# `KeenAuth.Helpers.RedirectValidator`
[🔗](https://github.com/KeenMate/keen_auth/blob/main/lib/helpers/redirect_validator.ex#L1)

Validates redirect URLs to prevent open redirect vulnerabilities.

By default, only relative URLs (starting with `/`) are allowed. You can configure
a custom validator callback in your application config:

    config :keen_auth,
      redirect_validator: &MyApp.Auth.validate_redirect/2

## Callback Signature

The callback receives the redirect URL and the connection, and should return:
- `{:ok, url}` - URL is valid, use this URL (allows transformation)
- `:error` - URL is invalid, will fall back to "/"

## Examples

### Relative paths only (default)

    config :keen_auth,
      redirect_validator: &KeenAuth.Helpers.RedirectValidator.relative_only/2

### Database-backed allowlist

    def validate_redirect(url, _conn) do
      uri = URI.parse(url)
      # uri.host is nil for relative URLs, so the lookup (AllowedDomains is
      # your own module) must accept nil if relative redirects are wanted.
      if AllowedDomains.exists?(uri.host) do
        {:ok, url}
      else
        :error
      end
    end

### Allow specific domains

    def validate_redirect(url, _conn) do
      uri = URI.parse(url)
      # nil host = relative URL. Scheme-only URIs such as "mailto:..." also have
      # a nil host, so the scheme is checked as well.
      allowed = ["myapp.com", "app.myapp.com", nil]
      if uri.host in allowed and uri.scheme in [nil, "https"], do: {:ok, url}, else: :error
    end
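A hardened validator that combines the two allowlist examples above, added here as an example and not taken from KeenAuth (the `MyApp.Auth` module name and the host list are assumptions): it accepts relative paths under the same rules `relative_only/2` describes, and absolute URLs only over `https` to an allowlisted host, so a scheme-only URI with a `nil` host is not mistaken for a relative path.

```elixir
defmodule MyApp.Auth do
  # Added example, not KeenAuth code. The host list is an assumed value.
  @allowed_hosts ["myapp.com", "app.myapp.com"]

  @spec validate_redirect(binary(), Plug.Conn.t()) :: {:ok, binary()} | :error
  def validate_redirect(url, _conn) when is_binary(url) do
    if safe_relative?(url) do
      {:ok, url}
    else
      validate_absolute(URI.parse(url))
    end
  end

  def validate_redirect(_url, _conn), do: :error

  # Relative path: must start with "/" and, once percent-decoded, must not
  # turn into a protocol-relative "//host", contain a backslash (which some
  # browsers normalise to "/"), or carry CR/LF (unsafe in a Location header).
  defp safe_relative?(url) do
    decoded = URI.decode(url)

    String.starts_with?(url, "/") and
      not String.starts_with?(decoded, "//") and
      not String.contains?(decoded, ["\\", "\r", "\n"])
  rescue
    # Malformed percent-encoding (e.g. "%zz") is rejected rather than guessed at.
    ArgumentError -> false
  end

  # Absolute URL: only https and only hosts on the allowlist. URI.parse/1 gives
  # a protocol-relative "//other-site.example" a host, so it lands here and is
  # rejected unless that host is allowlisted. A scheme-only URI such as
  # "mailto:..." has no host and is rejected as well.
  defp validate_absolute(%URI{scheme: "https", host: host} = uri)
       when host in @allowed_hosts do
    {:ok, URI.to_string(uri)}
  end

  defp validate_absolute(_uri), do: :error
end
```

Wire it in with `config :keen_auth, redirect_validator: &MyApp.Auth.validate_redirect/2`; `validate/2` then returns `"/"` whenever this callback returns `:error`.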

# `relative_only`

```elixir
@spec relative_only(binary(), Plug.Conn.t()) :: {:ok, binary()} | :error
```

Default validator - only allows relative URLs starting with "/".

Rejects URLs with:
- Protocol-relative URLs (//example.com)
- Absolute URLs (https://example.com)
- URLs with encoded characters that could bypass validation

# `validate`

```elixir
@spec validate(binary() | nil, Plug.Conn.t()) :: binary()
```

Validates a redirect URL using the configured validator.

Returns the validated URL or "/" if validation fails or URL is nil.

---

*Consult [api-reference.md](api-reference.md) for complete listing*
