Check origin for CLI auth redirect

Summary: Just to be extra sure, we should ensure that the CLI auth only sends the token to localhost or the Pixie cloud domain.

Test Plan: deploy to staging and run `px auth login`, update the redirect URI

Reviewers: vihang, philkuz, zasgar

Reviewed By: vihang
Signed-off-by: Michelle Nguyen <michellenguyen@pixielabs.ai>

Differential Revision: https://phab.corp.pixielabs.ai/D11357

GitOrigin-RevId: cf76052ba8e04eeda5e1029b0c45b589c8930e0d

src/ui/src/pages/auth/callback.tsx

@@ -265,6 +265,12 @@ export const AuthCallbackPage: React.FC = React.memo(() => {
 
   const sendTokenToCLI = React.useCallback(async (accessToken: string, idToken: string, redirectURI: string) => {
     try {
+      // Check the URL is from an accepted origin.
+      const parsedURL = new URL(redirectURI);
+      if (parsedURL.hostname != 'localhost') {
+        return false;
+      }
+
       const response = await redirectGet(redirectURI, { accessToken });
       return response.status === 200 && response.data === 'OK';
     } catch (error) {
@@ -299,7 +305,7 @@ export const AuthCallbackPage: React.FC = React.memo(() => {
             return;
           }
           // Fallback to manual auth unless there is an actual authentication error.
-          if (config.err?.errorType !== 'auth') {
+          if (!config || config.err?.errorType !== 'auth') {
             setConfig((c) => ({
               ...c,
               mode: 'cli_token',