chore: don't return allowed return URLs

[jonas-jonas]

Related issue(s)

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security vulnerability, I
  confirm that I got the approval (please contact
  [email protected]) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

Further Comments

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.34%. Comparing base (68693a4) to head (99f52a4).
Report is 9 commits behind head on master.

Additional details and impacted files

@@             Coverage Diff             @@
##           master    #4044       +/-   ##
===========================================
+ Coverage        0   78.34%   +78.34%     
===========================================
  Files           0      370      +370     
  Lines           0    26118    +26118     
===========================================
+ Hits            0    20461    +20461     
- Misses          0     4096     +4096     
- Partials        0     1561     +1561     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[aeneasr]

Log this instead then? Or trace?

[jonas-jonas]

I don't think that adds any value, because you can always check the project configuration.

I added this a while back mainly to make live for a developer implementing Ory a little easier, but in this configuration we're leaking this information to end users if they deliberately trigger this error (e.g. by providing an illegal return_to).

[aeneasr]

ok