From 56b1851d6830edba9e090a8f54a6831b2a74f0dc Mon Sep 17 00:00:00 2001
From: Lakhan Samani
Date: Sat, 4 Apr 2026 19:13:16 +0530
Subject: [PATCH] fix(security): validate redirect_uri to prevent open redirect in SDKs and login app
---
 src/components/AuthorizerResetPassword.tsx | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/components/AuthorizerResetPassword.tsx b/src/components/AuthorizerResetPassword.tsx
index 1946ee0..cdc5eec 100644
--- a/src/components/AuthorizerResetPassword.tsx
+++ b/src/components/AuthorizerResetPassword.tsx
@@ -9,6 +9,20 @@ import { Message } from './Message';
 import { getSearchParams } from '../utils/url';
 import PasswordStrengthIndicator from './PasswordStrengthIndicator';
 
+function isValidRedirectUri(uri: string, allowedRedirect?: string): boolean {
+ try {
+ const url = new URL(uri, window.location.origin);
+ if (url.origin === window.location.origin) return true;
+ if (allowedRedirect) {
+ const allowed = new URL(allowedRedirect);
+ if (url.origin === allowed.origin) return true;
+ }
+ return false;
+ } catch {
+ return false;
+ }
+}
+
 type Props = {
 showOTPInput?: boolean;
 onReset?: (res: any) => void;
@@ -65,8 +79,11 @@ export const AuthorizerResetPassword: FC = ({
 if (onReset) {
 onReset(res);
 } else {
- window.location.href =
- redirect_uri || config.redirectURL || window.location.origin;
+ const fallback = config.redirectURL || window.location.origin;
+ const target = redirect_uri && isValidRedirectUri(redirect_uri, config.redirectURL)
+ ? redirect_uri
+ : fallback;
+ window.location.href = target;
 }
 } catch (err) {
 setError(formatErrorMessage((err as Error).message));
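Review bot: `isValidRedirectUri` compares origins only and never restricts the scheme, so it relies on `url.origin` differing from the page's origin for non-http(s) input; for schemes such as `javascript:` or `data:` the parsed origin is the string "null", and if the page itself ever runs in an opaque-origin context (sandboxed frame, `file:`), `window.location.origin` is "null" too and the first comparison passes. Adding a scheme allow-list right after the `new URL(...)` line closes that corner independently of how the app is hosted: `if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;`. Separately, `new URL(allowedRedirect)` is built without a base, so a relative `config.redirectURL` throws and the whole check returns false instead of being treated as same-origin like `uri` is; passing `window.location.origin` as the second argument there keeps the two checks consistent. A one-line TSDoc on the helper stating that relative URIs are resolved against the current origin would also help the next reader, since that is the behaviour callers depend on.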
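Review bot: The navigation assigns the raw `redirect_uri` string rather than the URL the check parsed, so the validated value and the navigated value are not the same thing: the helper resolves relative input against `window.location.origin`, while `location.href` assignment resolves against the document's base URL, which a `<base>` element can change. Using the same resolution in both places removes that gap, e.g. `? new URL(redirect_uri, window.location.origin).href` in place of `? redirect_uri` on the ternary's true branch. A rejected `redirect_uri` also falls through to `fallback` silently; if the component already has a logging path, a short message naming the rejected value would let operators notice rejected redirects during incident review. The enclosing submit handler starts and ends outside this hunk, and the helper it calls is defined in the previous hunk.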