pangolin_mirror/pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-02-25 06:16:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

verify redirects are safe before redirecting

Browse Source
This commit is contained in:
Milo Schwartz
2025-01-09 23:21:57 -05:00
parent a556339b76
commit 6c813186b8
18 changed files with 99 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/app/auth/login/DashboardLoginForm.tsx
View File

@@ -13,6 +13,7 @@ import { useEnvContext } from "@app/hooks/useEnvContext";
import { useRouter } from "next/navigation";
import { useEffect } from "react";
import Image from "next/image";
import { cleanRedirect } from "@app/lib/cleanRedirect";
type DashboardLoginFormProps = {
redirect?: string;
@@ -57,10 +58,9 @@ export default function DashboardLoginForm({
<LoginForm
redirect={redirect}
onLogin={() => {
if (redirect && redirect.includes("http")) {
window.location.href = redirect;
} else if (redirect) {
router.push(redirect);
if (redirect) {
const safe = cleanRedirect(redirect);
router.push(safe);
} else {
router.push("/");
}

12
src/app/auth/login/page.tsx
View File

@@ -5,6 +5,7 @@ import { cache } from "react";
import DashboardLoginForm from "./DashboardLoginForm";
import { Mail } from "lucide-react";
import { pullEnv } from "@app/lib/pullEnv";
import { cleanRedirect } from "@app/lib/cleanRedirect";
export const dynamic = "force-dynamic";
@@ -25,6 +26,11 @@ export default async function Page(props: {
redirect("/");
}
let redirectUrl: string | undefined = undefined;
if (searchParams.redirect) {
redirectUrl = cleanRedirect(searchParams.redirect as string);
}
return (
<>
{isInvite && (
@@ -42,16 +48,16 @@ export default async function Page(props: {
</div>
)}
<DashboardLoginForm redirect={searchParams.redirect as string} />
<DashboardLoginForm redirect={redirectUrl} />
{(!signUpDisabled || isInvite) && (
<p className="text-center text-muted-foreground mt-4">
Don't have an account?{" "}
<Link
href={
!searchParams.redirect
!redirectUrl
? `/auth/signup`
: `/auth/signup?redirect=${searchParams.redirect}`
: `/auth/signup?redirect=${redirectUrl}`
}
className="underline"
>

7
src/app/auth/reset-password/ResetPasswordForm.tsx
View File

@@ -43,6 +43,7 @@ import { createApiClient } from "@app/lib/api";
import { useEnvContext } from "@app/hooks/useEnvContext";
import { REGEXP_ONLY_DIGITS_AND_CHARS } from "input-otp";
import { passwordSchema } from "@server/auth/passwordSchema";
import { cleanRedirect } from "@app/lib/cleanRedirect";
const requestSchema = z.object({
email: z.string().email()
@@ -186,11 +187,9 @@ export default function ResetPasswordForm({
setSuccessMessage("Password reset successfully! Back to login...");
setTimeout(() => {
if (redirect && redirect.includes("http")) {
window.location.href = redirect;
}
if (redirect) {
router.push(redirect);
const safe = cleanRedirect(redirect);
router.push(safe);
} else {
router.push("/login");
}

8
src/app/auth/reset-password/page.tsx
View File

@@ -3,6 +3,7 @@ import { redirect } from "next/navigation";
import { cache } from "react";
import ResetPasswordForm from "./ResetPasswordForm";
import Link from "next/link";
import { cleanRedirect } from "@app/lib/cleanRedirect";
export const dynamic = "force-dynamic";
@@ -21,6 +22,11 @@ export default async function Page(props: {
redirect("/");
}
let redirectUrl: string | undefined = undefined;
if (searchParams.redirect) {
redirectUrl = cleanRedirect(searchParams.redirect);
}
return (
<>
<ResetPasswordForm
@@ -34,7 +40,7 @@ export default async function Page(props: {
href={
!searchParams.redirect
? `/auth/signup`
: `/auth/signup?redirect=${searchParams.redirect}`
: `/auth/signup?redirect=${redirectUrl}`
}
className="underline"
>

6
src/app/auth/resource/[resourceId]/ResourceAuthPortal.tsx
View File

@@ -481,11 +481,7 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
className={`${numMethods <= 1 ? "mt-0" : ""}`}
>
<LoginForm
redirect={
typeof window !== "undefined"
? window.location.href
: ""
}
redirect={`/auth/resource/${props.resource.id}`}
onLogin={async () =>
await handleSSOAuth()
}

12
src/app/auth/resource/[resourceId]/page.tsx
View File

@@ -55,7 +55,17 @@ export default async function ResourceAuthPage(props: {
);
}
const redirectUrl = searchParams.redirect || authInfo.url;
let redirectUrl = authInfo.url;
// if (searchParams.redirect) {
// try {
// const serverResourceHost = new URL(authInfo.url).host;
// const redirectHost = new URL(searchParams.redirect).host;
//
// if (serverResourceHost === redirectHost) {
// redirectUrl = searchParams.redirect;
// }
// } catch (e) {}
// }
const hasAuth =
authInfo.password ||

11
src/app/auth/signup/SignupForm.tsx
View File

@@ -30,6 +30,7 @@ import { formatAxiosError } from "@app/lib/api";
import { createApiClient } from "@app/lib/api";
import { useEnvContext } from "@app/hooks/useEnvContext";
import Image from "next/image";
import { cleanRedirect } from "@app/lib/cleanRedirect";
type SignupFormProps = {
redirect?: string;
@@ -92,17 +93,17 @@ export default function SignupForm({
if (res.data?.data?.emailVerificationRequired) {
if (redirect) {
router.push(`/auth/verify-email?redirect=${redirect}`);
const safe = cleanRedirect(redirect);
router.push(`/auth/verify-email?redirect=${safe}`);
} else {
router.push("/auth/verify-email");
}
return;
}
if (redirect && redirect.includes("http")) {
window.location.href = redirect;
} else if (redirect) {
router.push(redirect);
if (redirect) {
const safe = cleanRedirect(redirect);
router.push(safe);
} else {
router.push("/");
}

12
src/app/auth/signup/page.tsx
View File

@@ -1,5 +1,6 @@
import SignupForm from "@app/app/auth/signup/SignupForm";
import { verifySession } from "@app/lib/auth/verifySession";
import { cleanRedirect } from "@app/lib/cleanRedirect";
import { pullEnv } from "@app/lib/pullEnv";
import { Mail } from "lucide-react";
import Link from "next/link";
@@ -41,6 +42,11 @@ export default async function Page(props: {
}
}
let redirectUrl: string | undefined;
if (searchParams.redirect) {
redirectUrl = cleanRedirect(searchParams.redirect);
}
return (
<>
{isInvite && (
@@ -59,7 +65,7 @@ export default async function Page(props: {
)}
<SignupForm
redirect={searchParams.redirect as string}
redirect={redirectUrl}
inviteToken={inviteToken}
inviteId={inviteId}
/>
@@ -68,9 +74,9 @@ export default async function Page(props: {
Already have an account?{" "}
<Link
href={
!searchParams.redirect
!redirectUrl
? `/auth/login`
: `/auth/login?redirect=${searchParams.redirect}`
: `/auth/login?redirect=${redirectUrl}`
}
className="underline"
>

7
src/app/auth/verify-email/VerifyEmailForm.tsx
View File

@@ -36,6 +36,7 @@ import { useRouter } from "next/navigation";
import { formatAxiosError } from "@app/lib/api";;
import { createApiClient } from "@app/lib/api";
import { useEnvContext } from "@app/hooks/useEnvContext";
import { cleanRedirect } from "@app/lib/cleanRedirect";
const FormSchema = z.object({
email: z.string().email({ message: "Invalid email address" }),
@@ -91,11 +92,9 @@ export default function VerifyEmailForm({
"Email successfully verified! Redirecting you..."
);
setTimeout(() => {
if (redirect && redirect.includes("http")) {
window.location.href = redirect;
}
if (redirect) {
router.push(redirect);
const safe = cleanRedirect(redirect);
router.push(safe);
} else {
router.push("/");
}

8
src/app/auth/verify-email/page.tsx
View File

@@ -1,5 +1,6 @@
import VerifyEmailForm from "@app/app/auth/verify-email/VerifyEmailForm";
import { verifySession } from "@app/lib/auth/verifySession";
import { cleanRedirect } from "@app/lib/cleanRedirect";
import { pullEnv } from "@app/lib/pullEnv";
import { redirect } from "next/navigation";
import { cache } from "react";
@@ -27,11 +28,16 @@ export default async function Page(props: {
redirect("/");
}
let redirectUrl: string | undefined;
if (searchParams.redirect) {
redirectUrl = cleanRedirect(searchParams.redirect as string);
}
return (
<>
<VerifyEmailForm
email={user.email}
redirect={searchParams.redirect as string}
redirect={redirectUrl}
/>
</>
);