fix: hostname can be empty with redirect urls (#2241)

Oops. In in-app URLs like `com.app://` hostname is empty, but the regex
expects at least one char.

Author: hf

internal/api/verify_test.go

@@ -671,6 +671,13 @@ func (ts *VerifyTestSuite) TestVerifySignupWithRedirectURLContainedPath() {
 			requestredirectURL:  "http://japanese。.example.com/abc",
 			expectedredirectURL: "http://localhost:3000",
 		},
+		{
+			desc:                "redirect with allowed deep-link url correctly without a hostname",
+			siteURL:             "http://localhost:3000",
+			uriAllowList:        []string{"com.myapp://**"},
+			requestredirectURL:  "com.myapp://",
+			expectedredirectURL: "com.myapp:",
+		},
 	}
 
 	for _, tC := range testCases {

internal/utilities/request.go

@@ -101,12 +101,15 @@ func IsRedirectURLValid(config *conf.GlobalConfiguration, redirectURL string) bo
 		return false
 	}
 
+	scheme := strings.ToLower(refurl.Scheme)
+	isHTTP := scheme == "http:" || scheme == "https:"
+
 	if decimalIPAddressPattern.MatchString(refurl.Hostname()) {
 		// IP address in decimal form also not allowed in redirects!
 		return false
 	} else if ip := net.ParseIP(refurl.Hostname()); ip != nil {
 		return ip.IsLoopback()
-	} else if !regularHostname.MatchString(refurl.Hostname()) {
+	} else if isHTTP && !regularHostname.MatchString(refurl.Hostname()) {
 		// hostname uses characters that are not typically used
 		return false
 	}