AGI-Corporation · AGI-Corporation · Mar 10, 2026 · Mar 10, 2026 · Mar 10, 2026 · Mar 10, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
diff --git a/packages/react-ui/src/app/routes/redirect.tsx b/packages/react-ui/src/app/routes/redirect.tsx
@@ -13,7 +13,7 @@ const RedirectPage: React.FC = React.memo(() => {
         {
           code: code,
         },
-        '*',
+        window.location.origin,
       );
     }
   }, [location.search]);

diff --git a/packages/react-ui/src/lib/oauth2-utils.ts b/packages/react-ui/src/lib/oauth2-utils.ts
@@ -74,9 +74,10 @@ function constructUrl(params: OAuth2PopupParams, pckeChallenge: string) {
 function getCode(redirectUrl: string): Promise<string> {
   return new Promise<string>((resolve) => {
     window.addEventListener('message', function handler(event) {
+      const expectedOrigin = new URL(redirectUrl).origin;
       if (
         redirectUrl &&
-        redirectUrl.startsWith(event.origin) &&
+        event.origin === expectedOrigin &&
         event.data['code']
       ) {
         resolve(decodeURIComponent(event.data.code));

diff --git a/packages/server/api/src/app/app.ts b/packages/server/api/src/app/app.ts
@@ -76,6 +76,7 @@ import { SystemJobName } from './helper/system-jobs/common'
 import { systemJobHandlers } from './helper/system-jobs/job-handlers'
 import { validateEnvPropsOnStartup } from './helper/system-validator'
 import { mcpModule } from './mcp/mcp-module'
+import { platformUtils } from './platform/platform.utils'
 import { pieceModule } from './pieces/base-piece-module'
 import { communityPiecesModule } from './pieces/community-piece-module'
 import { pieceMetadataServiceHooks } from './pieces/piece-metadata-service/hooks'
@@ -250,12 +251,15 @@ export const setupApp = async (app: FastifyInstance): Promise<FastifyInstance> =
                 return reply.send('The code is missing in url')
             }
             else {
+                const platformId = await platformUtils.getPlatformIdForRequest(request)
+                const frontendUrl = await domainHelper.getPublicUrl({ platformId })
+                const targetOrigin = new URL(frontendUrl).origin
                 return reply
                     .type('text/html')
                     .send(
                         `<script>if(window.opener){window.opener.postMessage({ 'code': '${encodeURIComponent(
                             params.code,
-                        )}' },'*')}</script> <html>Redirect succuesfully, this window should close now</html>`,
+                        )}' }, '${targetOrigin}')}</script> <html>Redirect succuesfully, this window should close now</html>`,
                     )
             }
         },
-Original file line number
+Diff line change
@@ Expand Up / @@ -13,7 +13,7 @@ const RedirectPage: React.FC = React.memo(() => { @@
             {
               code: code,
             },
-            '*',
+            window.location.origin,
           );
         }
       }, [location.search]);
@@ Expand Down @@