refactor(signIn): add strict validation for redirect values

[halvaradop]

Description

This pull request adds strict validation for redirect values accepted by the /signIn/:provider endpoint, which is used to redirect users after a successful OAuth sign-in.

The refactor introduces a secure validation mechanism that compares the redirectTo search parameter against the Referer and Origin request headers. This ensures that only legitimate and safe URLs are allowed, preventing open redirect vulnerabilities.

The new validation logic guarantees that redirect values:

• Contain only safe characters
• Follow a valid URL format
• Are consistent with the request origin

Validation Rules

The redirect target is considered valid only if it matches one of the following cases:

• Relative paths

  • Must contain only safe characters
  • Must not include protocol or domain information

• Absolute URLs

  • Must be a valid URL
  • Must share the same origin as the incoming request (origin check enforced)

This change significantly improves the security model of the OAuth sign-in flow by ensuring redirects cannot be abused for malicious navigation.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
auth-nextjs-demo	Ready	Preview, Comment	Feb 2, 2026 0:03am

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
auth	Skipped		Feb 2, 2026 0:03am