Security review fixes:
- Constrain OAuth connect returnUrl to a site-relative path so the
redeemable token_key can't be redirected off-domain (was a refresh-
token leak / connection hijack)
- Route all login redirects (entra/dev/local) through ToLocalReturnUrl,
also closing a protocol-relative // open redirect in local-login
- Neutralize CSV formula prefixes in both audit-log exporters via
CsvSanitizer
- Force Secure flag on the prod auth cookie (Always, not SameAsRequest)
- Gate admin pages with an app_role-claim "Admin" policy instead of a
render-time check
Findings and rationale recorded in SECURITY-TODO.md.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
kawa
17f6010a93