改进 登录请求

app/Http/Controllers/Public/AuthRequestController.php

@@ -19,6 +19,18 @@ public function store(Request $request): JsonResponse
             'return_url' => 'nullable|url',
         ]);
 
+        if ($request->filled('return_url') && $request->hasHeader('referer')) {
+            // 如果有 referer，检查是否和来源域名一致
+            $referer = parse_url($request->header('referer'), PHP_URL_HOST);
+
+            // return url 的域名
+            $returnUrl = parse_url($request->input('return_url'), PHP_URL_HOST);
+
+            if ($referer !== $returnUrl) {
+                return $this->error('来源域名不匹配。');
+            }
+        }
+
         $token = Str::random(128);
 
         $data = [

app/Http/Controllers/Web/AuthController.php

@@ -174,12 +174,7 @@ public function storeAuthRequest(Request $request): RedirectResponse|View
         Cache::put('auth_request:'.$request->input('token'), $data, 60);
 
         if (isset($data['meta']['return_url']) && $data['meta']['return_url']) {
-            session()->put('callback', $data['meta']['return_url']);
-
-            return view('confirm_redirect', [
-                'token' => $data['meta']['token'],
-                'callback' => $data['meta']['return_url'],
-            ]);
+            return redirect()->to($data['meta']['return_url'].'?auth_request='.$request->input('token'));
         }
 
         return redirect()->route('index')->with('success', '登录请求已确认。');