Skip to content

fix(payments-next): [f010] prompt=none failure redirects to unvalidated callback-url cookie#20879

Open
elizabeth-ilina wants to merge 1 commit into
mainfrom
PAY-3803-f-010-prompt-none-failure-redirects-to-unvalidated-callback-url-cookie
Open

fix(payments-next): [f010] prompt=none failure redirects to unvalidated callback-url cookie#20879
elizabeth-ilina wants to merge 1 commit into
mainfrom
PAY-3803-f-010-prompt-none-failure-redirects-to-unvalidated-callback-url-cookie

Conversation

@elizabeth-ilina

@elizabeth-ilina elizabeth-ilina commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Because

  • The prompt=none login_required branch and the auth error page redirected to the authjs.callback-url cookie without validation, bypassing NextAuth's redirect allow-list. A cookie tossed from a sibling *.firefox.com subdomain could force an open redirect to an attacker-controlled URL.

This pull request

  • Adds a shared getSafeRedirectUrl helper that validates redirect origins against the NextAuth allow-list, and applies it in the callback route, the auth error page, and the existing redirect callback.

Issue that this pull request solves

Closes #PAY-3803

Checklist

Put an x in the boxes that apply

  • My commit is GPG signed.
  • If applicable, I have modified or added tests which pass locally.
  • I have added necessary documentation (if appropriate).
  • I have verified that my changes render correctly in RTL (if appropriate).
  • I have manually reviewed all AI generated code.

How to review (Optional)

  • Key files/areas to focus on:
  • Suggested review order:
  • Risky or complex parts:

Screenshots (Optional)

Please attach the screenshots of the changes made in case of change in user interface.

Other information (Optional)

Any other information that is important to this pull request.

…ed callback-url cookie

Because:

* The prompt=none login_required branch and the auth error page redirected
  to the authjs.callback-url cookie without validation, bypassing NextAuth's
  redirect allow-list. A cookie tossed from a sibling *.firefox.com subdomain
  could force an open redirect to an attacker-controlled URL.

This commit:

* Adds a shared getSafeRedirectUrl helper that validates redirect origins against the NextAuth allow-list, and applies it in the callback route, the auth error page, and the existing redirect callback.

Closes #[PAY-3803](https://mozilla-hub.atlassian.net/browse/PAY-3803)
@elizabeth-ilina
elizabeth-ilina marked this pull request as ready for review July 16, 2026 10:46
@elizabeth-ilina
elizabeth-ilina requested a review from a team as a code owner July 16, 2026 10:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant