Conversation

hf (Contributor) commented Sep 29, 2022

GoTrue limited wildcard redirect patterns only on http or https URLs. This presents a problem in mobile apps that have dynamic redirects back to their application.

See: #710.

hf (Contributor, Author) commented Sep 30, 2022

There was some discussion here on this issue: #99

This does open up the space to introduce a wider attack surface for mobile apps, although this is not as significant as it appears. On Android at least, apps can also listen to https URLs too. It is up to the user of GoTrue to make sure their settings are secure when they add redirect patterns.

cc @kangmingtay @awalias

@hf hf force-pushed the hf/allow-list-all-schemes branch from d49dbcc to 1316be2 on September 30, 2022 08:30
@hf hf force-pushed the hf/allow-list-all-schemes branch from 1316be2 to 4a691df on September 30, 2022 08:42
hf (Contributor, Author) commented Sep 30, 2022

Added to Security doc (yet unpublished). Excerpt:


Redirect URLs

Supabase Auth lets you redirect back to different URLs on successful
authentication. Your client app can specify the URL to redirect back to using
the redirectTo parameter.

Given that in sophisticated attacks this parameter may come from a malicious
source, Supabase Auth implements an allow list which will be consulted prior to
sending a redirect response. Should the redirect parameter not fall in the URL
allow list, the Site URL is used.

The allow list can be a simple list of exactly matching URLs, but it also
supports wildcard characters to match them as a pattern.

:::tip
You can configure the URL allow list in the Authentication General Settings
page under Redirect URLs.
:::

Because wildcard patterns are also supported, you need to be careful when using
them, as you may be opening up your application to a larger attack surface.
Here are some examples of do's and don'ts.

Don'ts.

  • **
    This pattern would match any redirect URL.
  • com.mobile.app.*://**
    This pattern would match any iOS application with a package name that starts
    with com.mobile.app.. An attacker can use this to call on those apps in a
    user's device.
  • https://*.com/**
    This pattern would match any URL on the .com domain name. An attacker can use
    this to redirect back to any website they control.

Do's.

  • https://app.example.com/**
    This is the recommended form for most project use cases on the web. Any
    redirects to the app.example.com domain will be allowed with any path. If
    your project needs to support multiple such domains, add multiple entries like
    this.
  • com.mobile.app://**
    This is the recommended form for most project use cases on iOS. Any redirects
    to the com.mobile.app application will be allowed with any path. If your
    project needs to support multiple applications, add multiple entries. Avoid
    using wildcards in the URL scheme!

:::tip
If you use exact or very specific URLs, make sure you always include a trailing
slash / as that is the proper valid form of URLs. Correct form:
https://app.example.com/*/sign-in/. Incorrect form:
https://app.example.com/*/sign-in.
:::
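
To make the do's and don'ts above concrete, here is a small allow-list matcher written for this thread (it is an added illustration, not GoTrue's own code). It assumes the pattern semantics the excerpt implies: `**` matches anything, while a single `*` matches any run of characters that does not cross a `.` or `/` separator; the hostnames and app identifiers used as inputs are constructed samples.

```go
package main

import "fmt"

// matchGlob is an added illustration, not GoTrue's matcher. Assumed semantics:
//   "**" matches any run of characters, including "." and "/";
//   "*"  matches any run of characters that does not cross a "." or "/";
//   everything else matches literally.
func matchGlob(pattern, u string) bool {
	if pattern == "" {
		return u == ""
	}
	if len(pattern) >= 2 && pattern[:2] == "**" {
		for i := 0; i <= len(u); i++ { // try every split point
			if matchGlob(pattern[2:], u[i:]) {
				return true
			}
		}
		return false
	}
	if pattern[0] == '*' {
		for i := 0; i <= len(u); i++ {
			if matchGlob(pattern[1:], u[i:]) {
				return true
			}
			if i < len(u) && (u[i] == '.' || u[i] == '/') {
				return false // a single "*" never swallows a separator
			}
		}
		return false
	}
	return len(u) > 0 && u[0] == pattern[0] && matchGlob(pattern[1:], u[1:])
}

// resolveRedirect applies the rule from the excerpt: honour redirectTo only
// when some allow-list entry matches it, otherwise fall back to the Site URL.
func resolveRedirect(allowList []string, siteURL, redirectTo string) string {
	for _, p := range allowList {
		if matchGlob(p, redirectTo) {
			return redirectTo
		}
	}
	return siteURL
}

func main() {
	site := "https://app.example.com/"
	donts := []string{"https://*.com/**", "com.mobile.app.*://**"}
	dos := []string{"https://app.example.com/**", "com.mobile.app://**"}
	// Constructed sample targets an attacker might supply in redirectTo.
	for _, target := range []string{"https://attacker-controlled.com/cb", "com.mobile.app.other://cb"} {
		fmt.Printf("%-36s don'ts -> %-36s do's -> %s\n", target, resolveRedirect(donts, site, target), resolveRedirect(dos, site, target))
	}
}
```

Running it shows the "don'ts" patterns handing the user off to the constructed attacker targets, while the "do's" patterns fall back to the Site URL for the same inputs.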

@hf hf merged commit 4ece9e3 into master Sep 30, 2022
@hf hf deleted the hf/allow-list-all-schemes branch September 30, 2022 09:05
github-actions (Contributor) commented
🎉 This PR is included in version 2.17.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
