From bb0d0088ffb3ec71dd211efb811e75e1356dd855 Mon Sep 17 00:00:00 2001
From: Deepak Bhagat
Date: Thu, 22 Jan 2026 01:15:57 +0530
Subject: [PATCH] fix(auth): validate origin of oauth callback to prevent login csrf

---
 packages/auth/src/loginWithRocketChatOAuth.ts | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/packages/auth/src/loginWithRocketChatOAuth.ts b/packages/auth/src/loginWithRocketChatOAuth.ts
index 955e70c7a4..66a553a9f1 100644
--- a/packages/auth/src/loginWithRocketChatOAuth.ts
+++ b/packages/auth/src/loginWithRocketChatOAuth.ts
@@ -45,6 +45,9 @@ width=800,height=600,left=-1000,top=-1000,rel=opener`;
 return new Promise((resolve) => {
 if (popup) {
 const onMessage = async (e: MessageEvent) => {
+ if (e.origin !== new URL(config.api.baseUrl).origin) {
+ return;
+ }
 if (e.data.type === "rc-oauth-callback") {
 const { accessToken, expiresIn, serviceName } = e.data.credentials;
 const response = await config.api.post("/api/v1/login", {
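Review bot: The added origin check still accepts a message from any window at that origin, not just the one this code opened; since `popup` is in scope on the line above, also require the sender to be that window: compute `const expectedOrigin = new URL(config.api.baseUrl).origin;` before the handler and make the guard `if (e.origin !== expectedOrigin || e.source !== popup) return;`. Hoisting the `new URL(...)` call out of the async callback also means a malformed `config.api.baseUrl` throws synchronously where the caller can see it, instead of as an unhandled rejection on every message, and avoids re-parsing the URL per event. The check assumes the OAuth callback page posts from the same origin as `config.api.baseUrl`; if the Rocket.Chat web origin can differ from the API base URL, legitimate callbacks would now be silently dropped and the promise would never settle, so a comment such as `// callback page must be served from the API origin; messages from elsewhere are ignored` would record that assumption. The `onMessage` handler and the surrounding Promise body continue outside the hunk.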