mirror of https://github.com/mauriceboe/TREK.git
synced 2026-06-19 13:21:46 +00:00
0ee53e7b38
The OIDC login route silently fell back to building the redirect URI from X-Forwarded-Host/X-Forwarded-Proto when APP_URL was not configured. An attacker could set X-Forwarded-Host: attacker.example.com to redirect the authorization code to their own server after the user authenticates. Remove the header-derived fallback entirely. If APP_URL is not set (via env or the app_url DB setting), the OIDC login endpoint now returns a 500 error rather than trusting attacker-controlled request headers. Document APP_URL in .env.example as required for OIDC use.
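The behaviour the commit message describes, shown as a minimal before/after in Python. This is an added example written for this page, not TREK's own code: the function names, the callback path /auth/oidc/callback, and the use of plain dicts to stand in for the environment, the app_url DB setting and the request headers are all assumptions made for the illustration. The vulnerable builder shows why a header-derived fallback hands control of the redirect target to whoever sets X-Forwarded-Host; the hardened builder derives the redirect URI from APP_URL only and turns a missing APP_URL into a hard error that the route maps to a 500.

```python
"""Added example (not TREK's code): an OIDC redirect URI must come from
configuration (APP_URL), never from X-Forwarded-* request headers.
All names below are assumptions made for this illustration."""

# Callback path is an assumption; the real project's path may differ.
CALLBACK_PATH = "/auth/oidc/callback"


class MissingAppUrl(Exception):
    """Raised when APP_URL is configured neither in the environment nor in the
    app_url DB setting. The login route turns this into a 500 response instead
    of guessing the host from request headers."""


def resolve_app_url(env, db_settings):
    """Look up APP_URL from the environment first, then the app_url DB setting.
    `env` and `db_settings` are plain dicts so the example runs offline."""
    value = env.get("APP_URL") or db_settings.get("app_url")
    return value.rstrip("/") if value else None


def vulnerable_redirect_uri(headers, app_url):
    """The pattern the commit removes: when APP_URL is unset, fall back to
    X-Forwarded-Proto / X-Forwarded-Host. A client that can reach the app with
    crafted headers then chooses where the authorization code is sent."""
    if app_url:
        return f"{app_url}{CALLBACK_PATH}"
    proto = headers.get("X-Forwarded-Proto", "http")
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "localhost")
    return f"{proto}://{host}{CALLBACK_PATH}"


def hardened_redirect_uri(headers, app_url):
    """The fixed behaviour: the redirect URI is derived only from APP_URL.
    Request headers are never consulted; missing configuration is an error."""
    if not app_url:
        raise MissingAppUrl(
            "APP_URL must be set (env or app_url DB setting) for OIDC login")
    return f"{app_url}{CALLBACK_PATH}"


def oidc_login_status(headers, env, db_settings):
    """Simulate the hardened route: returns (http_status, redirect_uri).
    302 with the configured redirect URI on success, (500, None) otherwise."""
    try:
        uri = hardened_redirect_uri(headers, resolve_app_url(env, db_settings))
    except MissingAppUrl:
        return 500, None
    return 302, uri


# Constructed request, as the app would see it behind a proxy that forwards
# client-supplied X-Forwarded-* headers unchanged (the condition described
# in the commit message). Values are made up for this example.
HOSTILE_HEADERS = {
    "Host": "trek.internal",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "attacker.example.com",
}


if __name__ == "__main__":
    # Before the fix: with APP_URL unset, the redirect target is header-controlled.
    print("vulnerable:", vulnerable_redirect_uri(HOSTILE_HEADERS, None))
    # After the fix: same headers, APP_URL unset -> 500, no redirect issued.
    print("hardened, no APP_URL:", oidc_login_status(HOSTILE_HEADERS, {}, {}))
    # After the fix: APP_URL set -> headers are irrelevant.
    print("hardened, APP_URL set:",
          oidc_login_status(HOSTILE_HEADERS, {"APP_URL": "https://trek.example.org/"}, {}))
```

The test of the fix is the second and third calls: identical hostile headers produce a 500 when APP_URL is missing and the configured host when it is present, so the headers never influence the redirect URI. The trailing-slash strip in resolve_app_url avoids producing a double slash when an operator sets APP_URL with a trailing slash, which some providers would reject as a redirect_uri mismatch.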