more descriptive title like 'Refactor OAuth redirect URI handling to normalize and validate scheme/host parameters' to better reflect the structural changes and improvements made in the code.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[celdrake]

@ori-amizur Could you please re-approve? For some reason the rebase affected the approval.

[coderabbitai]

🧹 Nitpick comments (1)

proxy/auth/redirect.go (1)

38-39: Consider using url.PathEscape directly.

Creating a url.URL object solely to call EscapedPath() works correctly but is slightly indirect. You could simplify to:

-	pathURL := &url.URL{Path: callbackPath}
-	return scheme + "://" + host + pathURL.EscapedPath(), nil
+	return scheme + "://" + host + url.PathEscape(callbackPath), nil

However, the current approach is more explicit about intent and equally correct.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@proxy/auth/redirect.go` around lines 38 - 39, Replace the indirect creation
of a url.URL just to call EscapedPath(): instead of constructing pathURL :=
&url.URL{Path: callbackPath} and returning pathURL.EscapedPath(), call
url.PathEscape(callbackPath) directly where the return builds the redirect (the
same expression that currently returns scheme + "://" + host +
pathURL.EscapedPath()); update that return to use url.PathEscape(callbackPath)
and remove the unnecessary pathURL variable.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@proxy/auth/redirect.go`:
- Around line 38-39: Replace the indirect creation of a url.URL just to call
EscapedPath(): instead of constructing pathURL := &url.URL{Path: callbackPath}
and returning pathURL.EscapedPath(), call url.PathEscape(callbackPath) directly
where the return builds the redirect (the same expression that currently returns
scheme + "://" + host + pathURL.EscapedPath()); update that return to use
url.PathEscape(callbackPath) and remove the unnecessary pathURL variable.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 34cf2990-e8c8-4be2-8802-23a8f7ebc299

📥 Commits

Reviewing files that changed from the base of the PR and between fc240a7 and dd7bb62.

📒 Files selected for processing (1)

• proxy/auth/redirect.go