Move forward auth redirect URI from query string to HttpOnly cookie

Replace the ?rd= query parameter in the Caddy→portal redirect with a
_cpm_rd HttpOnly cookie (Secure, SameSite=Lax, Path=/portal, 10min TTL).
The portal server component reads and immediately deletes the cookie,
then processes it through the existing validation and redirect intent flow.

This removes the redirect URI from the browser URL bar while maintaining
all existing security properties (domain validation, server-side storage,
one-time opaque rid).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
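The portal-side consume step the message describes (read `_cpm_rd`, delete it immediately, then validate the target before redirecting), as an added example in Node.js. This is illustrative code, not this repository's server component; `COOKIE_NAME`, `COOKIE_PATH`, the function names and the `allowedHosts` allowlist are assumptions, and the sample Cookie header at the bottom is constructed.

```javascript
// Added example (not project code): one-shot consumption of the _cpm_rd cookie
// on the portal side. Names and the allowlist are assumptions for illustration.
const COOKIE_NAME = "_cpm_rd";
const COOKIE_PATH = "/portal";

// Parse a Cookie request header into a name -> value map. A later duplicate
// wins, as in most servers; values are taken verbatim (no decoding).
function parseCookieHeader(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = value;
  }
  return out;
}

// Accept only absolute http(s) URLs whose hostname is in the allowlist.
// Rejects non-http schemes (javascript:, data:, ...) and URLs that carry
// credentials in the authority. Returns the normalised URL string or null.
function validateRedirectTarget(raw, allowedHosts) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (url.username || url.password) return null;
  if (!allowedHosts.includes(url.hostname)) return null;
  return url.href;
}

// Read the cookie once and build the Set-Cookie header that deletes it.
// The deletion header must repeat the Path the cookie was set with; with a
// different Path the browser treats it as a separate cookie and keeps the
// original, so the redirect intent would be replayable.
function consumeRedirectCookie(cookieHeader, allowedHosts) {
  const cookies = parseCookieHeader(cookieHeader);
  const raw = cookies[COOKIE_NAME];
  if (raw === undefined) {
    return { target: null, clearHeader: null };
  }
  const clearHeader =
    `${COOKIE_NAME}=; Path=${COOKIE_PATH}; HttpOnly; Secure; SameSite=Lax; Max-Age=0`;
  return { target: validateRedirectTarget(raw, allowedHosts), clearHeader };
}

// Constructed sample request: the cookie set by the proxy plus an unrelated one.
const ALLOWED_HOSTS = ["app.example.internal"]; // assumed allowlist
const sample = consumeRedirectCookie(
  "_cpm_rd=https://app.example.internal/dash?x=1; sid=abc",
  ALLOWED_HOSTS
);
console.log(sample.target, "|", sample.clearHeader);
```

The clearing header is returned even when the value fails validation, so a bad target is discarded from the browser as well as ignored; a request without the cookie gets neither a target nor a clearing header, which keeps the portal from emitting a Set-Cookie on every unrelated visit.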
fuomag9
2026-04-08 10:21:45 +02:00
parent 16c92f9268
commit b6b53b7029
2 changed files with 15 additions and 5 deletions
+4 -1
@@ -1185,7 +1185,10 @@ async function buildProxyRoutes(
status_code: 302,
headers: {
Location: [
`${config.baseUrl}/portal?rd={http.request.scheme}://{http.request.host}{http.request.uri}`
`${config.baseUrl}/portal`
],
"Set-Cookie": [
`_cpm_rd={http.request.scheme}://{http.request.host}{http.request.uri}; Path=/portal; HttpOnly; Secure; SameSite=Lax; Max-Age=600`
]
}
}
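Review bot: the `_cpm_rd` value on the Set-Cookie line is `{http.request.uri}` substituted verbatim, and a request path or query may legally contain `;` (as well as `,`, whitespace and non-ASCII), none of which is valid inside a cookie-value. A URI such as `/x;Path=/` ends the value at the `;` and the remainder is parsed as cookie attributes, so a crafted link can widen Path or change Max-Age, and the portal receives a truncated target. Encode the value before it is placed in the header (percent- or base64url-encoding in whichever layer builds the header, with the matching decode in the portal component) or skip setting the cookie when the URI contains those characters. Also worth confirming: the cookie carries no Domain attribute, so it is host-only for `{http.request.host}`, while Location points at `${config.baseUrl}/portal`; if `config.baseUrl` can be a different host from the proxied app, or has a path prefix so that the portal is not served under `/portal`, the cookie is never sent to the portal and the redirect intent is silently lost where the old `?rd=` parameter would have survived.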