Whitelist only cal domain as callbackUrls

apps/web/middleware.ts

@@ -2,6 +2,7 @@ import { collectEvents } from "next-collect/server";
 // eslint-disable-next-line @next/next/no-server-import-in-page
 import { NextMiddleware, NextResponse, userAgent } from "next/server";
 
+import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants";
 import { extendEventData, nextCollectBasicSettings } from "@calcom/lib/telemetry";
 
 const V2_WHITELIST = ["/settings/admin"];
@@ -12,7 +13,11 @@ const middleware: NextMiddleware = async (req) => {
   if (url.pathname.startsWith("/api/auth")) {
     const callbackUrl = url.searchParams.get("callbackUrl");
     const { isBot } = userAgent(req);
-    if (isBot || (callbackUrl && !callbackUrl.startsWith("https://") && !callbackUrl.startsWith("http://"))) {
+
+    if (
+      isBot ||
+      (callbackUrl && ![CONSOLE_URL, WEBAPP_URL, WEBSITE_URL].some((u) => callbackUrl.startsWith(u)))
+    ) {
       // DDOS Prevention: Immediately end request with no response - Avoids a redirect as well initiated by NextAuth on invalid callback
       const res = new NextResponse("hey", { status: 400, statusText: "Please don't" });
       return res;