chore: add localhost exception

staaldraad · staaldraad · commit 396f007b9a44 · 2026-04-13T13:16:51.000+02:00
diff --git a/internal/utilities/request.go b/internal/utilities/request.go
@@ -101,10 +101,14 @@ func IsRedirectURLValid(config *conf.GlobalConfiguration, redirectURL string) bo
 
 	// As long as the referrer came from the site, we will redirect back there
 	if berr == nil && rerr == nil && base.Hostname() == refurl.Hostname() {
-		// ensure schema and port haven't changed
-		// most browsers should be checking insecure protocol switching but be double check
-		if base.Scheme == refurl.Scheme && base.Port() == refurl.Port() {
-			return true
+		// ensure scheme hasn't changed; most browsers also check this but double check here
+		if base.Scheme == refurl.Scheme {
+			// Per RFC 8252 Section 7.3, native apps using a localhost redirect URI
+			// MUST be allowed to use variable port numbers, so skip the port check
+			// for loopback addresses.
+			if base.Port() == refurl.Port() || isLocalhost(refurl.Hostname()) {
+				return true
+			}
 		}
 	}
 
diff --git a/internal/utilities/request_test.go b/internal/utilities/request_test.go
@@ -59,6 +59,37 @@ func TestIsRedirectURLValidSameOrigin(t *tst.T) {
 			redirectURL: "https://example.com:9001/path",
 			want:        false,
 		},
+		// RFC 8252 Section 7.3: variable ports must be allowed for localhost
+		{
+			desc:        "localhost with different port allowed (RFC 8252 Section 7.3)",
+			siteURL:     "http://localhost:3000",
+			redirectURL: "http://localhost:8080/callback",
+			want:        true,
+		},
+		{
+			desc:        "127.0.0.1 with different port allowed (RFC 8252 Section 7.3)",
+			siteURL:     "http://127.0.0.1:3000",
+			redirectURL: "http://127.0.0.1:8080/callback",
+			want:        true,
+		},
+		{
+			desc:        "localhost without port in redirect allowed (RFC 8252 Section 7.3)",
+			siteURL:     "http://localhost:3000",
+			redirectURL: "http://localhost/callback",
+			want:        true,
+		},
+		{
+			desc:        "localhost scheme downgrade still rejected despite RFC 8252",
+			siteURL:     "https://localhost:3000",
+			redirectURL: "http://localhost:8080/callback",
+			want:        false,
+		},
+		{
+			desc:        "non-localhost variable port still rejected",
+			siteURL:     "https://example.com:9000",
+			redirectURL: "https://example.com:9001/path",
+			want:        false,
+		},
 	}
 
 	for _, c := range cases {
