[WEB-4943] refactor: enhance URL validation and redirection logic in authentication views (#7815)

* refactor: enhance URL validation and redirection logic in authentication views

* Updated authentication views (SignInAuthSpaceEndpoint, GitHubCallbackSpaceEndpoint, GitLabCallbackSpaceEndpoint, GoogleCallbackSpaceEndpoint, and MagicSignInSpaceEndpoint) to include url_has_allowed_host_and_scheme checks for safer redirection.
* Improved URL construction by ensuring proper formatting and fallback to base host when necessary.
* Added get_allowed_hosts function to path_validator.py for better host validation.

* refactor: improve comments and clean up code in path_validator.py

* Updated comments for clarity in the get_safe_redirect_url function.
* Removed unnecessary blank line to enhance

apps/api/plane/authentication/views/space/email.py

@@ -15,8 +15,7 @@ from plane.authentication.adapter.error import (
     AUTHENTICATION_ERROR_CODES,
     AuthenticationException,
 )
-from plane.utils.path_validator import get_safe_redirect_url, validate_next_path
-
+from plane.utils.path_validator import get_safe_redirect_url, validate_next_path, get_allowed_hosts
 
 class SignInAuthSpaceEndpoint(View):
     def post(self, request):
@@ -200,7 +199,7 @@ class SignUpAuthSpaceEndpoint(View):
             user_login(request=request, user=user, is_space=True)
             # redirect to referer path
             next_path = validate_next_path(next_path=next_path)
-            url = f"{base_host(request=request, is_space=True).rstrip("/")}{next_path}"
+            url = f"{base_host(request=request, is_space=True).rstrip('/')}{next_path}"
             if url_has_allowed_host_and_scheme(url, allowed_hosts=get_allowed_hosts()):
                 return HttpResponseRedirect(url)
             else:

apps/api/plane/authentication/views/space/github.py

@@ -4,6 +4,7 @@ import uuid
 # Django import
 from django.http import HttpResponseRedirect
 from django.views import View
+from django.utils.http import url_has_allowed_host_and_scheme
 
 # Module imports
 from plane.authentication.provider.oauth.github import GitHubOAuthProvider
@@ -14,7 +15,7 @@ from plane.authentication.adapter.error import (
     AUTHENTICATION_ERROR_CODES,
     AuthenticationException,
 )
-from plane.utils.path_validator import get_safe_redirect_url, validate_next_path
+from plane.utils.path_validator import get_safe_redirect_url, validate_next_path, get_allowed_hosts
 
 
 class GitHubOauthInitiateSpaceEndpoint(View):
@@ -94,8 +95,11 @@ class GitHubCallbackSpaceEndpoint(View):
             # Process workspace and project invitations
             # redirect to referer path
             next_path = validate_next_path(next_path=next_path)
-            url = f"{base_host(request=request, is_space=True).rstrip("/")}{next_path}"
-            return HttpResponseRedirect(url)
+            url = f"{base_host(request=request, is_space=True).rstrip('/')}{next_path}"
+            if url_has_allowed_host_and_scheme(url, allowed_hosts=get_allowed_hosts()):
+                return HttpResponseRedirect(url)
+            else:
+                return HttpResponseRedirect(base_host(request=request, is_space=True))
         except AuthenticationException as e:
             params = e.get_error_dict()
             url = get_safe_redirect_url(

apps/api/plane/authentication/views/space/gitlab.py

@@ -4,6 +4,7 @@ import uuid
 # Django import
 from django.http import HttpResponseRedirect
 from django.views import View
+from django.utils.http import url_has_allowed_host_and_scheme
 
 # Module imports
 from plane.authentication.provider.oauth.gitlab import GitLabOAuthProvider
@@ -14,7 +15,7 @@ from plane.authentication.adapter.error import (
     AUTHENTICATION_ERROR_CODES,
     AuthenticationException,
 )
-from plane.utils.path_validator import get_safe_redirect_url, validate_next_path
+from plane.utils.path_validator import get_safe_redirect_url, get_allowed_hosts, validate_next_path
 
 
 class GitLabOauthInitiateSpaceEndpoint(View):
@@ -95,8 +96,11 @@ class GitLabCallbackSpaceEndpoint(View):
             # Process workspace and project invitations
             # redirect to referer path
             next_path = validate_next_path(next_path=next_path)
-            url = f"{base_host(request=request, is_space=True).rstrip("/")}{next_path}"
-            return HttpResponseRedirect(url)
+            url = f"{base_host(request=request, is_space=True).rstrip('/')}{next_path}"
+            if url_has_allowed_host_and_scheme(url, allowed_hosts=get_allowed_hosts()):
+                return HttpResponseRedirect(url)
+            else:
+                return HttpResponseRedirect(base_host(request=request, is_space=True))
         except AuthenticationException as e:
             params = e.get_error_dict()
             url = get_safe_redirect_url(

apps/api/plane/authentication/views/space/google.py

@@ -4,6 +4,7 @@ import uuid
 # Django import
 from django.http import HttpResponseRedirect
 from django.views import View
+from django.utils.http import url_has_allowed_host_and_scheme
 
 # Module imports
 from plane.authentication.provider.oauth.google import GoogleOAuthProvider
@@ -14,7 +15,7 @@ from plane.authentication.adapter.error import (
     AuthenticationException,
     AUTHENTICATION_ERROR_CODES,
 )
-from plane.utils.path_validator import get_safe_redirect_url, validate_next_path
+from plane.utils.path_validator import get_safe_redirect_url, validate_next_path, get_allowed_hosts
 
 
 class GoogleOauthInitiateSpaceEndpoint(View):
@@ -91,8 +92,11 @@ class GoogleCallbackSpaceEndpoint(View):
             user_login(request=request, user=user, is_space=True)
             # redirect to referer path
             next_path = validate_next_path(next_path=next_path)
-            url = f"{base_host(request=request, is_space=True).rstrip("/")}{next_path}"
-            return HttpResponseRedirect(url)
+            url = f"{base_host(request=request, is_space=True).rstrip('/')}{next_path}"
+            if url_has_allowed_host_and_scheme(url, allowed_hosts=get_allowed_hosts()):
+                return HttpResponseRedirect(url)
+            else:
+                return HttpResponseRedirect(base_host(request=request, is_space=True))
         except AuthenticationException as e:
             params = e.get_error_dict()
             url = get_safe_redirect_url(

apps/api/plane/authentication/views/space/magic.py

@@ -96,7 +96,7 @@ class MagicSignInSpaceEndpoint(View):
             user_login(request=request, user=user, is_space=True)
             # redirect to referer path
             next_path = validate_next_path(next_path=next_path)
-            url = f"{base_host(request=request, is_space=True).rstrip("/")}{next_path}"
+            url = f"{base_host(request=request, is_space=True).rstrip('/')}{next_path}"
             if url_has_allowed_host_and_scheme(url, allowed_hosts=get_allowed_hosts()):
                 return HttpResponseRedirect(url)
             else:
@@ -158,7 +158,7 @@ class MagicSignUpSpaceEndpoint(View):
             user_login(request=request, user=user, is_space=True)
             # redirect to referer path
             next_path = validate_next_path(next_path=next_path)
-            url = f"{base_host(request=request, is_space=True).rstrip("/")}{next_path}"
+            url = f"{base_host(request=request, is_space=True).rstrip('/')}{next_path}"
             if url_has_allowed_host_and_scheme(url, allowed_hosts=get_allowed_hosts()):
                 return HttpResponseRedirect(url)
             else: