[WEB-4943]fix: next path url redirection (#7817)

* fix: next path url redirection

* fix: enhance URL redirection safety in authentication views

Updated SignInAuthSpaceEndpoint, GitHubCallbackSpaceEndpoint, GitLabCallbackSpaceEndpoint, and GoogleCallbackSpaceEndpoint to include checks for allowed hosts and schemes before redirecting. This improves the security of URL redirection by ensuring only valid URLs are used.

* chore: updated uitl to handle double /

---------

Co-authored-by: pablohashescobar <nikhilschacko@gmail.com>
Co-authored-by: Nikhil <118773738+pablohashescobar@users.noreply.github.com>

apps/api/plane/authentication/views/space/email.py

@@ -17,6 +17,7 @@ from plane.authentication.adapter.error import (
 )
 from plane.utils.path_validator import get_safe_redirect_url, validate_next_path, get_allowed_hosts
 
+
 class SignInAuthSpaceEndpoint(View):
     def post(self, request):
         next_path = request.POST.get("next_path")
@@ -99,13 +100,13 @@ class SignInAuthSpaceEndpoint(View):
             user = provider.authenticate()
             # Login the user and record his device info
             user_login(request=request, user=user, is_space=True)
-            # redirect to next path
-            url = get_safe_redirect_url(
-                base_url=base_host(request=request, is_space=True),
-                next_path=next_path,
-                params={}
-            )
-            return HttpResponseRedirect(url)
+            # redirect to referer path
+            next_path = validate_next_path(next_path=next_path)
+            url = f"{base_host(request=request, is_space=True).rstrip('/')}{next_path}"
+            if url_has_allowed_host_and_scheme(url, allowed_hosts=get_allowed_hosts()):
+                return HttpResponseRedirect(url)
+            else:
+                return HttpResponseRedirect(base_host(request=request, is_space=True))
         except AuthenticationException as e:
             params = e.get_error_dict()
             url = get_safe_redirect_url(

apps/api/plane/authentication/views/space/github.py

@@ -95,6 +95,7 @@ class GitHubCallbackSpaceEndpoint(View):
             # Process workspace and project invitations
             # redirect to referer path
             next_path = validate_next_path(next_path=next_path)
+            
             url = f"{base_host(request=request, is_space=True).rstrip('/')}{next_path}"
             if url_has_allowed_host_and_scheme(url, allowed_hosts=get_allowed_hosts()):
                 return HttpResponseRedirect(url)

apps/api/plane/authentication/views/space/gitlab.py

@@ -15,7 +15,8 @@ from plane.authentication.adapter.error import (
     AUTHENTICATION_ERROR_CODES,
     AuthenticationException,
 )
-from plane.utils.path_validator import get_safe_redirect_url, get_allowed_hosts, validate_next_path
+from plane.utils.path_validator import get_safe_redirect_url, validate_next_path, get_allowed_hosts
+
 
 
 class GitLabOauthInitiateSpaceEndpoint(View):
@@ -96,6 +97,7 @@ class GitLabCallbackSpaceEndpoint(View):
             # Process workspace and project invitations
             # redirect to referer path
             next_path = validate_next_path(next_path=next_path)
+
             url = f"{base_host(request=request, is_space=True).rstrip('/')}{next_path}"
             if url_has_allowed_host_and_scheme(url, allowed_hosts=get_allowed_hosts()):
                 return HttpResponseRedirect(url)

apps/api/plane/authentication/views/space/google.py

@@ -92,6 +92,7 @@ class GoogleCallbackSpaceEndpoint(View):
             user_login(request=request, user=user, is_space=True)
             # redirect to referer path
             next_path = validate_next_path(next_path=next_path)
+
             url = f"{base_host(request=request, is_space=True).rstrip('/')}{next_path}"
             if url_has_allowed_host_and_scheme(url, allowed_hosts=get_allowed_hosts()):
                 return HttpResponseRedirect(url)