
Allow "side redirects" instead of restricting to just the SERVER_NAME for ?next=URL

Open mchineboy opened this issue 8 months ago • 5 comments

Environment

  • Flask-Security-Too version: 5.4.3
  • Flask version: 3.0.3
  • Python version: 3.11
  • Configuration variable SECURITY_REDIRECT_ALLOW_SUBDOMAINS is set to True

Description

There is a current behaviour in Flask-Security-Too's redirect handling during login (?next=) that permits redirects from foo.example.com to bar.foo.example.com but disallows redirects to bar.example.com. This restriction is limiting when working with subdomains, where foo.example.com, bar.example.com, and other similar subdomains are considered part of the same parent domain example.com.

It's reasonably expected that redirects between subdomains at the same domain level should be permitted, as they fall within the same administration boundary of example.com. For instance, services deployed on different subdomains may need to integrate with each other, and such a policy would hinder this integration unnecessarily.

Expected Behavior

Flask Security Too should allow for redirects from a subdomain to another subdomain where the "base" (parent) domain is the same. For example, given a parent domain example.com, redirects from foo.example.com to bar.example.com should be allowed.

Actual Behavior

Currently, Flask Security Too only allows redirects within the same subdomain hierarchy, e.g., from foo.example.com to bar.foo.example.com but does not permit redirects to bar.example.com.

Steps to Reproduce

  1. Set up a Flask application with Flask Security Too enabled.
  2. Attempt to login via https://foo.example.com/login?next=https://bar.example.com
  3. Observe that the redirect is blocked/not allowed by Flask Security Too.

Additional Information

This behaviour can potentially be managed by a configuration setting, which by default retains the current behaviour (for backward compatibility and security) but allows administrators to enable more permissive cross-subdomain redirects if their application scenario deems it safe and necessary.

I do have a patch prepared if this is an acceptable feature request and will open a PR for it. However, there are a few possible paths for accepting subdomains:

  • New SECURITY_ config variable: SECURITY_ALLOW_REDIRECT_BASEDOMAIN as a Boolean. Code would remove the first portion of the hostname, i.e. foo, and allow the remainder of the domain name.
  • New SECURITY_ config variable: SECURITY_ALLOWED_REDIRECT_BASEDOMAIN as a String. Would specify which part of the base domain is acceptable for comparison.
  • Reuse the SESSION_COOKIE_DOMAIN as an acceptable configuration if SECURITY_ALLOW_REDIRECT_SUBDOMAINS is set. This one is my favourite solution.

Thank you for your consideration of this feature request. Allowing this type of redirect would significantly ease the development of web services that need to interact across different subdomains within the same parent domain.

mchineboy, May 29 '24 16:05
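The following is an added example written for this page; it is not Flask-Security-Too's own `?next=` validation and not code from the issue author. It models the three host policies the thread discusses (exact SERVER_NAME, SERVER_NAME plus its subdomains as with SECURITY_REDIRECT_ALLOW_SUBDOMAINS, and a shared base domain such as SESSION_COOKIE_DOMAIN) and goes slightly beyond the issue by also rejecting the classic open-redirect bypasses any such allowlist must survive: userinfo tricks (`https://bar.example.com@evil.com`), scheme-relative URLs (`//evil.com`), backslashes that browsers normalise to slashes, lookalike suffixes (`evilexample.com`), and a base domain that has collapsed to a bare TLD. The function names `next_url_allowed`, `base_domain_from_server_name`, the `policy` strings and the `allowed_base` parameter are assumptions made for the illustration.

```python
"""Toy ?next= host policy for the behaviours discussed in the issue.

Added example, not Flask-Security-Too's code. Function names, the
``policy`` argument and ``allowed_base`` are assumptions for illustration.
"""
from typing import Optional
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https"}


def _is_subdomain_of(host: str, base: str) -> bool:
    """True if host equals base or sits below it label-wise.

    The leading-dot suffix check is what stops ``evilexample.com`` from
    matching ``example.com``; a bare ``endswith(base)`` would allow it.
    A leading dot on base (cookie-domain style ``.example.com``) is tolerated.
    """
    host = host.lower().rstrip(".")
    base = base.lower().strip(".")
    return host == base or host.endswith("." + base)


def base_domain_from_server_name(server_name: str) -> Optional[str]:
    """Option 1 from the issue: drop the first label of SERVER_NAME.

    Returns None when fewer than two labels would remain, because a base of
    ``com`` would turn the allowlist into "any .com host" (an open redirect).
    """
    labels = server_name.lower().split(":", 1)[0].split(".")
    if len(labels) < 3:
        return None
    return ".".join(labels[1:])


def next_url_allowed(next_url: str, server_name: str, policy: str = "exact",
                     allowed_base: Optional[str] = None) -> bool:
    """Decide whether ``next_url`` may be used as a post-login redirect.

    policy:
      "exact"      -> only the request host itself (SERVER_NAME)
      "subdomain"  -> SERVER_NAME and hosts below it (the issue's description
                      of SECURITY_REDIRECT_ALLOW_SUBDOMAINS=True)
      "basedomain" -> any host at or below ``allowed_base``, e.g. a value taken
                      from SESSION_COOKIE_DOMAIN (what the issue asks for)
    Relative paths are always allowed; everything else must be http(s) on an
    allowed host.
    """
    # Browsers turn "/\\evil.com" into "//evil.com"; urlsplit does not, so a
    # backslash anywhere is an immediate reject.
    if "\\" in next_url:
        return False
    parts = urlsplit(next_url)
    if not parts.scheme and not parts.netloc:
        # Same-origin relative path such as "/dashboard"
        return parts.path.startswith("/") and not parts.path.startswith("//")
    if parts.scheme not in SAFE_SCHEMES or not parts.hostname:
        return False  # javascript:, data:, scheme-relative "//evil.com", ...
    # .hostname is lower-cased and has userinfo ("user@") and ":port" removed,
    # so "https://bar.example.com@evil.com" yields "evil.com" here.
    host = parts.hostname
    server_host = server_name.lower().split(":", 1)[0]
    if policy == "exact":
        return host == server_host
    if policy == "subdomain":
        return _is_subdomain_of(host, server_host)
    if policy == "basedomain":
        # Refuse an empty base or a bare TLD such as "com" / ".com".
        if not allowed_base or "." not in allowed_base.strip("."):
            return False
        return _is_subdomain_of(host, allowed_base)
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed sample inputs mirroring the issue's reproduce step.
    server = "foo.example.com"
    for url in ("https://bar.example.com", "https://bar.foo.example.com",
                "https://bar.example.com@evil.com", "//evil.com",
                "/\\evil.com", "https://evilexample.com/", "/dashboard"):
        print(f"{url:40} subdomain={next_url_allowed(url, server, 'subdomain')!s:5} "
              f"basedomain={next_url_allowed(url, server, 'basedomain', 'example.com')}")
```

Option 3 in the thread (reusing SESSION_COOKIE_DOMAIN) maps onto the `basedomain` policy with `allowed_base` taken from that setting; note that a cookie domain of `.example.com` already means "the session is shared by every subdomain", so redirecting between those subdomains widens the trust boundary no further than the session cookie itself does. The `base_domain_from_server_name` pitfall (a two-label SERVER_NAME yielding a bare TLD) is the main reason to prefer an explicitly configured base over stripping the first label.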