adding redirect warnings to external systems

app-code/api/login/confirm_external_redirect.php

@@ -0,0 +1,8 @@
+<?php
+include "../utils/security.php";
+secure_session_start();
+header('Content-Type: application/json');
+
+$_SESSION["external_domain_confirmed"] = true;
+
+echo json_encode(['success' => true]);

app-code/api/login/redirect.php

@@ -56,10 +56,19 @@ else if ($_SESSION["needs_auth"]===false && $_SESSION["mfa_authenticated"]==1 &&
 	mysqli_stmt_execute($stmt);
 	mysqli_stmt_close($stmt);
 	if(!empty($send_to)){
-		$data=[
-		        'message' => 'done',
-		        'redirect' => append_auth_token_to_redirect($send_to, $auth_token)
-		];
+		$external_domain = is_external_domain($send_to);
+		if ($external_domain !== null && !isset($_SESSION["external_domain_confirmed"])){
+			$data=[
+				'message' => 'external_redirect_warning',
+				'domain' => $external_domain,
+				'redirect' => append_auth_token_to_redirect($send_to, $auth_token)
+			];
+		}else{
+			$data=[
+				'message' => 'done',
+				'redirect' => append_auth_token_to_redirect($send_to, $auth_token)
+			];
+		}
 	}else{
 		$data=[
 		        'message' => 'done',

app-code/api/login/set_username.php

@@ -11,6 +11,7 @@ $conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD, $DB_DATABASE);
 check_rate_limit($conn, 'set_username', 30, 60);
 $_SESSION["needs_auth"]=true;
 $_SESSION["logged_in"]=false;
+unset($_SESSION["external_domain_confirmed"]);
 $username = strtolower((string) ($_POST["username"] ?? ""));
 $_SESSION["username"]=preg_replace("/[^a-z0-9_]/","",$username);
 session_regenerate_id(true);

app-code/api/utils/security.php

@@ -295,4 +295,23 @@ function append_auth_token_to_redirect(string $redirect, string $auth_token): st
     return $redirect . $separator . 'auth=' . rawurlencode($auth_token);
 }
 
+function is_external_domain(string $url): ?string
+{
+    if (!str_starts_with($url, 'http://') && !str_starts_with($url, 'https://')) {
+        return null;
+    }
+
+    $host = parse_url($url, PHP_URL_HOST);
+    if ($host === null || $host === '') {
+        return null;
+    }
+
+    $host = strtolower($host);
+    if ($host === 'auth.jakach.ch' || str_ends_with($host, '.jakach.ch')) {
+        return null;
+    }
+
+    return $host;
+}
+
 ?>