Fix Host Header Injection in OAuth Callback URL #2465

@nielsbosma

Description

Problem

In src/Ivy/Core/Auth/AuthController.cs:

  • Line 57: X-Forwarded-Proto header is trusted unconditionally without proxy validation.
  • Lines 59-60: Host header is used directly to construct OAuth callback URLs without validation against an allowlist.

An attacker can manipulate the Host header to redirect OAuth callbacks to a malicious domain.

Solution

  1. Read AuthController.cs fully.
  2. Add a configured allowlist of valid hosts (e.g., from IConfiguration or an options pattern). On OAuth redirect construction, validate the Host header against this allowlist. If not in the list, reject the request or fall back to a configured default.
  3. For X-Forwarded-Proto: only trust this header when the request comes from a known proxy. Use ASP.NET Core's ForwardedHeadersOptions with KnownProxies/KnownNetworks configured, rather than manually reading the header.
  4. Check if the app already configures UseForwardedHeaders() in the pipeline. If so, remove the manual header reading and rely on HttpContext.Request.Scheme which will already be set correctly by the middleware.
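The shape of steps 2 to 4 in a minimal ASP.NET Core app, as an added example that is not code from the Ivy-Framework repository: forwarded headers are honoured only from a configured proxy, and the callback URL is built from a Host value checked against an allowlist (the configuration keys `Auth:AllowedHosts`, `Auth:DefaultHost`, the proxy address and the `/auth/callback` path are assumed placeholders).

```csharp
using System;
using System.Linq;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Step 3: trust X-Forwarded-Proto/For only when the request arrives from a known proxy.
// The proxy address below is a placeholder; use the real reverse proxy address or network.
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    options.KnownProxies.Clear();
    options.KnownNetworks.Clear();
    options.KnownProxies.Add(IPAddress.Parse("10.0.0.5")); // placeholder proxy
});

var app = builder.Build();

// Step 4: the middleware rewrites Request.Scheme, so nothing downstream reads the header by hand.
app.UseForwardedHeaders();

app.MapGet("/auth/callback-url", (HttpContext ctx) =>
{
    // Step 2: allowlist and fallback host come from configuration (assumed keys).
    var allowedHosts = app.Configuration.GetSection("Auth:AllowedHosts").Get<string[]>() ?? Array.Empty<string>();
    var defaultHost = app.Configuration["Auth:DefaultHost"] ?? "localhost";
    return Results.Text(OAuthCallback.Build(ctx.Request, allowedHosts, defaultHost));
});

app.Run();

public static class OAuthCallback
{
    // Builds the callback URL from the middleware-corrected scheme and a validated Host.
    // An unlisted Host (including an unexpected port) falls back to the configured default
    // instead of being echoed into the redirect.
    public static string Build(HttpRequest request, string[] allowedHosts, string defaultHost)
    {
        var host = request.Host.Value; // e.g. "app.example.com" or "app.example.com:8443"
        var isAllowed = allowedHosts.Any(h => string.Equals(h, host, StringComparison.OrdinalIgnoreCase));
        var safeHost = isAllowed ? host : defaultHost;
        return $"{request.Scheme}://{safeHost}/auth/callback";
    }
}
```

If the app already calls `UseForwardedHeaders()` elsewhere in the pipeline, keep only that call and make sure it precedes any middleware that reads `Request.Scheme`.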

File: src/Ivy/Core/Auth/AuthController.cs

Tests

cd D:\Repos\_Ivy\Ivy-Framework
dotnet test

Finish

Commit!
