Issue #1883: accept non-public TLDs in redirect URLs.

[mbert]

This fixes issue #1883.

Redirect URLs are validated using Apache UrlValidator which will also validate a URL's TLD against a whitelist. This leads to a new restriction: eSignet cannot redirect to URLs in sandbox environments where the TLD is not "official".

In a sandbox environment, an organisation-wide root CA can be used to sign sandbox hosts' TLS certificates, hence they cannot just be renamed to something the UrlValidator acceps.

As a solution I propose to skip the validation of TLDs against the whitelist. Unfortunately this is a bit awkward when using Apache's UrlValidator, one has to implement the hostname + if present port validation oneself using a RegexValidator.

This PR provides such an implementation.

Summary by CodeRabbit

• Improvements

  • Replaced previous redirect-URI validation with a stricter, project-specific validator enforcing tighter host/port and TLD rules, improving security and broadening recognized schemes (HTTP, FTP, custom deep-links), plus better IPv4/IPv6 and localhost handling.

• Tests

  • Added extensive tests covering valid and invalid redirect URLs: domains, custom TLDs, IP literals, port bounds, schemes, paths, queries, fragments, and malformed inputs.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0299bc32-1f58-401a-944a-38f00ebff20b

📥 Commits

Reviewing files that changed from the base of the PR and between afb55a9 and 25bc4fc.

📒 Files selected for processing (3)

• esignet-core/src/main/java/io/mosip/esignet/core/util/IdentityProviderUtil.java
• esignet-core/src/main/java/io/mosip/esignet/core/validator/RedirectURLValidator.java
• esignet-core/src/test/java/io/mosip/esignet/core/validator/RedirectURLValidatorTest.java

---

Walkthrough

Replaces Apache Commons UrlValidator with RedirectURLValidator using a strict authority-part regex, integrates it into IdentityProviderUtil, and adds comprehensive JUnit tests for many valid and invalid redirect-URL cases.

Changes

Redirect URL Validation Enhancement

Layer / File(s)	Summary
Custom Authority Validator Implementation esignet-core/src/main/java/io/mosip/esignet/core/validator/RedirectURLValidator.java	RedirectURLValidator composes regexes for bracketed IPv6, IPv4, localhost, domain names with constrained TLDs, and an optional port range (0–65535) into AUTHORITY_PART_RX and configures an Apache Commons UrlValidator with new RegexValidator(AUTHORITY_PART_RX). isValid delegates to the configured validator.
Integration into IdentityProviderUtil esignet-core/src/main/java/io/mosip/esignet/core/util/IdentityProviderUtil.java	Replaces the static UrlValidator with a RedirectURLValidator instance in the static initializer and updates matchUri calls to urlValidator.isValid(..., null) for both registered and requested redirect URIs.
Validation Test Coverage esignet-core/src/test/java/io/mosip/esignet/core/validator/RedirectURLValidatorTest.java	New JUnit 5 test class validating IANA-style and custom TLDs, IPv4/IPv6/localhost hosts, port boundary cases (including 0 and 65535), multiple schemes, path/query/fragment variations, and many invalid inputs (null/empty, missing scheme, invalid TLD/IP/host, scheme-only).

Sequence Diagram

sequenceDiagram
  participant IdentityProviderUtil
  participant RedirectURLValidator
  participant ApacheUrlValidator
  participant RegexValidator
  IdentityProviderUtil->>RedirectURLValidator: isValid(uri)
  RedirectURLValidator->>ApacheUrlValidator: isValid(uri, null)
  ApacheUrlValidator->>RegexValidator: validate authority part (host[:port])
  RegexValidator-->>ApacheUrlValidator: regex match result
  ApacheUrlValidator-->>RedirectURLValidator: validation result
  RedirectURLValidator-->>IdentityProviderUtil: true/false

Loading

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly Related Issues

• eSignet rejects non-public URLs #1883 — Addresses the same redirect-URI validation behavior by replacing Apache UrlValidator with a custom RedirectURLValidator to allow non-public/custom TLDs and sandbox/internal URLs.

Poem

🐰 A rabbit hops through redirect paths with care,
Bracketed IPv6 and IPv4 in the air.
Localhost and ports now checked edge to edge,
Schemes and queries fenced by a regex hedge.
Tests cheer softly — secure redirects everywhere.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: accepting non-public TLDs in redirect URLs, which directly aligns with the core objective described in PR #1883.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@esignet-core/src/main/java/io/mosip/esignet/core/validator/RedirectURLValidator.java`:
- Around line 16-30: The custom authority regex (AUTHORITY_PART_RX) in
RedirectURLValidator (and its components IPV6_REGEX, DOMAIN_REGEX) is too
permissive and short-circuits UrlValidator by using new
RegexValidator(AUTHORITY_PART_RX), allowing invalid hosts; change the
implementation to stop passing a full-authority RegexValidator to UrlValidator —
instead parse the authority into host and optional port in RedirectURLValidator,
validate the port separately, and pass only the scheme/URL to UrlValidator (or
call UrlValidator.isValidHost()/DomainValidator/IP validators directly) so
Commons Validator’s built-in DomainValidator and IP validation are used for host
checks; update urlValidator usage to rely on UrlValidator/DomainValidator
methods and add regression tests for invalid hosts like “[::::]” and labels
starting/ending with “-”.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a1dff8c5-2474-4fd2-91de-d51bb2cb159d

📥 Commits

Reviewing files that changed from the base of the PR and between 823dae9 and afb55a9.

📒 Files selected for processing (3)

• esignet-core/src/main/java/io/mosip/esignet/core/util/IdentityProviderUtil.java
• esignet-core/src/main/java/io/mosip/esignet/core/validator/RedirectURLValidator.java
• esignet-core/src/test/java/io/mosip/esignet/core/validator/RedirectURLValidatorTest.java