feat: add OAuth redirect URL validation for security

- Add validateOAuthRedirectURL utility function with domain allowlist
- Enforce HTTPS requirement for all OAuth redirect URLs
- Validate OAuth provider domains against security allowlist
- Integrate URL validation into login component OAuth flow
- Add comprehensive logging for security validation events

Security improvements:
- Prevent open redirect vulnerabilities
- Restrict OAuth flows to trusted provider domains
- Add runtime validation with detailed error logging

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: RonenMars

src/components/pages/login.tsx

@@ -7,6 +7,7 @@ import { useSearchParams } from "react-router-dom";
 import { isDevelopment } from "@constants/global.constants";
 import { LoggerService } from "@services";
 import { LoginPageProps } from "@src/interfaces/components";
+import { validateOAuthRedirectURL } from "@utilities/validateUrl.utils";
 
 import { AHref, IconSvg, Loader } from "@components/atoms";
 import { OAuthProviderButton } from "@components/molecules";
@@ -75,8 +76,15 @@ const Login = ({ handleSuccess, isLoggingIn }: LoginPageProps) => {
 				LoggerService.debug("auth.oauth.login", `OAuth start successful, redirecting to: ${resp?.data?.url}`);
 			}
 
-			// TODO: Add URL validation before redirect
-			window.location.href = resp?.data?.url;
+			// Validate OAuth redirect URL for security
+			const redirectUrl = resp?.data?.url;
+			if (!redirectUrl || !validateOAuthRedirectURL(redirectUrl)) {
+				LoggerService.error("auth.oauth.login", `Invalid OAuth redirect URL received: ${redirectUrl}`, true);
+				// TODO: Show user-friendly error notification
+				return;
+			}
+
+			window.location.href = redirectUrl;
 		} catch (error) {
 			LoggerService.error("auth.oauth.login", `Error initiating OAuth: ${error}`, true);
 			// TODO: Show user-friendly error notification

src/utilities/validateUrl.utils.ts

@@ -36,3 +36,41 @@ export const compareUrlParams = (oldUrl: string, newUrl: string): boolean => {
 		return oldUrl !== newUrl;
 	}
 };
+
+// Allowed OAuth provider domains for security
+const allowedOAuthDomains = [
+	"github.com",
+	"api.github.com",
+	"accounts.google.com",
+	"login.microsoftonline.com",
+	"oauth.descope.com",
+	"api.descope.com",
+] as const;
+
+export const validateOAuthRedirectURL = (url: string): boolean => {
+	try {
+		// First check if it's a valid URL
+		const parsedUrl = new URL(url);
+
+		// Must be HTTPS for security
+		if (parsedUrl.protocol !== "https:") {
+			LoggerService.warn("auth.oauth.validation", `OAuth redirect URL must use HTTPS: ${url}`);
+			return false;
+		}
+
+		// Check if the domain is in our allowlist
+		const isAllowedDomain = allowedOAuthDomains.some(
+			(domain) => parsedUrl.hostname === domain || parsedUrl.hostname.endsWith(`.${domain}`)
+		);
+
+		if (!isAllowedDomain) {
+			LoggerService.warn("auth.oauth.validation", `OAuth redirect URL domain not allowed: ${parsedUrl.hostname}`);
+			return false;
+		}
+
+		return true;
+	} catch (error) {
+		LoggerService.error("auth.oauth.validation", `Invalid OAuth redirect URL: ${url}, Error: ${error}`);
+		return false;
+	}
+};