Chagned CSP to allow only values via SetAllowedFormAction

backend/internal/controller/oidc_controller.go

@@ -94,17 +94,18 @@ func (oc *OidcController) authorizeHandler(c *gin.Context) {
 		return
 	}
 
-	// Set the allowed form-action in CSP when response_mode is form_post
-	if input.ResponseMode == "form_post" && input.CallbackURL != "" {
-		middleware.SetAllowedFormAction(c, input.CallbackURL)
-	}
-
 	code, callbackURL, err := oc.oidcService.Authorize(c.Request.Context(), input, c.GetString("userID"), c.ClientIP(), c.Request.UserAgent())
 	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 
+	// Set the allowed form-action in CSP after validation (when response_mode is form_post)
+	// Only set if we have a valid callback URL from the service
+	if input.ResponseMode == "form_post" && callbackURL != "" {
+		middleware.SetAllowedFormAction(c, callbackURL)
+	}
+
 	response := dto.AuthorizeOidcClientResponseDto{
 		Code:        code,
 		CallbackURL: callbackURL,

backend/internal/middleware/csp_middleware.go

@@ -34,12 +34,14 @@ func (m *CspMiddleware) Add() gin.HandlerFunc {
 		nonce := generateNonce()
 		c.Set("csp_nonce", nonce)
 
+		// Let the handler run first, then set CSP header with the final context values
+		c.Next()
+
 		// Determine if there is an EXTRA target beyond 'self'
+		// This is set by handlers (e.g., OIDC authorize) after validating the redirect URI
 		var extraAction string
 		if v, ok := c.Get("csp_allowed_form_action"); ok {
 			extraAction, _ = v.(string)
-		} else if c.Query("response_mode") == "form_post" {
-			extraAction = c.Query("redirect_uri")
 		}
 
 		// 'self' is kept in the string; extraAction is just appended
@@ -54,7 +56,6 @@ func (m *CspMiddleware) Add() gin.HandlerFunc {
 			"script-src 'self' 'nonce-" + nonce + "'"
 
 		c.Writer.Header().Set("Content-Security-Policy", csp)
-		c.Next()
 	}
 }