Ivy-Interactive · rorychatt · Mar 31, 2026 · Mar 31, 2026 · Mar 31, 2026 · Apr 1, 2026
diff --git a/src/Ivy/Auth/DefaultAuthApp.cs b/src/Ivy/Auth/DefaultAuthApp.cs
@@ -145,7 +145,7 @@ public class OAuthFlowView(AuthOption option) : ViewBase
 
         var state = this.UseState(() => registry.RegisterPending(args.ConnectionId, option.Id ?? ""));
 
-        var oauthUriBuilder = new UriBuilder($"{args.BaseUrl}/ivy/auth/oauth-login")
+        var oauthUriBuilder = new UriBuilder($"{args.BaseUrl}ivy/auth/oauth-login")
         {
             Query = $"optionId={Uri.EscapeDataString(option.Id ?? "")}&callbackId={Uri.EscapeDataString(state.Value)}&connectionId={Uri.EscapeDataString(args.ConnectionId)}"
         };

diff --git a/src/Ivy/Auth/IAuthTokenHandler.cs b/src/Ivy/Auth/IAuthTokenHandler.cs
@@ -3,7 +3,7 @@ namespace Ivy;
 
 public interface IAuthTokenHandler
 {
-    Task InitializeAsync(IAuthTokenHandlerSession authSession, string requestScheme, string requestHost, CancellationToken cancellationToken = default)
+    Task InitializeAsync(IAuthTokenHandlerSession authSession, string requestScheme, string requestHost, string? basePath = null, CancellationToken cancellationToken = default)
     {
         return Task.CompletedTask;
     }

diff --git a/src/Ivy/Core/Auth/AuthController.cs b/src/Ivy/Core/Auth/AuthController.cs
@@ -21,6 +21,7 @@
         [FromQuery] string callbackId,
         [FromQuery] string connectionId,
         [FromServices] AppSessionStore sessionStore,
+        [FromServices] ServerArgs serverArgs,
         [FromServices] ILogger<AuthController> logger)
     {
         if (string.IsNullOrWhiteSpace(optionId) || string.IsNullOrWhiteSpace(callbackId) || string.IsNullOrWhiteSpace(connectionId))
@@ -58,7 +59,7 @@
             scheme = forwardedProto.ToString();
         }
         var host = HttpContext.Request.Host.Value ?? throw new InvalidOperationException("Host not found in request");
-        var callback = WebhookEndpoint.CreateAuthCallback(callbackId, scheme, host);
+        var callback = WebhookEndpoint.CreateAuthCallback(callbackId, scheme, host, serverArgs.BasePath);
 
         try
         {
@@ -85,6 +86,7 @@
         [FromServices] IOAuthCallbackRegistry registry,
         [FromServices] IAuthProvider authProvider,
         [FromServices] AppSessionStore sessionStore,
+        [FromServices] ServerArgs serverArgs,
         [FromServices] ILogger<AuthController> logger)
     {
         var effectiveId = callbackId ?? state;
@@ -140,7 +142,8 @@
             cookies.AddCookiesForBrokeredSessions(tempSession.BrokeredSessions);
             cookies.WriteToResponse(Response);
 
-            return Redirect("/?oauthLogin=1");
+            var redirectUrl = serverArgs.BasePath != null ? $"{serverArgs.BasePath}/?oauthLogin=1" : "/?oauthLogin=1";
+            return Redirect(redirectUrl);
@@ -142,7 +142,34 @@
            cookies.AddCookiesForBrokeredSessions(tempSession.BrokeredSessions);
            cookies.WriteToResponse(Response);
-            var redirectUrl = serverArgs.BasePath != null ? $"{serverArgs.BasePath}/?oauthLogin=1" : "/?oauthLogin=1";
+            // Ensure redirect URL remains within this application by normalizing BasePath to a relative path
+            var basePath = serverArgs.BasePath;
+            if (string.IsNullOrWhiteSpace(basePath))
+            {
+                basePath = "/";
+            }
+
+            // Disallow absolute or protocol-relative URLs in BasePath
+            if (basePath.StartsWith("http://", StringComparison.OrdinalIgnoreCase) ||
+                basePath.StartsWith("https://", StringComparison.OrdinalIgnoreCase) ||
+                basePath.StartsWith("//", StringComparison.Ordinal))
+            {
+                basePath = "/";
+            }
+
+            // Normalize to a rooted, application-local path
+            if (!basePath.StartsWith("/"))
+            {
+                basePath = "/" + basePath;
+            }
+
+            // Avoid double slashes before query
+            if (!basePath.EndsWith("/"))
+            {
+                basePath += "/";
+            }
+
+            var redirectUrl = $"{basePath}?oauthLogin=1";
            return Redirect(redirectUrl);
        }
        catch (Exception ex)
@@ -142,7 +142,34 @@
            cookies.AddCookiesForBrokeredSessions(tempSession.BrokeredSessions);
            cookies.WriteToResponse(Response);

-            var redirectUrl = serverArgs.BasePath != null ? $"{serverArgs.BasePath}/?oauthLogin=1" : "/?oauthLogin=1";
+            // Ensure redirect URL remains within this application by normalizing BasePath to a relative path
+            var basePath = serverArgs.BasePath;
+            if (string.IsNullOrWhiteSpace(basePath))
+            {
+                basePath = "/";
+            }
+
+            // Disallow absolute or protocol-relative URLs in BasePath
+            if (basePath.StartsWith("http://", StringComparison.OrdinalIgnoreCase) ||
+                basePath.StartsWith("https://", StringComparison.OrdinalIgnoreCase) ||
+                basePath.StartsWith("//", StringComparison.Ordinal))
+            {
+                basePath = "/";
+            }
+
+            // Normalize to a rooted, application-local path
+            if (!basePath.StartsWith("/"))
+            {
+                basePath = "/" + basePath;
+            }
+
+            // Avoid double slashes before query
+            if (!basePath.EndsWith("/"))
+            {
+                basePath += "/";
+            }
+
+            var redirectUrl = $"{basePath}?oauthLogin=1";
            return Redirect(redirectUrl);
        }
        catch (Exception ex)
         }
         catch (Exception ex)
         {

diff --git a/src/Ivy/Core/Auth/CheckedAuthTokenHandler.cs b/src/Ivy/Core/Auth/CheckedAuthTokenHandler.cs
@@ -7,14 +7,14 @@ public class CheckedAuthTokenHandler(IAuthTokenHandler innerAuthTokenHandler) :
 {
     protected readonly IAuthTokenHandler _innerAuthTokenHandler = innerAuthTokenHandler;
 
-    public Task InitializeAsync(IAuthTokenHandlerSession authSession, string requestScheme, string requestHost, CancellationToken cancellationToken = default)
+    public Task InitializeAsync(IAuthTokenHandlerSession authSession, string requestScheme, string requestHost, string? basePath = null, CancellationToken cancellationToken = default)
     {
         var checkedSession = authSession.WithCheckedAccess()
             .WithTokenAccess(AuthSessionAccessMode.ReadWrite)
             .WithSessionDataAccess(AuthSessionAccessMode.ReadWrite)
             .WithBrokeredSessionsAccess(AuthSessionAccessMode.ReadWrite)
             .Build();
-        return _innerAuthTokenHandler.InitializeAsync(checkedSession, requestScheme, requestHost, cancellationToken);
+        return _innerAuthTokenHandler.InitializeAsync(checkedSession, requestScheme, requestHost, basePath, cancellationToken);
     }
 
     public Task<AuthToken?> RefreshAccessTokenAsync(IAuthTokenHandlerSession authSession, CancellationToken cancellationToken = default)

diff --git a/src/Ivy/Core/Server/AppHub.cs b/src/Ivy/Core/Server/AppHub.cs
@@ -114,6 +114,13 @@ public override async Task OnConnectedAsync()
                 requestScheme = forwardedProto.ToString();
             }
 
+            // Get base path from X-Forwarded-Prefix header (for reverse proxy), or fall back to server.Args
+            var basePath = server.Args?.BasePath;
+            if (httpContext.Request.Headers.TryGetValue("X-Forwarded-Prefix", out var forwardedPrefix) && !string.IsNullOrEmpty(forwardedPrefix.ToString()))
+            {
+                basePath = forwardedPrefix.ToString().Trim('/');
+            }
+
             var machineId = AppRouter.GetMachineId(httpContext);
 
             // Resolve route before auth so we can avoid reload loop on error page (skip LogoutAsync) and avoid overriding to Auth app
@@ -134,7 +141,7 @@ public override async Task OnConnectedAsync()
 
                 var oldSession = authSession.TakeSnapshot();
                 await TimeoutHelper.WithTimeoutAsync(
-                    ct => authProvider.InitializeAsync(authSession, requestScheme, request.Host.Value!, ct),
+                    ct => authProvider.InitializeAsync(authSession, requestScheme, request.Host.Value!, basePath, ct),
                     Context.ConnectionAborted);
                 if (authSession.HasChangedSince(oldSession))
                 {
@@ -193,7 +200,7 @@ await TimeoutHelper.WithTimeoutAsync(
 
             if (routeResult.AppDescriptor.Title is { } title && routeResult.AppId != AppIds.AppShell && parentId == null)
             {
-                clientProvider.SetTitle(title, server.Args.Metadata.Title);
+                clientProvider.SetTitle(title, server.Args?.Metadata?.Title);
             }
 
             appServices.AddSingleton(routeResult.AppRepository);
@@ -699,7 +706,7 @@ private async Task BrokeredTokenRefreshLoopAsync(string connectionId, string pro
             var appContext = session.AppServices.GetService<AppContext>();
             if (appContext != null)
             {
-                await handler.InitializeAsync(providerSession, appContext.Scheme, appContext.Host, cancellationToken);
+                await handler.InitializeAsync(providerSession, appContext.Scheme, appContext.Host, appContext.BasePath, cancellationToken);
             }
 
             var client = session.AppServices.GetRequiredService<IClientProvider>();

diff --git a/src/Ivy/Core/WebhookEndpoint.cs b/src/Ivy/Core/WebhookEndpoint.cs
@@ -11,19 +11,21 @@ private WebhookEndpoint(string id, string baseUrl)
         BaseUrl = baseUrl;
     }
 
-    public static WebhookEndpoint CreateWebhook(string id, string scheme, string host)
+    public static WebhookEndpoint CreateWebhook(string id, string scheme, string host, string? basePath = null)
     {
-        return new(id, BuildWebhookBaseUrl(scheme, host));
+        return new(id, BuildWebhookBaseUrl(scheme, host, basePath));
     }
 
-    public static WebhookEndpoint CreateAuthCallback(string id, string scheme, string host)
+    public static WebhookEndpoint CreateAuthCallback(string id, string scheme, string host, string? basePath = null)
     {
-        return new(id, BuildAuthCallbackBaseUrl(scheme, host));
+        return new(id, BuildAuthCallbackBaseUrl(scheme, host, basePath));
     }
 
-    public static string BuildWebhookBaseUrl(string scheme, string host) => $"{scheme}://{host}/ivy/webhook";
+    public static string BuildWebhookBaseUrl(string scheme, string host, string? basePath = null)
+        => basePath != null ? $"{scheme}://{host}{basePath}/ivy/webhook" : $"{scheme}://{host}/ivy/webhook";
 
-    public static string BuildAuthCallbackBaseUrl(string scheme, string host) => $"{scheme}://{host}/ivy/auth/callback";
+    public static string BuildAuthCallbackBaseUrl(string scheme, string host, string? basePath = null)
+        => basePath != null ? $"{scheme}://{host}{basePath}/ivy/auth/callback" : $"{scheme}://{host}/ivy/auth/callback";
 
     public Uri GetUri(bool includeIdInPath = true) => includeIdInPath
         ? new Uri($"{BaseUrl}/{Id}")

diff --git a/src/Ivy/Hooks/UseWebhook.cs b/src/Ivy/Hooks/UseWebhook.cs
@@ -37,7 +37,7 @@ public static WebhookEndpoint UseWebhook(this IViewContext context, Func<HttpReq
 
         context.UseEffect(() => webhookController.Register(webhookId.Value, handler), [EffectTrigger.OnMount()]);
 
-        return WebhookEndpoint.CreateWebhook(webhookId.Value, appContext.Scheme, appContext.Host);
+        return WebhookEndpoint.CreateWebhook(webhookId.Value, appContext.Scheme, appContext.Host, appContext.BasePath);
     }
 }
 

diff --git a/src/auth/Ivy.Auth.Clerk/ClerkAuthTokenHandler.cs b/src/auth/Ivy.Auth.Clerk/ClerkAuthTokenHandler.cs
@@ -70,10 +70,10 @@ public ClerkAuthTokenHandler(IConfiguration configuration)
         HttpClient.DefaultRequestHeaders.Add("User-Agent", userAgent);
     }
 
-    public async Task InitializeAsync(IAuthTokenHandlerSession authSession, string requestScheme, string requestHost, CancellationToken cancellationToken = default)
+    public async Task InitializeAsync(IAuthTokenHandlerSession authSession, string requestScheme, string requestHost, string? basePath = null, CancellationToken cancellationToken = default)
     {
-        _origin = $"{requestScheme}://{requestHost}";
-        _callbackBaseUrl = WebhookEndpoint.BuildAuthCallbackBaseUrl(requestScheme, requestHost);
+        _origin = basePath != null ? $"{requestScheme}://{requestHost}{basePath}" : $"{requestScheme}://{requestHost}";
+        _callbackBaseUrl = WebhookEndpoint.BuildAuthCallbackBaseUrl(requestScheme, requestHost, basePath);
 
         var frontendClient = MakeFrontendApiClient(authSession);
         if (IsProduction)

diff --git a/src/auth/Ivy.Auth.MicrosoftEntra/MicrosoftEntraAuthTokenHandler.cs b/src/auth/Ivy.Auth.MicrosoftEntra/MicrosoftEntraAuthTokenHandler.cs
@@ -38,9 +38,9 @@ public MicrosoftEntraAuthTokenHandler(IConfiguration configuration)
         );
     }
 
-    public Task InitializeAsync(IAuthTokenHandlerSession authSession, string requestScheme, string requestHost, CancellationToken cancellationToken = default)
+    public Task InitializeAsync(IAuthTokenHandlerSession authSession, string requestScheme, string requestHost, string? basePath = null, CancellationToken cancellationToken = default)
     {
-        var baseUrl = WebhookEndpoint.BuildAuthCallbackBaseUrl(requestScheme, requestHost);
+        var baseUrl = WebhookEndpoint.BuildAuthCallbackBaseUrl(requestScheme, requestHost, basePath);
         SetBaseUrl(baseUrl);
         return Task.CompletedTask;
     }
-Original file line number
+Diff line change
@@ Expand Up @@
             context.UseEffect(() => webhookController.Register(webhookId.Value, handler), [EffectTrigger.OnMount()]);
-            return WebhookEndpoint.CreateWebhook(webhookId.Value, appContext.Scheme, appContext.Host);
+            return WebhookEndpoint.CreateWebhook(webhookId.Value, appContext.Scheme, appContext.Host, appContext.BasePath);
         }
     }
@@ Expand Down @@