HackerOne report H1:753547, submitted by bluebert
Dec 07, 2019 - 8:31 a.m.

Polymail, Inc.: Bug in OAuth Success Redirect URI Validation


@bluebert discovered a bug on the OAuth login endpoint that allowed the creation of OAuth login URLs with Polymail as a subdomain of an external domain. This has now been fixed.
A bug in how OAuth login URLs were generated (specifically, in validation of the redirect URI) allowed an attacker to steal the secrets involved in setting up a user's account. If the user had not yet created an account, the attacker could complete the account flow on their behalf and then read all of their email; otherwise the user would be redirected to an attacker-controlled domain.
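The class of flaw described above is a redirect URI check that matches on a prefix of the host name instead of comparing the whole URI against a registered allowlist. The following is an added illustration, not Polymail's code: the exact check Polymail used is not on the page, so `weak_is_allowed` is an assumed example of such a flawed check, and the allowlisted callback URI is constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration; the real registered redirect URIs are not on the page.
ALLOWED_REDIRECT_URIS = {
    "https://polymail.example/oauth/callback",
}


def weak_is_allowed(redirect_uri: str) -> bool:
    """Assumed flawed check: accepts any host whose name *starts with* the product name.

    A host such as polymail.attacker.example passes, because only the prefix is inspected.
    """
    host = urlsplit(redirect_uri).hostname or ""
    return host.startswith("polymail")


def strict_is_allowed(redirect_uri: str) -> bool:
    """Hardened check: the whole URI must exactly equal a registered redirect URI.

    Scheme, authority (host and port) and path are compared as one unit, which is what
    the OAuth 2.0 security guidance recommends for redirect URI validation. Query strings
    and fragments are rejected outright so that nothing can be appended to a registered URI.
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    if parts.query or parts.fragment:
        return False
    # Host names are case-insensitive, so normalise the authority before comparing.
    normalised = f"{parts.scheme}://{parts.netloc.lower()}{parts.path}"
    return normalised in ALLOWED_REDIRECT_URIS


def build_login_url(authorize_endpoint: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Only build an authorisation URL for a redirect URI that passes the strict check."""
    if not strict_is_allowed(redirect_uri):
        raise ValueError(f"redirect_uri not registered: {redirect_uri}")
    from urllib.parse import urlencode
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "response_type": "code", "state": state})
    return f"{authorize_endpoint}?{query}"
```

Both checks accept the registered URI, but only the weak one also accepts a host where "polymail" is merely the leading label of an unrelated domain.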