@eloo075 eloo075 commented Dec 21, 2025

Security Report + Fix: OAuth popup message hardening + Open Redirect prevention

1) OAuth authorization code leakage / message spoofing risk

The /redirect route posted the OAuth authorization code to window.opener using postMessage with targetOrigin='*'.

Additionally, the opener-side listener in oauth2-utils.ts did not strictly bind the message to:

  • the expected popup window (event.source)
  • an expected state value (CSRF protection)
  • a robust origin check (it previously used startsWith against the redirect URL string)

This can allow interception/spoofing of OAuth authorization codes in popup-based OAuth flows.

Fix in this PR:

  • Restrict postMessage targetOrigin to window.location.origin
  • Send a structured message including type: 'oauth2:code' and state
  • Validate event.origin using URL parsing
  • Validate event.source === popupWindow
  • Validate state when present

2) Open redirect after third-party login

third-party-logins.tsx used the redirect query param directly (window.location.href = redirect), enabling open redirects.

Fix in this PR:

  • Allow only relative redirects starting with /
  • Or absolute redirects where url.origin === window.location.origin
  • Otherwise ignore and fall back to the safe default route

Affected files

  • workflow/packages/frontend/src/app/routes/redirect.tsx
  • workflow/packages/frontend/src/lib/oauth2-utils.ts
  • workflow/packages/frontend/src/features/authentication/components/third-party-logins.tsx

Notes

Issues are disabled on this repository, so this PR description serves as the public vulnerability report and patch submission.
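The two checks described in this report, as an added example in TypeScript that is not code from this PR or from the project (the real helpers in oauth2-utils.ts, redirect.tsx and third-party-logins.tsx are not reproduced here). Function names, the `app.example` origin and the sample events are assumptions; the message shape (`type: 'oauth2:code'` plus `state`) follows the PR description. Two deliberate choices go beyond the text: `state` is required rather than checked only when present, and the redirect sanitiser resolves the parameter against the current origin, which covers both of the PR's allowed forms and additionally rejects `//host` and `/\host`, which start with `/` but resolve to a foreign host.

```typescript
// Added example (not the PR's or the project's code): popup OAuth message
// validation and same-origin redirect sanitising. Names are assumptions.

type OAuthCodeMessage = { type: 'oauth2:code'; code: string; state: string };

/** Minimal shape of a MessageEvent; a real listener receives the DOM type. */
interface MessageEventLike {
  origin: string;
  source: unknown;
  data: unknown;
}

/** Minimal shape of window.opener; only postMessage is needed here. */
interface OpenerLike {
  postMessage(data: unknown, targetOrigin: string): void;
}

/** Popup side (/redirect): pin targetOrigin to our own origin, never '*'. */
function postCodeToOpener(opener: OpenerLike, code: string, state: string, ownOrigin: string): OAuthCodeMessage {
  const msg: OAuthCodeMessage = { type: 'oauth2:code', code, state };
  opener.postMessage(msg, ownOrigin);
  return msg;
}

/** Prefix comparison of the kind the report describes (constructed illustration, not the original code). */
function weakOriginCheck(eventOrigin: string, expected: string): boolean {
  return eventOrigin.startsWith(expected); // 'https://app.example.evil' passes for 'https://app.example'
}

/** Strict comparison: both sides parsed as URLs, origins compared exactly. */
function strictOriginCheck(eventOrigin: string, expected: string): boolean {
  try {
    return new URL(eventOrigin).origin === new URL(expected).origin;
  } catch {
    return false; // unparsable origin (e.g. the string "null" from an opaque origin) is never trusted
  }
}

/**
 * Opener side: return the code only when origin, source and state all match.
 * `state` must have been generated with a CSPRNG (crypto.getRandomValues in the
 * browser) and stored before the popup was opened; a message without it cannot
 * be tied to the flow this page started, so it is rejected.
 */
function extractOAuthCode(event: MessageEventLike, popupWindow: unknown, expectedOrigin: string, expectedState: string): string | null {
  if (!strictOriginCheck(event.origin, expectedOrigin)) return null;
  if (popupWindow === null || event.source !== popupWindow) return null; // window.open can return null
  const d = event.data;
  if (typeof d !== 'object' || d === null) return null;
  const m = d as Record<string, unknown>;
  if (m.type !== 'oauth2:code') return null;
  if (typeof m.code !== 'string' || typeof m.state !== 'string') return null;
  if (m.state !== expectedState) return null;
  return m.code;
}

/**
 * Redirect sanitiser: resolve the parameter against our own origin and keep
 * only same-origin targets, returned as path + query + fragment. Relative
 * paths and absolute same-origin URLs pass; "//evil.example", "/\evil.example",
 * foreign absolute URLs and "javascript:" URLs all fall back to the default.
 */
function safeRedirectTarget(redirect: string | null | undefined, currentOrigin: string, fallback = '/'): string {
  if (!redirect) return fallback;
  let url: URL;
  try {
    url = new URL(redirect, currentOrigin);
  } catch {
    return fallback;
  }
  if (url.origin !== currentOrigin) return fallback;
  return url.pathname + url.search + url.hash;
}
```

In the listener, `extractOAuthCode` replaces the old prefix comparison: the opener keeps the `Window` handle returned by `window.open` and the `state` it generated, and drops any event for which the function returns `null`. The sanitiser's return value is what gets assigned to `window.location.href`, so even a same-origin absolute URL is reduced to its path.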

eloo075 commented Dec 21, 2025

Evidence screenshots (diff + fix confirmation):

  1. /redirect postMessage hardening (no wildcard origin, include type/state)
  2. oauth2-utils message validation (origin/source/state checks)
  3. Open redirect prevention (sanitize redirect param)

See attached images.

[Six screenshots attached: Screenshot 2025-12-21 123715, 124001, 124109, 124122, 124154, 124204; not reproduced here]
