
fix(auth): validate mobile OAuth redirect targets#358

Open

Ridanshi wants to merge 1 commit into Dev-Card:main from Ridanshi:fix/oauth-mobile-redirect-allowlist

Conversation

@Ridanshi

Contributor

Closes #299

Summary

Adds strict allowlist validation for OAuth mobile_redirect_uri targets used during the mobile authentication flow.

Previously, mobile redirect targets were not strictly validated against a configured allowlist, allowing attacker-controlled redirect destinations to potentially be introduced into the OAuth flow.

This PR hardens redirect-target handling while preserving the existing OAuth architecture, state validation, cookie validation, and normal web/mobile authentication behavior.


Security Issue

Without strict validation, malicious or malformed redirect targets could potentially:

  • redirect OAuth flows to attacker-controlled destinations
  • abuse custom schemes
  • bypass intended mobile redirect constraints
  • create unsafe callback behavior

The issue specifically affected mobile OAuth redirect handling.


Implementation

Added strict validation for mobile_redirect_uri against the configured:

MOBILE_REDIRECT_URI

Validation now occurs:

  • before encoding redirect targets into OAuth state
  • before callback redirect execution

The implementation now rejects:

  • arbitrary HTTPS redirect targets
  • malformed redirect values
  • unknown/custom schemes not explicitly allowlisted

Existing OAuth state and cookie validation logic remains unchanged.


Files Changed

  • apps/backend/src/routes/auth.ts
  • apps/backend/src/__tests__/auth.test.ts

Tests

Focused regression coverage added for:

  • allowlisted mobile redirect is accepted
  • arbitrary HTTPS redirect is rejected
  • malformed redirect is rejected
  • unknown scheme is rejected
  • existing web OAuth redirect flow still succeeds
  • invalid mobile redirect fails safely before token exchange

Verification

node_modules\.bin\vitest.CMD run src\__tests__\auth.test.ts src\__tests__\connect.test.ts

Result:

✓ src/__tests__/connect.test.ts (2 tests)
✓ src/__tests__/auth.test.ts (5 tests)

Test Files  2 passed (2)
Tests       7 passed (7)

Notes

This PR intentionally keeps scope limited to redirect-target validation for mobile OAuth flows.

No Firebase/auth middleware refactors, token generation changes, OAuth architecture rewrites, or unrelated cleanup were introduced.
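The allowlist check the description outlines, as an added TypeScript example that is not code from the Dev-Card repository or this PR: it assumes MOBILE_REDIRECT_URI holds one or more comma-separated allowed targets (the comma form is an assumption), and the function names are hypothetical.

```typescript
// Added example, not code from the Dev-Card repository: a strict allowlist check
// for mobile OAuth redirect targets in the shape the PR description outlines.
// Assumption: MOBILE_REDIRECT_URI holds one or more comma-separated allowed URIs.

interface RedirectCheck {
  ok: boolean;
  uri?: string;                                   // canonical target when ok
  reason?: "malformed" | "scheme_not_allowlisted" | "not_allowlisted";
}

// Canonical form compared for an exact match: scheme, host[:port] and path only.
// Query and fragment are dropped so nothing appended to a valid entry survives,
// and "/a/../b" style paths are already normalised by the WHATWG URL parser.
function canonical(u: URL): string {
  return `${u.protocol}//${u.host}${u.pathname}`;
}

// Parse the configured allowlist once at startup; a malformed entry throws here
// rather than silently shrinking the allowlist at request time.
function parseAllowlist(configValue: string): URL[] {
  return configValue
    .split(",")
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .map((s) => new URL(s));
}

// Run before the target is encoded into OAuth state and again before the
// callback redirect is issued; callers must use the returned `uri`, not the input.
function validateMobileRedirect(candidate: string, allowlist: URL[]): RedirectCheck {
  let parsed: URL;
  try {
    parsed = new URL(candidate);                  // relative or unparsable input throws
  } catch {
    return { ok: false, reason: "malformed" };
  }
  if (parsed.username !== "" || parsed.password !== "") {
    return { ok: false, reason: "malformed" };    // userinfo has no place in a redirect
  }
  // Scheme check first: a custom scheme is accepted only if an allowlist entry uses it.
  const allowedSchemes = new Set(allowlist.map((a) => a.protocol));
  if (!allowedSchemes.has(parsed.protocol)) {
    return { ok: false, reason: "scheme_not_allowlisted" };
  }
  const target = canonical(parsed);
  return allowlist.some((a) => canonical(a) === target)
    ? { ok: true, uri: target }
    : { ok: false, reason: "not_allowlisted" };
}
```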

@Harxhit Harxhit added the gssoc:approved label (Required label for every approved PR. Gives the base +50 points and enables contribution tracking.) on May 27, 2026
@ShantKhatri ShantKhatri requested a review from Harxhit June 6, 2026 17:12
@Harxhit

Harxhit commented Jun 7, 2026

Collaborator

Please fix merge conflicts.

@Ridanshi Ridanshi force-pushed the fix/oauth-mobile-redirect-allowlist branch from 9b60c95 to 4ab897c on June 8, 2026 19:10
@vercel

vercel Bot commented Jun 8, 2026


@Ridanshi is attempting to deploy a commit to the Prashantkumar Khatri's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions

github-actions Bot commented Jun 8, 2026


CI — All Checks Passed

Backend — PASS

  Check      Result
  Lint       PASS
  Test       PASS
  Typecheck  PASS

Mobile — SKIP

  Check      Result
  Lint       -
  Test       -

Web — SKIP

  Check      Result
  Check      -
  Build      -

Last updated: Mon, 08 Jun 2026 19:16:47 GMT

@Ridanshi Ridanshi force-pushed the fix/oauth-mobile-redirect-allowlist branch from 4ab897c to c8e7e39 on June 8, 2026 19:15


Development

Successfully merging this pull request may close these issues.

OAuth callbacks trust unvalidated state and allow arbitrary mobile redirect token exfiltration
