You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Origin allowlist for return_to redirects: _vgi_return_to redirects are now restricted to configured allowed origins (default: cupola.query-farm.services) and localhost, preventing open redirect vulnerabilities.
Early auth redirect: Already-authenticated users with a _vgi_return_to parameter are redirected immediately via process_request, skipping the OAuth flow entirely.
Configurable allowed origins: _OAuthPkceMiddleware accepts an allowed_return_origins parameter to customize the allowlist.
