CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-X3F4-V83F-7WP2
9.8

GHSA-X3F4-V83F-7WP2: Unvalidated Redirect Leading to Token Leakage in Authorizer

Alon Barad
Software Engineer

Apr 7, 2026 · 6 min read

PoC Available

Executive Summary (TL;DR)

A missing origin validation check in Authorizer < 2.0.1 allows unvalidated redirects that leak OAuth tokens and password reset links to attacker-controlled domains, enabling full account takeover.

Authorizer versions prior to 2.0.1 suffer from unvalidated redirect vulnerabilities across multiple GraphQL and HTTP endpoints. This flaw permits attackers to craft malicious URLs that, when interacted with by authenticated or verifying users, exfiltrate sensitive authentication tokens including full OAuth2 session bundles. The root cause is the omission of the `validators.IsValidOrigin` check in specific handler routines.

Vulnerability Overview

Authorizer operates as a database-independent authentication and authorization service, managing user identities, OAuth flows, and session tokens. The application utilizes a combination of GraphQL mutations and HTTP handlers to process authentication states, password resets, and user invitations. A critical design requirement for these workflows involves redirecting users to predefined endpoints upon successful completion of identity verification tasks.

Vulnerability GHSA-X3F4-V83F-7WP2 manifests as an unvalidated redirect flaw across multiple core identity operations. The vulnerability occurs because the application fails to validate the user-supplied redirect_uri parameter against a trusted list of origins in specific code paths. This oversight directly violates secure design principles requiring strict validation of client-controlled routing instructions.

When a system processes untrusted input to determine an output destination without validation, it introduces a severe risk of URL redirection to untrusted sites (CWE-601). In the context of an authentication provider, this primitive escalates beyond standard phishing risks. The application appends sensitive credential material, including magic link tokens and full OAuth session bundles, to the redirect destination, exposing this data to any attacker-controlled endpoint.

Root Cause Analysis

The root cause of this vulnerability lies in the inconsistent implementation of access controls across the application's routing logic. The Authorizer codebase contains a dedicated utility function, validators.IsValidOrigin(), designed to verify that a requested redirect URI matches the administrator-defined AllowedOrigins configuration. While the primary OAuth handler correctly invoked this validator, developers omitted the check in several secondary authentication endpoints.

Six distinct endpoints failed to implement the origin validation logic. These encompass the GraphQL mutations for ForgotPassword, MagicLinkLogin, SignUp, and InviteMembers, alongside the HTTP handlers governing OAuthLoginHandler and VerifyEmailHandler. Each of these endpoints accepts a client-provided redirect_uri parameter and utilizes it to construct the final response destination after the user completes the designated action.

During the final phase of these authentication workflows, the application appends operational tokens to the URI structure. For example, upon successful email verification, the VerifyEmailHandler constructs a URL containing the Access Token, ID Token, and Refresh Token as query parameters. Because the base URI remains unvalidated, the application willingly transmits these high-privilege tokens to arbitrary domains specified by the initial requester.

Code Analysis

The remediation implemented in commit 6d9bef1aaba3f867f8c769b93eb7fc80e4e7b0a2 addresses the vulnerability through structural changes to the validation pipeline. The patch introduces mandatory origin validation checks across all previously exposed endpoints. Before processing any authentication request involving a redirect, the handlers now execute a strict comparison against the configured trusted origins.

In the GraphQL implementation for ForgotPassword (internal/graphql/forgot_password.go), the patched code introduces an explicit validation block. The application evaluates the input and terminates the transaction if the origin does not align with the security policy.

// Reject the request unless redirectURI matches one of the configured allowed origins.
if !validators.IsValidOrigin(redirectURI, g.Config.AllowedOrigins) {
    return nil, fmt.Errorf("invalid redirect URI")
}

Beyond implementing the missing checks, the patch refactors the IsValidOrigin function to improve the robustness of the origin comparison. The revised logic relies on the standard net/url package to properly parse and normalize hostnames and ports. The function now anchors regular expression patterns using ^ and $ boundaries, mitigating partial domain match bypasses where an attacker registers a domain like trusteddomain.evil.com or trusteddomain-evil.com.
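As an added illustration of the hardened comparison described above (example code, not Authorizer's own validator): both the redirect target and each allowed origin are parsed with net/url, scheme, hostname and port are compared separately, and a wildcard entry such as https://*.example.com becomes an anchored pattern so that lookalike hosts like app.example.com.evil.com or app.example.com-evil.com are rejected. The "*." wildcard syntax and the default-port handling are assumptions.

```go
package main

import (
	"net/url"
	"regexp"
	"strings"
)

// IsValidOrigin reports whether redirectURI points at one of allowedOrigins.
// Added example, not Authorizer's implementation: scheme, host and port are
// compared separately after net/url parsing, and a leading "*." in an allowed
// host becomes an anchored regular expression instead of a substring match.
func IsValidOrigin(redirectURI string, allowedOrigins []string) bool {
	target, err := url.Parse(redirectURI)
	if err != nil || target.Scheme == "" || target.Hostname() == "" {
		return false // relative or schemeless targets are never trusted
	}
	targetHost := strings.ToLower(target.Hostname())
	for _, origin := range allowedOrigins {
		allowed, err := url.Parse(strings.TrimSpace(origin))
		if err != nil || !strings.EqualFold(allowed.Scheme, target.Scheme) || portOf(allowed) != portOf(target) {
			continue // scheme or port differs, so this entry cannot match
		}
		host := strings.ToLower(allowed.Hostname())
		if strings.HasPrefix(host, "*.") {
			// ^...$ anchoring: only genuine subdomains of the suffix match,
			// so trusteddomain.evil.com and trusteddomain-evil.com do not.
			pattern := "^([a-z0-9-]+\\.)+" + regexp.QuoteMeta(host[2:]) + "$"
			if regexp.MustCompile(pattern).MatchString(targetHost) {
				return true
			}
		} else if host == targetHost {
			return true
		}
	}
	return false
}

// portOf returns the explicit port or the scheme's default (assumed 443/80).
func portOf(u *url.URL) string {
	if p := u.Port(); p != "" {
		return p
	}
	if strings.EqualFold(u.Scheme, "https") {
		return "443"
	}
	return "80"
}
```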

Exploitation

Exploitation of this vulnerability requires the attacker to construct a targeted URL invoking one of the flawed endpoints with a manipulated redirect_uri parameter. The attacker selects an operation, such as a password reset request or an email verification trigger, and designates an infrastructure asset they control as the redirect destination.

The attacker distributes this crafted URL to the target victim. When the victim interacts with the link and authenticates or confirms their email address, the Authorizer service successfully processes the valid state change. The service then initiates an HTTP 302 redirect instructing the victim's browser to navigate to the attacker's infrastructure.

The browser executes the redirect, carrying the sensitive token payload appended by the Authorizer service. The attacker's server receives an HTTP GET request containing the tokens within the URL query string. The attacker extracts the access and refresh tokens from their web server logs, completing the credential theft phase.

Impact Assessment

The security impact of this vulnerability encompasses complete account takeover and persistent unauthorized access. The precise consequence depends on the specific endpoint targeted during the exploit chain. Exploitation of the ForgotPassword mutation yields a password reset token, enabling the attacker to establish a new password and lock the legitimate user out of their account.

Targeting the VerifyEmailHandler produces an even more severe outcome by directly exposing a complete OAuth2 session bundle. This bundle includes the Access Token, ID Token, and Refresh Token. Possession of these artifacts allows the attacker to immediately assume the victim's identity within the application and interface with backend APIs under the context of the compromised user.

The exposure of the Refresh Token provides the attacker with long-term persistence. Even if the initial Access Token expires, the attacker can leverage the Refresh Token to continually mint new session credentials. This bypasses standard session timeouts and maintains the compromise until the victim's session is explicitly revoked by an administrator or the user initiates a global logout event.

Remediation

Remediation requires immediate upgrades to Authorizer version 2.0.1 or later. This release integrates the structural patch enforcing strict origin validation across all GraphQL mutations and HTTP handlers. Deploying the updated binary or container image neutralizes the unvalidated redirect primitive and prevents unauthorized token routing.

Organizations must thoroughly review their deployment configurations, specifically the ALLOWED_ORIGINS environment variable. Administrators must eliminate wildcard characters (*) from production environments. The configuration should explicitly list only trusted domains, subdomains, and required ports to restrict the attack surface and ensure the IsValidOrigin function operates effectively.

Security teams should analyze web server access logs and application logs for anomalous redirect patterns indicating prior exploitation. Indicators of compromise include requests to the /graphql endpoint or OAuth handlers containing unrecognized or suspicious domains within the redirect_uri parameter. If unauthorized token extraction is suspected, administrators must force a global token invalidation and require users to re-authenticate.
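The log review described above, as an added example (not an Authorizer tool): every logged request line is checked for a redirect_uri query parameter, and the target host is compared against the deployment's allowed hosts. The log format, the sample paths and the allowed host are constructed assumptions; GraphQL mutations carry redirect_uri in a POST body, so those need application logs rather than the access log shown here.

```go
package main

import (
	"net/url"
	"strings"
)

// SuspiciousRedirects returns, keyed by 1-based line number, the lowercased
// redirect_uri host of every logged request whose redirect target is outside
// allowedHosts (host is "" when the value could not be parsed). Added example,
// not Authorizer code: it assumes the request line is the first double-quoted
// field of each line (common/combined log format) and that the query is logged.
func SuspiciousRedirects(logLines []string, allowedHosts []string) map[int]string {
	allowed := make(map[string]bool, len(allowedHosts))
	for _, h := range allowedHosts {
		allowed[strings.ToLower(h)] = true
	}
	findings := map[int]string{}
	for i, line := range logLines {
		quoted := strings.SplitN(line, "\"", 3) // prefix, request line, suffix
		if len(quoted) < 3 {
			continue
		}
		fields := strings.Fields(quoted[1]) // method, request-target, protocol
		if len(fields) < 2 {
			continue
		}
		req, err := url.Parse(fields[1])
		if err != nil || req.Query().Get("redirect_uri") == "" {
			continue // no redirect parameter on this request
		}
		host := "" // stays empty for unparsable targets, which are flagged too
		if dest, err := url.Parse(req.Query().Get("redirect_uri")); err == nil {
			host = strings.ToLower(dest.Hostname())
		}
		if !allowed[host] {
			findings[i+1] = host
		}
	}
	return findings
}

// SampleLog is a constructed access log (not real traffic): a benign redirect,
// a lookalike-domain redirect, and a GraphQL POST whose body is not logged.
var SampleLog = []string{
	`203.0.113.10 - - [07/Apr/2026:10:00:01 +0000] "GET /verify_email?token=t1&redirect_uri=https%3A%2F%2Fapp.example.com%2Fdone HTTP/1.1" 302 0`,
	`203.0.113.11 - - [07/Apr/2026:10:00:02 +0000] "GET /verify_email?token=t2&redirect_uri=https%3A%2F%2Fapp.example.com.evil.test%2Fc HTTP/1.1" 302 0`,
	`203.0.113.12 - - [07/Apr/2026:10:00:03 +0000] "POST /graphql HTTP/1.1" 200 512`,
}
```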

Official Patches

authorizerdev: Pull Request #502
authorizerdev: Official Release v2.0.1

Technical Appendix

CVSS Score: 9.8 / 10
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Systems

Authorizer versions < 2.0.1

Affected Versions Detail

Product                     Affected Versions   Fixed Version
authorizer (authorizerdev)  < 2.0.1             2.0.1

Attribute                 Detail
CWE ID                    CWE-601
Attack Vector             Network
CVSS Score                9.8
Impact                    Account Takeover / Token Exfiltration
Exploit Status            Proof of Concept
Authentication Required   None

MITRE ATT&CK Mapping

T1190  Exploit Public-Facing Application  (Initial Access)
T1539  Steal Web Session Cookie           (Credential Access)
T1566  Phishing                           (Initial Access)

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

Vulnerability Timeline

Vulnerability Disclosed via GitHub Security Advisory
2024-01-01

References & Sources

  • [1] GitHub Security Advisory GHSA-x3f4-v83f-7wp2
  • [2] Fix Commit 6d9bef1aaba3f867f8c769b93eb7fc80e4e7b0a2
  • [3] Pull Request 502
  • [4] Authorizer v2.0.1 Release Notes

Attack Flow Diagram (interactive diagram; not reproduced in text)