Bruce MacDonald 7601f0e93e server: reject unexpected auth hosts (#13738) ...

Added validation to ensure auth redirects stay on the same host as the original request. The fix is a single check in getAuthorizationToken comparing the realm URL's host against the request host. Added tests for the auth flow.

Co-Authored-By: Gecko Security <188164982+geckosecurity@users.noreply.github.com>

* gofmt

---------

Co-authored-by: Gecko Security <188164982+geckosecurity@users.noreply.github.com>

2026-01-16 14:10:36 -05:00

2.2 KiB

Raw Blame History

View Raw