01f09fa7

By: Michael Lynch <git@mtlynch.io>

Reject unsafe login redirect targets

Validate the next path without sanitizing caller input, so malformed URLs and paths without a leading slash fail instead of falling back to the home page.

Add table-driven login coverage for protocol-relative URLs, external HTTP and HTTPS URLs, malformed URLs, non-HTTP absolute URLs, and valid app-relative paths.
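
The reject-instead-of-sanitize check this commit message describes could look like the following added example, which is not the code from this commit. The language (Go), the function name `ValidateNextPath`, the error value, and the sample inputs are all assumptions made for illustration, and an empty value is treated as invalid so the caller decides what to do when no next parameter is supplied.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrUnsafeRedirect marks any target that is not an app-relative path.
var ErrUnsafeRedirect = errors.New("unsafe redirect target")

// ValidateNextPath (hypothetical name) returns next unchanged when it is a
// safe app-relative path and an error otherwise. It never rewrites the input.
func ValidateNextPath(next string) (string, error) {
	// Exactly one leading slash: rejects "dashboard", "", and "//host/path".
	if !strings.HasPrefix(next, "/") || strings.HasPrefix(next, "//") {
		return "", ErrUnsafeRedirect
	}
	// Extra hardening not listed in the commit message: browsers treat "\"
	// like "/", so "/\host" can behave like "//host".
	if strings.Contains(next, `\`) {
		return "", ErrUnsafeRedirect
	}
	// Malformed input (bad percent-escapes, control characters) fails to parse.
	u, err := url.Parse(next)
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrUnsafeRedirect, err)
	}
	// Defense in depth: a relative path has no scheme, host, or userinfo.
	if u.Scheme != "" || u.Host != "" || u.User != nil {
		return "", ErrUnsafeRedirect
	}
	return next, nil
}

func main() {
	// Constructed inputs covering the categories named in the commit message.
	for _, in := range []string{
		"//evil.example/x", "https://evil.example/", "http://evil.example/",
		"/%zz", "mailto:a@evil.example", "dashboard", "/dashboard?tab=1",
	} {
		_, err := ValidateNextPath(in)
		fmt.Printf("%-26q ok=%v\n", in, err == nil)
	}
}
```

Because the function returns the input verbatim or an error, a login handler can answer a rejected target with an error response rather than silently redirecting somewhere the caller did not ask for.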