KeenAuth.Helpers.RedirectValidator (KeenAuth v1.0.1)


Validates redirect URLs to prevent open redirect vulnerabilities.

By default, only relative URLs (starting with /) are allowed. You can configure a custom validator callback in your application config:

config :keen_auth,
  redirect_validator: &MyApp.Auth.validate_redirect/2

Callback Signature

The callback receives the redirect URL and the Plug.Conn, and must return one of:

  • {:ok, url} - the URL is valid; the url in the tuple is the one that will be used, so the callback may normalize or rewrite it
  • :error - the URL is invalid; the redirect falls back to "/"

Examples

Relative paths only (default)

config :keen_auth,
  redirect_validator: &KeenAuth.Helpers.RedirectValidator.relative_only/2

Database-backed allowlist

def validate_redirect(url, _conn) do
  uri = URI.parse(url)
  # Check the scheme as well as the host: a host-only check would also
  # accept ftp://myapp.com. A relative path has a nil host and is rejected
  # here; combine with relative_only/2 if you want to allow those too.
  if uri.scheme in ["http", "https"] and is_binary(uri.host) and
       AllowedDomains.exists?(uri.host) do
    {:ok, url}
  else
    :error
  end
end

Allow specific domains

def validate_redirect(url, conn) do
  uri = URI.parse(url)
  allowed = ["myapp.com", "app.myapp.com"]
  cond do
    # Relative path (no scheme, no host): apply the default checks. Do not put nil in
    # the allowlist instead: javascript:alert(1) and mailto: URLs also have a nil host.
    is_nil(uri.scheme) and is_nil(uri.host) -> KeenAuth.Helpers.RedirectValidator.relative_only(url, conn)
    uri.scheme in ["http", "https"] and uri.host in allowed -> {:ok, url}
    true -> :error
  end
end
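The allowlist examples above stop at the host. As an added example that is not part of KeenAuth, the module below shows the checks a practitioner would normally bolt on around the host match: the cases where a browser's URL parser disagrees with URI.parse/1 (leading whitespace, backslashes, extra leading slashes), credentials in the authority, non-http(s) schemes with a nil host, and exact rather than suffix host matching. It also uses the {:ok, url} return value to rewrite allowlisted http targets to https, which is what "allows transformation" refers to. The module name MyApp.Auth.RedirectValidator, the allowlisted hosts, and the ExUnit cases are all assumptions made for the example; the conn argument is ignored, so the tests pass nil for it. Run it with `elixir redirect_validator.exs`.

```elixir
# Added example, not part of KeenAuth: a host-allowlist validator covering the
# cases a bare `uri.host in allowed` check misses, plus an ExUnit module so the
# file can be run directly with `elixir redirect_validator.exs`.
ExUnit.start()

defmodule MyApp.Auth.RedirectValidator do
  # Hypothetical allowlist; a real app would load this from config or a database.
  @allowed_hosts ["myapp.com", "app.myapp.com"]
  @allowed_schemes ["http", "https"]

  @doc """
  KeenAuth redirect_validator callback. Returns {:ok, url} or :error.
  Wire it up with:
      config :keen_auth, redirect_validator: &MyApp.Auth.RedirectValidator.validate/2
  """
  def validate(url, _conn) when is_binary(url) do
    with :ok <- check_characters(url),
         uri = URI.parse(url),
         :ok <- check_target(uri) do
      {:ok, normalize(uri, url)}
    end
  end

  # nil or non-binary input: KeenAuth falls back to "/" on :error.
  def validate(_url, _conn), do: :error

  # Checks on the raw string, before parsing: browser URL parsing differs from
  # URI.parse/1 in exactly the places an attacker will probe.
  defp check_characters(url) do
    cond do
      # Browsers strip leading/trailing whitespace and control characters,
      # so " //evil.com" would turn protocol-relative after we approved it.
      String.trim(url) != url -> :error
      # Browsers treat "\" as "/" in http(s) URLs: "/\evil.com" is "//evil.com"
      # to the browser but an ordinary path to URI.parse/1.
      String.contains?(url, ["\\", "\n", "\r", "\t"]) -> :error
      # Protocol-relative, including "///evil.com" (browsers ignore extra slashes).
      String.starts_with?(url, "//") -> :error
      true -> :ok
    end
  end

  # Relative target: no scheme and no authority, and an absolute path.
  # A nil host alone is not enough: "javascript:alert(1)" also has a nil host.
  defp check_target(%URI{scheme: nil, host: nil, userinfo: nil, path: "/" <> _}), do: :ok

  # Absolute target: http(s) only, no credentials in the authority (which is how
  # "https://myapp.com@evil.com" smuggles the allowlisted name in), and an exact
  # host match so "myapp.com.evil.com" cannot pass a suffix check.
  defp check_target(%URI{scheme: scheme, host: host, userinfo: nil})
       when scheme in @allowed_schemes and is_binary(host) do
    if String.downcase(host) in @allowed_hosts, do: :ok, else: :error
  end

  defp check_target(_uri), do: :error

  # {:ok, url} may carry a rewritten URL: allowlisted http targets on the default
  # port are upgraded to https; everything else is returned unchanged.
  defp normalize(%URI{scheme: "http", port: 80} = uri, _url) do
    URI.to_string(%{uri | scheme: "https", port: nil})
  end

  defp normalize(_uri, url), do: url
end

defmodule MyApp.Auth.RedirectValidatorTest do
  use ExUnit.Case, async: true
  alias MyApp.Auth.RedirectValidator, as: V

  # The validator ignores the conn, so nil stands in for a Plug.Conn here.
  @conn nil

  test "relative paths pass through unchanged" do
    assert V.validate("/dashboard?tab=1", @conn) == {:ok, "/dashboard?tab=1"}
    assert V.validate("dashboard", @conn) == :error
  end

  test "protocol-relative and browser-parsing variants are rejected" do
    assert V.validate("//evil.com", @conn) == :error
    assert V.validate("///evil.com", @conn) == :error
    assert V.validate("/\\evil.com", @conn) == :error
    assert V.validate(" //evil.com", @conn) == :error
  end

  test "only http(s) on allowlisted hosts is accepted, without credentials" do
    assert V.validate("https://app.myapp.com/x?y=1", @conn) == {:ok, "https://app.myapp.com/x?y=1"}
    assert V.validate("http://myapp.com/x", @conn) == {:ok, "https://myapp.com/x"}
    assert V.validate("https://evil.com/", @conn) == :error
    assert V.validate("https://myapp.com.evil.com/", @conn) == :error
    assert V.validate("https://myapp.com@evil.com/", @conn) == :error
    assert V.validate("javascript:alert(1)", @conn) == :error
    assert V.validate(nil, @conn) == :error
  end
end
```

The string-level checks run before URI.parse/1 on purpose: once a URL has been approved, it is the browser, not Elixir, that decides where it goes, so anything the two parsers disagree on is rejected outright rather than reasoned about.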

Summary

Functions

Default validator - only allows relative URLs starting with "/".

Validates a redirect URL using the configured validator.

Functions

relative_only(url, conn)

@spec relative_only(binary(), Plug.Conn.t()) :: {:ok, binary()} | :error

Default validator - only allows relative URLs starting with "/".

Rejects URLs with:

  • Protocol-relative URLs (//example.com)
  • Absolute URLs (https://example.com)
  • URLs with encoded characters that could bypass validation

validate(url, conn)

@spec validate(binary() | nil, Plug.Conn.t()) :: binary()

Validates a redirect URL using the configured validator.

Returns the validated URL, or "/" if validation fails or the URL is nil.