In testing, use the Example domains.

[madogiwa0124]

There was a part in the test code where the Example domains was not used, so it has been fixed.

Example domains
As described in RFC 2606 and RFC 6761, a number of domains such as example.com and example.org are maintained for documentation purposes. These domains may be used as illustrative examples in documents without prior coordination with us. They are not available for registration or transfer.
https://www.iana.org/domains/reserved

How about PR?

[mikker]

Thanks! Is there a reason we use the insecure. version and not just https://...?

[madogiwa0124]

@mikker

Thanks for comment!

Is there a reason we use the insecure. version

This is an insecure redirect destination, we added insecure. for clarity.

not just https://...

This is because the original implementation was http, so I followed it.

I understand that this test verifies that redirects to another host are properly rejected.

passwordless/app/controllers/passwordless/sessions_controller.rb

Lines 74 to 79 in 43479f4

	def passwordless_query_redirect_path
	query_redirect_uri = URI(params[:destination_path])
	query_redirect_uri.to_s if query_redirect_uri.host.nil? || query_redirect_uri.host == URI(request.url).host
	rescue URI::InvalidURIError, ArgumentError
	nil
	end

As you said, even if don't add a subdomain, it will validate fine because it uses example.org which is different from the default www.example.com 👍🏻

Would https://example.org/secret-alt or something else be more obvious?

If so, I will try to fix it that way 😃

[mikker]

This is fine 👍 I was just curious if it was a conscious choice or not.

[mikker]

Thanks! 💙💚💛💜❤️