There was some discussion here on this issue: #99

This does open up the space to introduce a wider attack surface for mobile apps, although this is not as significant as it appears. On Android at least, apps can also listen to https URLs too. It is up to the user of GoTrue to make sure their settings are secure when they add redirect patterns.

cc @kangmingtay @awalias

Added to Security doc (yet unpublished). Excerpt:

Redirect URLs

Supabase Auth lets you redirect back to different URLs on susccessful
authentication. Your client app can specify the URL to redirect back to using
the redirectTo parameter.

Given that in sophisticated attacks this parameter may come from a malicious
source, Supabase Auth implements an allow list which will be consulted prior to
sending a redirect response. Should the redirect parameter not fall in the URL
allow list, the Site URL is used.

The allow list can be a simple list of exactly matching URLs, but it also
supports wildcard characters to match them as a pattern.

:::tip
You can configure the URL allow list in the Authentcation General Settings
page under Redirect URLs.
:::

Because wildcard patterns are also supported, you need to be careful when using
them, as you may be opening up your application to a larger attack surface.
Here are some examples of do's and don'ts.

Dont's.

• **
  This pattern would match any redirect URL.
• com.mobile.app.*://**
  This pattern would match any iOS application with a package name that starts
  with com.mobile.app.. An attacker can use this to call on those apps in a
  user's device.
• https://*.com/**
  This pattern would match any URL on the .com domain name. An attacker can use
  this to redirect back to any website they control.

Dos.

• https://app.example.com/**
  This is the recommended form for most project use cases on the web. Any
  redirects to the app.example.com domain will be allowed with any path. If
  your project needs to support multiple such domains, add multiple entries like
  this.
• com.mobile.app://**
  This is the recommended form for most project use cases on iOS. Any redirects
  to the com.mobile.app application will be allowed with any path. If your
  project needs to support multiple applications, add multiple entries. Avoid
  using wildcards in the URL scheme!

:::tip
If you use exact or very specific URLs, make sure you always include a trailing
slash / as that is the proper valid form of URLs. Correct form:
https://app.example.com/*/sign-in/. Incorrect form:
https://app.example.com/*/sign-in.
:::

🎉 This PR is included in version 2.17.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀