SsoBridgeController
HTTP face of the SSO bridge (social-login redirect flow). Routes
are mounted by VenAuthServiceProvider when bridge.enabled is on:
GET {prefix}/{provider}/redirect → redirect() — kick off GET {prefix}/callback → callback() — finish
{prefix} defaults to auth/rw3iss (config bridge.route_prefix).
Register https://<app>{/prefix}/callback in the app’s
allowed_redirect_urls on the auth-server.
Password logins don’t pass through here — they go straight from the app’s own login form to {@see SessionBridge::loginWithPassword()} (see docs/SSO_BRIDGE.md for the Filament page override).
Methods
redirect()
function redirect(Request $request, string $provider): RedirectResponseKick off: 302 the browser to the provider via the auth-server.
callback()
function callback(Request $request): RedirectResponseFinish: exchange code+state, establish the local session.
safeNext()
function safeNext(mixed $next): ?stringValidate a post-login ?next= target: only same-origin relative paths
survive. Rejects absolute URLs, protocol-relative //host, backslash
tricks, control chars, and anything carrying a scheme — open-redirect
defense (a bare str_starts_with('/') let //evil.example through).