+11
-7
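--- a/app/login/page.tsx
+++ b/app/login/page.tsx
@@ -7,7 +7,9 @@
 }: {
 searchParams: Promise<{ error?: string; returnUrl?: string }>;
 }) {
-const { error, returnUrl = "/" } = await searchParams;
+const params = await searchParams;
+const error = params.error
+const returnUrl = params.returnUrl && params.returnUrl.startsWith('/') ? params.returnUrl : '/';
 
 return (
 <div className="LoginPage">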
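Review bot: `params.returnUrl.startsWith('/')` on new line 12 still accepts protocol-relative values such as `//other-host/...` (and `/\other-host`, which the WHATWG URL parser normalises to `//`), so once the value is resolved against a base URL the redirect can still leave the site; the same one-character check is repeated in app/oauth/callback/route.ts (`parsed.returnUrl.startsWith('/')`, where the new comment saying the URL "is relative" overstates what was verified) and in auth/actions.ts (`!returnUrl.startsWith('/')`). A single shared helper that also rejects anything beginning with `//` or `/\` would give all three sites one definition, as sketched below. In route.ts the resolved `redirectUrl` could additionally be compared with the app's own origin before redirecting, e.g. `if (redirectUrl.origin !== new URL(baseUrl).origin) return NextResponse.redirect(new URL('/', baseUrl));`, which covers every form regardless of where the value came from — assuming `baseUrl` (declared outside the hunk) is this app's origin. The page component continues outside the hunk.
```tsx
// Accept only a same-origin path: it must start with '/' but not with '//' or '/\',
// which the URL parser treats as protocol-relative (i.e. another host).
function safeReturnPath(raw: string | undefined): string {
  if (raw === undefined || !raw.startsWith('/')) return '/';
  if (raw.startsWith('//') || raw.startsWith('/\\')) return '/';
  return raw;
}
// … unchanged: component signature …
const params = await searchParams;
const error = params.error;
const returnUrl = safeReturnPath(params.returnUrl);
```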
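--- a/app/oauth/callback/route.ts
+++ b/app/oauth/callback/route.ts
@@ -35,7 +35,7 @@
 if (state) {
 try {
 const parsed = JSON.parse(state);
-if (parsed.returnUrl && typeof parsed.returnUrl === "string") {
+if (parsed.returnUrl && typeof parsed.returnUrl === "string" && parsed.returnUrl.startsWith('/')) {
 returnUrl = parsed.returnUrl;
 }
 } catch {
@@ -59,7 +59,7 @@
 session.did = oauthSession.did;
 await session.save();
 
-// Redirect to returnUrl
+// Redirect to returnUrl: We have ensured the return URL is relative above:
 const redirectUrl = new URL(returnUrl, baseUrl);
 return NextResponse.redirect(redirectUrl);
 } catch (err) {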
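--- a/auth/actions.ts
+++ b/auth/actions.ts
@@ -6,7 +6,10 @@
 
 export async function login(formData: FormData) {
 const rawHandle = formData.get("loginHint") as string;
-const returnUrl = (formData.get("returnUrl") as string) || "/";
+let returnUrl = (formData.get("returnUrl") as string) || "/";
+if (!returnUrl.startsWith('/')) {
+returnUrl = '/'
+}
 
 const handle = rawHandle?.trim().replace(/^@/, "");
 
@@ -25,13 +28,12 @@
 });
 
 authorizationUrl = url.toString();
+redirect(authorizationUrl);
 } catch (error) {
 console.error("OAuth authorize error:", error);
 const message = error instanceof Error ? error.message : "Unknown error";
 redirect("/login?error=" + encodeURIComponent(`Login failed: ${message}`));
-}
-
-redirect(authorizationUrl);
+}
 }
 
 export async function logout(returnUrl: string = "/") {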
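Review bot: Moving `redirect(authorizationUrl)` inside the `try` on new line 31 places it in the scope of `catch (error)`; if this `redirect` is the one from `next/navigation` it works by throwing, so the successful redirect would be caught, logged as "OAuth authorize error:" and converted into the `/login?error=` redirect — a likely regression relative to the removed placement after the block. Keeping the assignment inside the `try` and calling `redirect(authorizationUrl)` after the `catch`, as the old code did, avoids that; the `catch` already leaves via its own redirect, so the call is only reached on success. Separately, on new line 9 `formData.get("returnUrl") as string` asserts away the `File | null` half of `FormDataEntryValue`; a runtime check narrows it honestly, e.g. `const raw = formData.get("returnUrl"); let returnUrl = typeof raw === "string" && raw ? raw : "/";`. The `login` function begins in the first hunk and its `try` opens between the two hunks, outside what is shown.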
thisismissem.social
submitted
#1
pull request successfully merged
thisismissem.social
submitted
#0
1 commit
Improve OAuth