
🛡️ Sentinel: Fix insecure postMessage wildcard in OAuth2 redirects #10

Open

AGI-Corporation wants to merge 4 commits into main from sentinel/fix-postmessage-wildcard-13943745947564606606

Conversation

@AGI-Corporation (Owner) commented Mar 6, 2026

🚨 Severity: HIGH
💡 Vulnerability: Use of wildcard ('*') as target origin in window.postMessage during OAuth2 redirects.
🎯 Impact: Sensitive OAuth2 authorization codes could be leaked to malicious origins if a user is tricked into opening the redirect page from an untrusted site.
🔧 Fix:

  • Restricted postMessage target origin to the actual application origin in both server-side and client-side redirect handlers.
  • Hardened the frontend message listener to perform strict origin verification.
  • Improved server-side payload serialization using JSON.stringify.

✅ Verification:
  • Verified code changes manually for correctness and security best practices.
  • Ran eslint on modified files.

PR created automatically by Jules for task 13943745947564606606 started by @AGI-Corporation

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced OAuth2 authentication security by enforcing exact origin validation instead of partial-origin matches, preventing unauthorized cross-origin access.
    • Corrected redirect success message text.

- Replace wildcard '*' with specific target origins in window.postMessage calls.
- Implement strict origin verification in the frontend OAuth2 message listener.
- Use JSON.stringify for safe payload serialization in the server-side redirect response.
- Fix typo in redirect success message.

Co-authored-by: AGI-Corporation <186229839+AGI-Corporation@users.noreply.github.com>
@google-labs-jules (Contributor) commented
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@coderabbitai bot commented Mar 6, 2026

📝 Walkthrough

The changes enhance OAuth2 cross-origin messaging security by replacing wildcard and partial-origin checks with exact origin matching across client and server components. This includes updated postMessage calls and stricter origin validation when receiving OAuth2 code messages.

Changes

Client-side OAuth2 message security (packages/react-ui/src/app/routes/redirect.tsx, packages/react-ui/src/lib/oauth2-utils.ts): Updated postMessage targetOrigin from wildcard (*) to window.location.origin and replaced startsWith origin validation with a strict equality check for exact origin matching.

Server-side OAuth2 redirect handling (packages/server/api/src/app/app.ts): Added platformUtils integration to determine the correct targetOrigin via domainHelper.getPublicUrl(), updated the postMessage payload to include the proper targetOrigin, and corrected a typo in the HTML response.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A Safer Warren

Cross the bridge, but check the door—
No more wildcards, just what's yours!
Origins matched, exact and true,
My rabbit hole now safe for you! 🔐

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Description check ⚠️ Warning
  Explanation: The PR description covers the security vulnerability, impact, fixes implemented, and verification steps, but does not include the required template sections like 'What does this PR do?', 'Explain How the Feature Works', and 'Relevant User Scenarios'.
  Resolution: Reformat the description to follow the template structure with sections for 'What does this PR do?', 'Explain How the Feature Works', and 'Relevant User Scenarios' to maintain consistency with repository standards.

Docstring Coverage ⚠️ Warning
  Explanation: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.
  Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Title check ✅ Passed
  Explanation: The PR title clearly and specifically identifies the main security issue being addressed: fixing the insecure wildcard postMessage in OAuth2 redirects, which directly matches the primary change across all modified files.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1



📥 Commits

Reviewing files that changed from the base of the PR and between f61e720 and a0e04b0.

📒 Files selected for processing (4)
  • .jules/sentinel.md
  • packages/react-ui/src/app/routes/redirect.tsx
  • packages/react-ui/src/lib/oauth2-utils.ts
  • packages/server/api/src/app/app.ts

Comment on lines 76 to 81 of packages/react-ui/src/lib/oauth2-utils.ts:

```ts
window.addEventListener('message', function handler(event) {
  const expectedOrigin = new URL(redirectUrl).origin;
  if (
    redirectUrl &&
    redirectUrl.startsWith(event.origin) &&
    event.origin === expectedOrigin &&
    event.data['code']
```

⚠️ Potential issue | 🟠 Major

Repository: AGI-Corporation/Route.X

Length of output: 3309


Add event.source === currentPopup check to bind the message to the correct popup window.

The current code accepts messages from any same-origin window. If multiple OAuth2 flows execute in sequence, a stale popup from the previous flow—or another tab on the same domain—could satisfy the origin check and resolve the promise with an unrelated authorization code. The listener should verify that the message originates from the popup window opened for this specific flow.

Additionally, add defensive property checks for event.data['code'] to avoid unsafe access (replace with typeof event.data === 'object' && event.data !== null && 'code' in event.data).

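Both halves of the exchange this PR hardens, as an added example that is not the Route.X project's code: the sender side from the PR description (explicit targetOrigin instead of '*', payload serialized with JSON.stringify) and the receiver-side gating the review above asks for (event.source bound to the popup, exact origin equality, defensive check on event.data). The names redirectUrl, currentPopup, renderRedirectHtml and the window-like target are assumptions; the example also goes one step beyond the page by escaping "<" and U+2028/U+2029 before embedding JSON in an inline script, which JSON.stringify alone does not do.

```javascript
// Added example (not the Route.X project's own code): both halves of the
// OAuth2 popup -> opener postMessage exchange this PR hardens.

// Sender side: the HTML returned to the popup after the provider redirect.
// targetOrigin is derived from the application's public URL, never '*',
// and the payload is embedded with JSON.stringify instead of string
// concatenation. JSON.stringify does not escape "</script>" or the
// U+2028/U+2029 line separators, so toScriptLiteral does that on top.
function toScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderRedirectHtml(appPublicUrl, code) {
  const targetOrigin = new URL(appPublicUrl).origin; // scheme://host[:port] only
  const script =
    `window.opener.postMessage(${toScriptLiteral({ code })}, ${toScriptLiteral(targetOrigin)});`;
  return `<!doctype html><script>${script}</script>` +
    '<p>Authentication succeeded. You can close this window.</p>';
}

// Receiver side: the gate the opener applies to each incoming message, in
// the order the review asks for. event.source must be the popup opened for
// this flow (a stale popup or another same-origin tab fails here), the
// origin must equal the redirect URL's origin exactly (no startsWith), and
// event.data must be a non-null object carrying a string "code".
function isTrustedCodeMessage(event, { redirectUrl, currentPopup }) {
  if (!redirectUrl) return false;
  const expectedOrigin = new URL(redirectUrl).origin;
  if (event.source !== currentPopup) return false;
  if (event.origin !== expectedOrigin) return false;
  const data = event.data;
  return typeof data === 'object' && data !== null &&
    'code' in data && typeof data.code === 'string';
}

// Wires the gate to a window-like target (anything with add/removeEventListener)
// and resolves once, removing the listener so a later flow cannot reuse it.
function waitForAuthCode(target, options) {
  return new Promise((resolve) => {
    target.addEventListener('message', function handler(event) {
      if (!isTrustedCodeMessage(event, options)) return;
      target.removeEventListener('message', handler);
      resolve(event.data.code);
    });
  });
}
```

In the browser, target is window and currentPopup is the value window.open returned for this flow.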

google-labs-jules bot and others added 2 commits March 6, 2026 09:04