Module: Supabase::Rails::Web::RedirectValidator

Defined in:
lib/supabase/rails/web/redirect_validator.rb

Overview

Validates a `redirect_to` target against an origin allowlist (FR-W11, US-015). Prevents open-redirect vulnerabilities introduced via attacker-controlled `?redirect_to=` query params on OAuth start and callback URLs.

A target is accepted when it is either:

* a path (no scheme/host), e.g. `/dashboard` or `/foo?a=1`, OR
* an absolute URL whose origin (`scheme://host[:port]`) matches an
  entry in `allowed_origins`.

Anything else raises `Supabase::Rails::AuthError(code: "INVALID_REDIRECT")`. Origin matching is case-insensitive on scheme + host; the port must match exactly (or be the scheme default on both sides).

Class Method Details

.validate(uri, allowed_origins:) ⇒ String

Returns the input target, unchanged, when valid.

Parameters:

  • uri (String, URI::Generic, nil)

    the candidate redirect target.

  • allowed_origins (Array<String>)

    list of allowed origins (`"myapp.com"` style), typically `config.supabase.allowed_redirect_origins`, falling back to `[request.host]` at the call site.

Returns:

  • (String)

    the input target, unchanged, when valid.

Raises:

  • (Supabase::Rails::AuthError)

    when the target is off-allowlist or malformed (`code: "INVALID_REDIRECT"`, `status: 400`).



# File 'lib/supabase/rails/web/redirect_validator.rb', line 34

def validate(uri, allowed_origins:)
  raise AuthError.invalid_redirect(uri) if uri.nil?

  raw = uri.to_s
  raise AuthError.invalid_redirect(raw) if raw.empty?

  parsed = parse(raw)
  raise AuthError.invalid_redirect(raw) if parsed.nil?

  return raw if path_only?(parsed)
  return raw if origin_allowed?(parsed, allowed_origins)

  raise AuthError.invalid_redirect(raw)
end
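The listing above calls `parse`, `path_only?` and `origin_allowed?`, which this page does not show. The following is an added, stand-alone sketch of the documented rules (path-only targets, case-insensitive scheme and host, port equal or scheme default); it is not the gem's code. `RedirectCheck`, `InvalidRedirect`, `origin_of` and `allowed?` are hypothetical names, and allowlist entries are assumed to be full origins such as `https://myapp.com`.

```ruby
require "uri"

# Stand-in for Supabase::Rails::AuthError (code "INVALID_REDIRECT"); hypothetical.
class InvalidRedirect < StandardError; end

# Hypothetical sketch of the documented rules, not the gem's implementation.
module RedirectCheck
  module_function

  # [scheme, host, port] with scheme and host lowercased, or nil when either
  # is missing. URI supplies the scheme default port (80/443) if none is written.
  def origin_of(uri)
    return nil if uri.scheme.nil? || uri.host.nil?
    [uri.scheme.downcase, uri.host.downcase, uri.port]
  end

  def validate(target, allowed_origins:)
    raw = target.to_s
    raise InvalidRedirect, raw if raw.empty?
    parsed = begin
      URI.parse(raw)
    rescue URI::InvalidURIError
      raise InvalidRedirect, raw
    end
    # Path-only means no scheme AND no host; "//host/x" carries a host.
    return raw if parsed.scheme.nil? && parsed.host.nil?
    # Assumption: allowlist entries are full origins such as "https://myapp.com".
    allowed = allowed_origins.filter_map { |o| origin_of(URI.parse(o)) }
    return raw if allowed.include?(origin_of(parsed))
    raise InvalidRedirect, raw
  end

  # Boolean wrapper so results are easy to tabulate.
  def allowed?(target, allowed_origins:)
    validate(target, allowed_origins: allowed_origins)
    true
  rescue InvalidRedirect
    false
  end
end

# Constructed sample targets, checked against a one-entry allowlist.
ALLOWED = ["https://myapp.com"].freeze
["/dashboard", "HTTPS://MyApp.com:443/cb", "//evil.example/x",
 "https://myapp.com.evil.example/", "https://myapp.com:8443/"].each do |t|
  puts format("%-34s %s", t, RedirectCheck.allowed?(t, allowed_origins: ALLOWED))
end
```

Comparing parsed origin components rather than string prefixes is what rejects look-alike hosts and scheme-relative targets while still accepting a case-variant or explicit-default-port form of an allowed origin.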