redirect URL handling (#23)

* feat: enhance OAuth flow with trusted redirect URI validation and manual confirmation page(7.12.2 section)

* feat: refactor redirect URI validation to use isLocalhost helper function

* feat: simplify redirect URI validation by removing exception host checks

* - reverted exception host validation for trusted domains
- removed duplicate crypto functions from UI layer
- display only origin instead of full URL in manual confirmation page

* Bump version from 0.0.2 to 1.0.0

* Update version and description in gemini-extension.json

---------

Co-authored-by: Dmitriy Akulov <dakulovgr@gmail.com>

Author: eyepokes

gemini-extension.json

@@ -1,7 +1,7 @@
 {
 	"name": "globalping",
-	"version": "0.0.2",
-	"description": "Enable AI models to interact with a global network measurement platform and run network measurements, benchmarks and tests.",
+	"version": "1.0.0",
+	"description": "Interact with a global network of probes and run network measurements, benchmarks and tests.",
 	"mcpServers": {
 		"globalping-mcp": {
 			"httpUrl": "https://mcp.globalping.dev/mcp",

package.json

@@ -1,6 +1,6 @@
 {
 	"name": "globalping-mcp-server",
-	"version": "0.0.2",
+	"version": "1.0.0",
 	"private": true,
 	"scripts": {
 		"deploy": "wrangler deploy",

src/app.ts

@@ -3,8 +3,8 @@
  */
 import { Hono } from "hono";
 import { html } from "hono/html";
-import { layout } from "./ui";
-import { createPKCECodes, generateRandomString, isDeepLink, isExceptionHost } from "./lib";
+import { layout, manualRedirectPage } from "./ui";
+import { createPKCECodes, generateRandomString, isTrustedRedirectUri } from "./lib";
 import type { AuthRequest, OAuthHelpers } from "@cloudflare/workers-oauth-provider";
 import type { StateData, GlobalpingEnv, GlobalpingOAuthTokenResponse } from "./types";
 
@@ -44,7 +44,7 @@ async function getUserData(accessToken: string): Promise<any> {
 }
 
 // Root route - redirect to repository
-app.get("/", async (c) => {
+app.get("/", async (_c) => {
 	return Response.redirect(GLOBALPING_REPOSITORY_URL);
 });
 
@@ -68,16 +68,23 @@ app.get("/authorize", async (c) => {
 		);
 	}
 
-	// Validate redirect_uri
-	if (
-		`${new URL(c.req.url).origin}/auth/callback` !== oauthReqInfo.redirectUri &&
-		!/http:\/\/localhost:\d+\/(.*)/is.test(oauthReqInfo.redirectUri) &&
-		!isDeepLink(oauthReqInfo.redirectUri) &&
-		!isExceptionHost(oauthReqInfo.redirectUri)
-	) {
+	// Basic validation: just check redirect_uri is set and parsable
+	// The callback endpoint will later decide if auto-redirect or show manual confirmation
+	if (!oauthReqInfo.redirectUri) {
 		return c.html(
 			layout(
-				await html`<h1>Invalid redirect URI</h1><p>Redirect URI does not match the original request.</p>`,
+				await html`<h1>Invalid request</h1><p>Missing redirect URI.</p>`,
+				"Invalid request",
+			),
+		);
+	}
+
+	try {
+		new URL(oauthReqInfo.redirectUri);
+	} catch (error) {
+		return c.html(
+			layout(
+				await html`<h1>Invalid redirect URI</h1><p>Redirect URI is malformed.</p>`,
 				"Invalid redirect URI",
 			),
 		);
@@ -245,8 +252,19 @@ app.get("/auth/callback", async (c) => {
 			},
 		});
 
-		// Redirect to the client app
-		return Response.redirect(redirectTo, 302);
+		// Per OAuth 2.0 Security Best Practices (RFC 6819 section 7.12.2),
+		// only automatically redirect to trusted URIs
+		if (isTrustedRedirectUri(redirectTo)) {
+			// Auto-redirect for trusted URIs (localhost, deep links)
+			return Response.redirect(redirectTo, 302);
+		}
+
+		// Show manual confirmation page for untrusted HTTPS URIs
+		// Extract origin for cleaner display (without query params/paths)
+		const displayUrl = new URL(redirectTo).origin;
+		return c.html(
+			layout(await manualRedirectPage(redirectTo, displayUrl), "Complete Authentication"),
+		);
 	} catch (error: any) {
 		console.error("Token exchange error:", error);
 		return c.html(

src/config/constants.ts

@@ -81,12 +81,6 @@ export const STANDARD_PROTOCOLS = new Set([
 	"javascript:",
 ]);
 
-export const EXCEPTION_HOSTS = new Set([
-	"playground.ai.cloudflare.com",
-	"mcp.docker.com",
-	"mcptotal.io",
-]);
-
 export const PKCE_CONFIG = {
 	CODE_VERIFIER_LENGTH: 64,
 	HASH_ALGORITHM: "SHA-256",
@@ -97,3 +91,9 @@ export const RANDOM_STRING_CONFIG = {
 	PAD_LENGTH: 2,
 	PAD_CHAR: "0",
 };
+
+export const EXCEPTION_HOSTS = new Set([
+	"playground.ai.cloudflare.com",
+	"mcp.docker.com",
+	"mcptotal.io",
+]);

src/lib/url-validation.ts

@@ -32,3 +32,35 @@ export function isExceptionHost(urlString: string): boolean {
 		return false;
 	}
 }
+
+/**
+ * Check if a URL is localhost
+ * @param urlString The URL to check
+ * @returns True if URL is localhost
+ */
+export function isLocalhost(urlString: string): boolean {
+	try {
+		const url = new URL(urlString);
+		const hostname = url.hostname.toLowerCase();
+		return (
+			hostname === "localhost" ||
+			hostname === "127.0.0.1" ||
+			hostname === "[::1]" ||
+			hostname.endsWith(".localhost")
+		);
+	} catch (err) {
+		// Invalid URL string
+		return false;
+	}
+}
+
+/**
+ * Check if a redirect URI is trusted for automatic redirection
+ * Per OAuth 2.0 Security Best Practices (RFC 6819 section 7.12.2),
+ * only certain types of URIs should be automatically redirected to
+ * @param urlString The redirect URI to check
+ * @returns True if the URI is trusted for automatic redirection
+ */
+export function isTrustedRedirectUri(urlString: string): boolean {
+	return isLocalhost(urlString) || isDeepLink(urlString) || isExceptionHost(urlString);
+}

src/ui/index.ts

@@ -1 +1 @@
-export * from "./layout";
+export { layout, manualRedirectPage } from "./layout";

src/ui/layout.ts

@@ -1,10 +1,8 @@
 /**
  * HTML layout template
  */
-import type { AuthRequest } from "@cloudflare/workers-oauth-provider";
 import { html } from "hono/html";
 import type { HtmlEscapedString } from "hono/utils/html";
-import type { PKCECodePair } from "../types";
 
 export const layout = (content: HtmlEscapedString | string, title: string) => html`
 	<!DOCTYPE html>
@@ -83,6 +81,17 @@ export const layout = (content: HtmlEscapedString | string, title: string) => ht
 					text-decoration: underline;
 				}
 
+				/* Preserve text-white for button-styled links */
+				.markdown a.bg-primary,
+				.markdown a.bg-secondary {
+					color: white !important;
+				}
+
+				.markdown a.bg-primary:hover,
+				.markdown a.bg-secondary:hover {
+					text-decoration: none;
+				}
+
 				.markdown blockquote {
 					border-left: 4px solid #f39c12;
 					padding-left: 1rem;
@@ -171,108 +180,90 @@ export const layout = (content: HtmlEscapedString | string, title: string) => ht
 	</html>
 `;
 
-export const parseApproveFormBody = async (body: {
-	[x: string]: string | File;
-}) => {
-	const action = body.action as string;
-	const email = body.email as string;
-	const password = body.password as string;
-	let oauthReqInfo: AuthRequest | null = null;
-	try {
-		oauthReqInfo = JSON.parse(body.oauthReqInfo as string) as AuthRequest;
-	} catch (e) {
-		oauthReqInfo = null;
-	}
-
-	return { action, oauthReqInfo, email, password };
-};
-
 /**
- * Generate a random string for PKCE and state
- * @param length Length of the random string
- * @returns A URL-safe random string
+ * Create a manual redirect confirmation page
+ * Per OAuth 2.0 Security Best Practices (RFC 6819 section 7.12.2),
+ * untrusted redirect URIs should require manual user confirmation
+ * @param redirectUri The full redirect URI for the actual redirect
+ * @param displayUrl The origin to display to the user (cleaner than full URL)
+ * @returns HTML string for the confirmation page
  */
-export function generateRandomString(length: number): string {
-	const array = new Uint8Array(length);
-	crypto.getRandomValues(array);
-	return Array.from(array)
-		.map((b) => b.toString(16).padStart(2, "0"))
-		.join("")
-		.substring(0, length);
-}
+export const manualRedirectPage = (redirectUri: string, displayUrl: string) => html`
+	<div class="markdown max-w-2xl mx-auto">
+		<div class="bg-white rounded-lg shadow-md p-8 border-l-4 border-accent">
+			<div class="mb-6">
+				<svg
+					class="w-16 h-16 mx-auto text-accent"
+					fill="none"
+					stroke="currentColor"
+					viewBox="0 0 24 24"
+					xmlns="http://www.w3.org/2000/svg"
+				>
+					<path
+						stroke-linecap="round"
+						stroke-linejoin="round"
+						stroke-width="2"
+						d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z"
+					></path>
+				</svg>
+			</div>
 
-/**
- * Create a code verifier and code challenge pair for PKCE
- * @returns A code verifier and challenge pair
- */
-export async function createPKCECodes(): Promise<PKCECodePair> {
-	// Generate code verifier (random string between 43-128 chars)
-	const codeVerifier = generateRandomString(64);
+			<h1 class="text-center mb-4">Authentication successful</h1>
 
-	// Create code challenge using SHA-256
-	const encoder = new TextEncoder();
-	const data = encoder.encode(codeVerifier);
-	const digest = await crypto.subtle.digest("SHA-256", data);
+			<div class="bg-yellow-50 border-l-4 border-yellow-400 p-4 mb-6">
+				<div class="flex">
+					<div class="flex-shrink-0">
+						<svg
+							class="h-5 w-5 text-yellow-400"
+							viewBox="0 0 20 20"
+							fill="currentColor"
+						>
+							<path
+								fill-rule="evenodd"
+								d="M8.257 3.099c.765-1.36 2.722-1.36 3.486 0l5.58 9.92c.75 1.334-.213 2.98-1.742 2.98H4.42c-1.53 0-2.493-1.646-1.743-2.98l5.58-9.92zM11 13a1 1 0 11-2 0 1 1 0 012 0zm-1-8a1 1 0 00-1 1v3a1 1 0 002 0V6a1 1 0 00-1-1z"
+								clip-rule="evenodd"
+							/>
+						</svg>
+					</div>
+					<div class="ml-3">
+						<p class="text-sm text-yellow-700 font-medium">
+							Security notice
+						</p>
+					</div>
+				</div>
+			</div>
 
-	// Convert digest to base64url format
-	const base64Digest = btoa(String.fromCharCode(...new Uint8Array(digest)))
-		.replace(/\+/g, "-")
-		.replace(/\//g, "_")
-		.replace(/=/g, "");
+			<p class="mb-4">
+				Your authentication was successful. However, for security reasons, you
+				need to manually complete the redirect to the following URL:
+			</p>
 
-	return {
-		codeVerifier,
-		codeChallenge: base64Digest,
-	};
-}
+			<div class="bg-gray-100 p-4 rounded-md mb-6 break-all">
+				<code class="text-sm text-gray-800">${displayUrl}</code>
+			</div>
 
-const STANDARD_PROTOCOLS = new Set([
-	"http:",
-	"https:",
-	"ftp:",
-	"file:",
-	"mailto:",
-	"tel:",
-	"ws:",
-	"wss:",
-	"sms:",
-	"data:",
-	"blob:",
-	"about:",
-	"chrome:",
-	"opera:",
-	"edge:",
-	"safari:",
-	"javascript:",
-]);
+			<div class="bg-blue-50 border-l-4 border-blue-400 p-4 mb-6">
+				<p class="text-sm text-blue-700">
+					<strong>Why do I need to click?</strong> As a security measure, this
+					authorization server requires manual confirmation before redirecting
+					to third-party websites. This helps protect you from potential
+					phishing attacks.
+				</p>
+			</div>
 
-/**
- * Check if a URL is a deep link
- * @param url The URL to check
- * @returns
- */
-export function isDeepLink(url: string): boolean {
-	try {
-		const parsedUrl = new URL(url);
-		const protocol = parsedUrl.protocol.toLowerCase();
-		return !STANDARD_PROTOCOLS.has(protocol);
-	} catch (e) {
-		return false;
-	}
-}
+			<div class="text-center">
+				<a
+					href="${redirectUri}"
+					class="inline-block bg-primary hover:bg-primary/90 text-white font-semibold py-3 px-8 rounded-lg transition-colors duration-200 shadow-md hover:shadow-lg"
+				>
+					Click here to complete authentication
+				</a>
+			</div>
 
-export function isExceptionHost(urlString: string): boolean {
-	try {
-		const url = new URL(urlString);
-		const exceptionHosts = new Set([
-			"playground.ai.cloudflare.com",
-			"mcp.docker.com",
-			"mcptotal.io",
-			// add more exception hosts here if needed
-		]);
-		return exceptionHosts.has(url.hostname);
-	} catch (err) {
-		// Invalid URL string
-		return false;
-	}
-}
+			<p class="text-sm text-gray-500 mt-6 text-center">
+				Only click the button above if you trust the destination and initiated
+				this authentication request.
+			</p>
+		</div>
+	</div>
+`;