pangolin_mirror/pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-03-01 16:26:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

verify redirects are safe before redirecting

Browse Source
This commit is contained in:
Milo Schwartz
2025-01-09 23:21:57 -05:00
parent a556339b76
commit 6c813186b8
18 changed files with 99 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/app/auth/reset-password/ResetPasswordForm.tsx
View File

@@ -43,6 +43,7 @@ import { createApiClient } from "@app/lib/api";
import { useEnvContext } from "@app/hooks/useEnvContext";
import { REGEXP_ONLY_DIGITS_AND_CHARS } from "input-otp";
import { passwordSchema } from "@server/auth/passwordSchema";
import { cleanRedirect } from "@app/lib/cleanRedirect";
const requestSchema = z.object({
email: z.string().email()
@@ -186,11 +187,9 @@ export default function ResetPasswordForm({
setSuccessMessage("Password reset successfully! Back to login...");
setTimeout(() => {
if (redirect && redirect.includes("http")) {
window.location.href = redirect;
}
if (redirect) {
router.push(redirect);
const safe = cleanRedirect(redirect);
router.push(safe);
} else {
router.push("/login");
}

8
src/app/auth/reset-password/page.tsx
View File

@@ -3,6 +3,7 @@ import { redirect } from "next/navigation";
import { cache } from "react";
import ResetPasswordForm from "./ResetPasswordForm";
import Link from "next/link";
import { cleanRedirect } from "@app/lib/cleanRedirect";
export const dynamic = "force-dynamic";
@@ -21,6 +22,11 @@ export default async function Page(props: {
redirect("/");
}
let redirectUrl: string | undefined = undefined;
if (searchParams.redirect) {
redirectUrl = cleanRedirect(searchParams.redirect);
}
return (
<>
<ResetPasswordForm
@@ -34,7 +40,7 @@ export default async function Page(props: {
href={
!searchParams.redirect
? `/auth/signup`
: `/auth/signup?redirect=${searchParams.redirect}`
: `/auth/signup?redirect=${redirectUrl}`
}
className="underline"
>