fix: restrict payment return urls to internal result page

backend/internal/service/payment_resume_service_test.go

@@ -64,23 +64,39 @@ func TestNormalizePaymentSource(t *testing.T) {
 func TestCanonicalizeReturnURL(t *testing.T) {
 	t.Parallel()
 
-	got, err := CanonicalizeReturnURL("https://example.com/pay/result?b=2#a")
+	got, err := CanonicalizeReturnURL("https://example.com/payment/result?b=2#a", "example.com")
 	if err != nil {
 		t.Fatalf("CanonicalizeReturnURL returned error: %v", err)
 	}
-	if got != "https://example.com/pay/result?b=2" {
-		t.Fatalf("CanonicalizeReturnURL = %q, want %q", got, "https://example.com/pay/result?b=2")
+	if got != "https://example.com/payment/result?b=2" {
+		t.Fatalf("CanonicalizeReturnURL = %q, want %q", got, "https://example.com/payment/result?b=2")
 	}
 }
 
 func TestCanonicalizeReturnURLRejectsRelativeURL(t *testing.T) {
 	t.Parallel()
 
-	if _, err := CanonicalizeReturnURL("/payment/result"); err == nil {
+	if _, err := CanonicalizeReturnURL("/payment/result", "example.com"); err == nil {
 		t.Fatal("CanonicalizeReturnURL should reject relative URLs")
 	}
 }
 
+func TestCanonicalizeReturnURLRejectsExternalHost(t *testing.T) {
+	t.Parallel()
+
+	if _, err := CanonicalizeReturnURL("https://evil.example/payment/result", "app.example.com"); err == nil {
+		t.Fatal("CanonicalizeReturnURL should reject external hosts")
+	}
+}
+
+func TestCanonicalizeReturnURLRejectsNonCanonicalPath(t *testing.T) {
+	t.Parallel()
+
+	if _, err := CanonicalizeReturnURL("https://app.example.com/orders/42", "app.example.com"); err == nil {
+		t.Fatal("CanonicalizeReturnURL should reject non-canonical result paths")
+	}
+}
+
 func TestBuildPaymentReturnURL(t *testing.T) {
 	t.Parallel()