From 29e8516de96f66ea61954cdd37953af1bd37a965 Mon Sep 17 00:00:00 2001
From: aldo <141215967+AMDoellal@users.noreply.github.com>
Date: Tue, 23 Sep 2025 11:35:41 +0000
Subject: [PATCH] fix: prevent redirects to callback or login page in OIDC flow

Signed-off-by: aldo <141215967+AMDoellal@users.noreply.github.com>
---
 public/static/oidc-callback.html | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/public/static/oidc-callback.html b/public/static/oidc-callback.html
index 80a502c1c..46a7e413f 100644
--- a/public/static/oidc-callback.html
+++ b/public/static/oidc-callback.html
@@ -47,8 +47,19 @@
 return oidcUserManager.signinRedirectCallback();
 })
 .then((user) => {
- const redirectTo = user.state;
- window.location.href = redirectTo && isUrlSaveForRedirect(redirectTo) ? redirectTo : "../";
+ const redirectTo = user.state;
+ // Verhindere Redirect auf Callback- oder Login-Seite
+ const forbiddenRedirects = [window.location.pathname, '/login', 'oidc-callback.html'];
+ function isRedirectAllowed(url) {
+ if (!url) return false;
+ try {
+ const parsedUrl = new URL(url, window.location.origin);
+ return !forbiddenRedirects.some(f => parsedUrl.pathname.endsWith(f));
+ } catch (e) {
+ return false;
+ }
+ }
+ window.location.href = redirectTo && isUrlSaveForRedirect(redirectTo) && isRedirectAllowed(redirectTo) ? redirectTo : "../";
 })
 .catch((err) => {
 console.log(err);
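Review bot: The `endsWith` match in `isRedirectAllowed` compares the raw `pathname`, so a `state` of `/login/` (trailing slash), `/Login` (case), or `/%6Cogin` (percent-encoded letter, which the URL parser leaves as is) passes the blocklist and still lands on the login or callback page, which is exactly the loop this commit is meant to break; conversely `endsWith('/login')` also rejects any legitimate route that merely ends in `/login`. Normalise the path before comparing, e.g. `const path = decodeURIComponent(parsedUrl.pathname).replace(/\/+$/, '').toLowerCase();` followed by `return !forbiddenRedirects.some((f) => path.endsWith(f.toLowerCase()));` — a malformed encoding then throws into the existing `catch` and fails closed, and `window.location.pathname` in the list becomes redundant with `'oidc-callback.html'` and could be dropped. Note that this check only prevents a loop; whether the redirect stays on the same origin depends on `isUrlSaveForRedirect`, which is defined outside this hunk and cannot be assessed here. The new comment is the only German text in the hunk; an English equivalent such as `// Avoid redirecting back to the callback or login page (would loop)` would match the rest of the file's identifiers.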