Potential fix for code scanning alert no. 2: Open URL redirect

[grokify]

Potential fix for https://github.com/plexusone/mcpkit/security/code-scanning/2

In general, to fix untrusted URL redirects, the redirect target must be constrained to a trusted set (allowlist) or to same-origin/relative URLs, and this validation must occur as close as possible to the actual redirect call. Relying solely on earlier validation at some call sites is brittle, because other callers may bypass those checks.

For this code, the best minimally invasive fix is to add a defensive check inside redirectWithError to prevent open redirects when the redirectURI is an absolute URL with a different host than the current server. We already parse the URL into u; we can compare u.Hostname() (and optionally scheme) against r.Host, and only allow the redirect when it is (a) relative (no hostname) or (b) same-host as the current request. If the check fails, we fall back to rendering a local error page instead of redirecting externally. This preserves existing behavior for legitimate local redirects while closing the open redirect vector.

Concretely:

• Edit oauth2/handlers.go in redirectWithError.
• After parsing normalized into u, add a host/scheme validation:
  • If u.IsAbs() and u.Hostname() is non-empty and not equal to the hostname derived from r.Host, treat it as invalid.
  • In that case, call s.renderLoginError and return.
• Keep existing logic (adding error, error_description, state parameters) and the final http.Redirect unchanged for valid URLs.
• No new imports are required; we already import net/url and strings, and we can use r.Host and url.Parse (already in use) plus a tiny bit of string parsing for the hostname comparison.

This adds a robust, local safeguard around the redirect sink (http.Redirect) without changing the observable behavior for properly configured clients using relative or same-host redirect URIs.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.