Summary
Add a temporary per-application toggle to allow legacy redirect prefix matching, defaulting to strict (exact) matching for new apps. Preserve legacy behavior for existing apps, with telemetry to support deprecation.
Scope
- Model: add ApiApplication.allow_redirect_prefix_match: bool (default False for new apps).
- Migration: backfill existing rows to True (legacy tolerance).
- Validation: update ApiApplication.is_valid_redirect_uri to allow prefix only when the field is True; keep existing info log on prefix acceptance and add a metric.
- No UI changes in this ticket (optional admin surfacing can be separate).
Acceptance Criteria
- New apps (field False) accept only exact redirect URI matches (normalized); prefix-only URIs are rejected.
- Existing apps (field True) continue to accept prefix matches; an info log and metric are emitted on prefix acceptance.
- Migration applies cleanly; field visible on the model.
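Worked example of the behavior described in Scope and Acceptance Criteria. This is an added illustration, not Sentry's ApiApplication code: a plain dataclass stands in for the model, the logger and metrics client are replaced by in-memory lists so it runs offline, and the normalization rules (lower-case scheme and host, default port dropped, empty path treated as "/") and the same-origin, segment-boundary definition of "prefix" are assumptions about what "normalized" and "prefix" mean here, not a statement of the project's current semantics.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Stand-ins for the project's logger and metrics client so the example runs
# offline (assumption; real code would call the project's own hooks).
INFO_LOG: list[str] = []
METRICS: list[tuple[str, dict[str, str]]] = []

DEFAULT_PORTS = {"http": ":80", "https": ":443"}


def normalize_redirect_uri(uri: str) -> str:
    """Canonical form used for the "exact (normalized)" comparison.

    Assumed normalization: lower-case scheme and host, drop a default port,
    treat an empty path as "/". Path and query are otherwise compared
    byte-for-byte, so "/cb" and "/cb/" remain distinct. The fragment is kept
    so a URI carrying one can never equal a registered URI.
    """
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    netloc = parts.netloc.lower()
    default = DEFAULT_PORTS.get(scheme)
    if default and netloc.endswith(default):
        netloc = netloc[: -len(default)]
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, parts.fragment))


def is_prefix_match(registered: str, candidate: str) -> bool:
    """Legacy tolerance, bounded to the registered origin (assumed semantics).

    Both arguments are already normalized. The candidate must share scheme
    and host:port with the registered URI, and its path must equal the
    registered path or extend it at a "/" boundary. Comparing the whole
    strings with str.startswith would let a registered
    "https://app.example" match "https://app.example.evil.net/", which is
    why scheme and netloc are compared separately from the path.
    """
    r, c = urlsplit(registered), urlsplit(candidate)
    if (r.scheme, r.netloc) != (c.scheme, c.netloc):
        return False
    base = r.path.rstrip("/")
    return c.path == r.path or c.path.startswith(base + "/")


@dataclass
class ApiApplication:
    """Minimal stand-in for the model in the issue (assumption, not the ORM)."""

    client_id: str
    redirect_uris: list[str]
    allow_redirect_prefix_match: bool = False  # strict default for new apps

    def is_valid_redirect_uri(self, value: str) -> bool:
        # RFC 6749 section 3.1.2: a redirect URI must not include a fragment.
        if urlsplit(value).fragment:
            return False
        candidate = normalize_redirect_uri(value)
        registered = [normalize_redirect_uri(u) for u in self.redirect_uris]
        if candidate in registered:
            return True  # exact (normalized) match: the only path for new apps
        if not self.allow_redirect_prefix_match:
            return False
        for allowed in registered:
            if is_prefix_match(allowed, candidate):
                # Legacy acceptance: log and count it so deprecation can be
                # driven by data (metric name taken from the issue's Rollout).
                INFO_LOG.append(
                    f"redirect_uri accepted by prefix client_id={self.client_id} uri={candidate}"
                )
                METRICS.append(("oauth.redirect.prefix_match", {"client_id": self.client_id}))
                return True
        return False


if __name__ == "__main__":
    legacy = ApiApplication("legacy", ["https://app.example.com/callback"], True)
    print(legacy.is_valid_redirect_uri("https://app.example.com/callback/extra"))  # True
    strict = ApiApplication("new", ["https://app.example.com/callback"])
    print(strict.is_valid_redirect_uri("https://app.example.com/callback/extra"))  # False
```

The origin check in `is_prefix_match` is the part worth keeping even for the legacy path: a bare `startswith` on the full URI string is the classic prefix bug, and backfilling existing apps to True should not reintroduce it.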
Test Plan (100% coverage on changed code paths)
- tests/sentry/models/test_apiapplication.py:
  - Strict default: prefix match rejected for new app (field False).
  - Legacy: prefix match accepted when field True; log/metric path exercised.
- Optionally add authorize-view tests validating redirect handling in endpoint flow.
Rollout
- Field default False for new apps; backfill True for existing.
- Metric: increment oauth.redirect.prefix_match (tags: client_id/app_id).
- Document deprecation plan in oauth2.1-plan.
Dependencies
- None (first slice).
Risks/Mitigations
- Risk: rejecting legitimate prefixes for new apps — mitigated by making field explicit and documenting exact URI requirements; RFC 8252 native app rules handled separately.