fix(security): URL parameter injection and redirect URI validation

[Copilot]

• Explore repo and identify security vulnerabilities
• Fix URL parameter injection via fire_id in client.py
• Fix overly-permissive redirect URI check in b2c_login.py
• Fix redirect URI check to accept ://auth/? variant (trailing slash before query string)
• Add targeted security regression tests for both fixes
• Revert unintended changes to pyproject.toml and uv.lock
• Fix ruff formatting in tests/test_b2c_login.py (CI lint-and-test failure)
• Fix uv.lock version mismatch (was 0.3.0, now correctly reflects 0.4.0 from pyproject.toml)
• Add release-please-config.json, .release-please-manifest.json, and update-uv-lock.yml workflow to keep uv.lock in sync
• Run linting (ruff) — clean
• Code review + CodeQL — 0 alerts

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[deviantintegral]

@copilot why did you make changes to pyproject.toml?

[Copilot]

@copilot why did you make changes to pyproject.toml?

Those changes were an unintended side effect of running uv add --dev during environment setup to install test tools (pytest, ruff, aioresponses, etc.) that were already declared in [project.optional-dependencies].dev. The correct invocation is uv sync --extra dev, which doesn't modify pyproject.toml. I've reverted both pyproject.toml and uv.lock to their original state in ee477ed.

[deviantintegral]

@copilot fix ci errors

[Copilot]

@copilot fix ci errors

The only CI failure is the Conventional Commits check. The PR title "Security: fix URL parameter injection and redirect URI validation" uses "Security" as the commit type, which is not in the allowed list (feat, fix, docs, refactor, perf, test, build, ci, chore, revert).

Could you rename the PR title to something like:

fix(security): URL parameter injection and redirect URI validation

I'm unable to update the PR title directly — that's a GitHub API write operation outside my available tools.

[deviantintegral]

@copilot check again, the lint-and-test job is failing with ruff errors.

[Copilot]

@copilot check again, the lint-and-test job is failing with ruff errors.

Fixed in 24ae3e4. The tests/test_b2c_login.py file had two lines that ruff wanted to inline (they fit within the line-length limit). Applied ruff format to correct them.

[deviantintegral]

@copilot i see the uv.lock changes. I know it's unrelated to security but lets fix it in this PR. Is it normal for the version of the project itself to be in uv.lock? If so, is there something we need to do with our release-please configuration to keep it updated automatically when new releases are made?

[Copilot]

@copilot i see the uv.lock changes. I know it's unrelated to security but lets fix it in this PR. Is it normal for the version of the project itself to be in uv.lock? If so, is there something we need...

Yes, it's completely normal — uv always locks the root package itself (as an editable install) with its version from pyproject.toml. The mismatch on main happened because release-please bumped pyproject.toml to 0.4.0 but didn't touch uv.lock, leaving it at 0.3.0.

Fixed in 3c86ddc:

• uv.lock is now corrected to 0.4.0 (was already done in an earlier commit on this branch)
• Added release-please-config.json with uv.lock listed as an extra-files entry so release-please will update the version string there on every future release
• Added .release-please-manifest.json pinned to 0.4.0 (required by release-please when using a config file)
• Removed the now-redundant release-type: python from release.yml (it's in the config file)

[deviantintegral]

@copilot Will the release-please configuration for uv.lock affect child dependencies that happen to have the same version? Or is it already able to filter to just this library?

[Copilot]

@copilot Will the release-please configuration for uv.lock affect child dependencies that happen to have the same version? Or is it already able to filter to just this library?

Good catch — the generic search pattern version = "${version}" would indeed match ALL packages at the same version. Right now distlib is also at 0.4.0, so a release bump would have corrupted its entry in uv.lock.

Fixed in 9e70805: removed the extra-files text-replacement approach from release-please-config.json and added a new update-uv-lock.yml workflow instead. It triggers on PRs that modify pyproject.toml, scoped to release-please branches (startsWith(github.head_ref, 'release-please--')), and runs uv lock to properly regenerate the lockfile then commits it back to the PR. This avoids any text-matching ambiguity.

[deviantintegral]

@copilot this PR breaks the login flow. Here is a partial debug log of trying to log in.

DEBUG:flameconnect.b2c_login:>>> GET msal1af761dc-085a-411f-9cb9-53e5e2115bd2://auth/?state

Direct login failed: Network error during B2C login: msal1af761dc-085a-411f-9cb9-53e5e2115bd2

[Copilot]

@copilot this PR breaks the login flow. Here is a partial debug log of trying to log in.

...

The redirect URI prefix was msal{CLIENT_ID}://auth?, which required the query string immediately after auth. B2C can also send ://auth/?... (with a trailing slash), causing the check to fail and the code to try to follow the custom-scheme URL as an HTTP request — resulting in the network error you saw.

Fixed in 7feb180: the check now uses startswith(f"msal{CLIENT_ID}://auth") followed by a guard that the next character is ? or /. This accepts both ://auth?code=... and ://auth/?code=... while still rejecting ://auth.evil.com?code=... (where the next character is .). Added a regression test for the trailing-slash variant.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• astral.sh
  • Triggering command: /usr/bin/curl curl -LsSf REDACTED (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)