@dauglyon dauglyon commented Jan 9, 2026

Summary

  • Adds support for nextRequest to redirect to external URLs on whitelisted domains after login
  • Enables cross-subdomain redirects (e.g., from narrative.kbase.us to hub.berdl.kbase.us)
  • Maintains security by validating URLs against a configurable whitelist

How to Whitelist URLs for Redirect

1. Configure the whitelist in config.json

Add a redirect_whitelist array to any environment that needs external redirects:

{
  "environments": {
    "production": {
      "domain": "narrative.kbase.us",
      ...
      "redirect_whitelist": ["*.berdl.kbase.us"]
    }
  }
}

2. Wildcard patterns

  • *.berdl.kbase.us - Matches hub.berdl.kbase.us, hub.dev.berdl.kbase.us, etc.
  • *.kbase.us - Matches any *.kbase.us subdomain
  • hub.berdl.kbase.us - Matches exact domain only
  • TLD-only wildcards like *.com are rejected for security

3. Usage

Pass the full external URL as the nextRequest parameter:

/login?nextRequest=https://hub.berdl.kbase.us/somepath

After successful login, the user will be redirected to the external URL.

Security

  • Only HTTPS URLs are allowed
  • URLs not matching the whitelist are blocked with a toast notification
  • Blocked redirects fall back to /narratives
  • Wildcard patterns must have at least 2 domain parts after the wildcard

Test plan

  • Verify external redirect works with whitelisted domain
  • Verify non-whitelisted external URLs are blocked with toast
  • Verify internal nextRequest (JSON-encoded paths) still works
  • Verify HTTP URLs are blocked
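The checks the description lists (HTTPS only, exact or `*.`-prefixed patterns, TLD-only wildcards rejected, non-matching or non-URL values blocked), written out as an added JavaScript example that is not the project's own code. Function names, the hostname label regex, and the choice that `*.berdl.kbase.us` does not cover the apex `berdl.kbase.us` are assumptions.

```javascript
// Added example, not the project's code. Names and the apex-domain rule
// are assumptions; only the rules stated in the PR description are enforced.

// A pattern is an exact hostname or "*." followed by a domain with at least
// two labels, so "*.com" (TLD-only) is rejected as too broad.
function isValidWhitelistPattern(pattern) {
  const p = String(pattern).toLowerCase();
  const label = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/;
  const body = p.startsWith('*.') ? p.slice(2) : p;
  const labels = body.split('.');
  if (labels.some((l) => !label.test(l))) return false;
  if (p.startsWith('*.') && labels.length < 2) return false; // TLD-only wildcard
  return true;
}

// "*.a.b" matches "x.a.b" and "y.x.a.b" but not "a.b" itself (assumption)
// and not "x.a.b.evil.test": the comparison keeps the leading dot and
// anchors at the end of the hostname, so suffix tricks do not match.
function hostMatchesPattern(hostname, pattern) {
  if (!isValidWhitelistPattern(pattern)) return false;
  const h = hostname.toLowerCase();
  const p = pattern.toLowerCase();
  if (!p.startsWith('*.')) return h === p;
  const suffix = p.slice(1); // ".a.b"
  return h.length > suffix.length && h.endsWith(suffix);
}

// Validate a nextRequest value meant to be an external URL. Returns the
// normalized URL to redirect to, or null when it must be blocked (the caller
// then shows the toast and falls back to /narratives). Internal
// JSON-encoded paths are not absolute URLs and are left to the existing path.
function allowedExternalRedirect(nextRequest, whitelist) {
  let url;
  try {
    url = new URL(nextRequest); // throws for relative paths / JSON strings
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:') return null;   // HTTPS-only
  if (url.username || url.password) return null; // no embedded credentials
  const ok = whitelist.some((pat) => hostMatchesPattern(url.hostname, pat));
  return ok ? url.toString() : null;
}
```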

@dauglyon dauglyon force-pushed the add-external-redirect-whitelist branch from 93198bf to 2caa2f6 on January 9, 2026 21:47
Allow nextRequest parameter to redirect to external URLs on whitelisted
domains after login. This enables cross-subdomain redirects (e.g., from
narrative.kbase.us to hub.berdl.kbase.us) while maintaining security.

Features:
- Configurable whitelist via redirect_whitelist in config.json
- Wildcard support (e.g., *.berdl.kbase.us)
- HTTPS-only enforcement
- TLD-only wildcards rejected for security (e.g., *.com blocked)
- Blocked redirects show toast and fall back to /narratives
@dauglyon dauglyon force-pushed the add-external-redirect-whitelist branch from 2caa2f6 to d778ff7 on January 9, 2026 21:55
@dauglyon dauglyon changed the title Add external URL redirect whitelist for nextRequest CDM-350 Add external URL redirect whitelist for nextRequest Jan 9, 2026