
Commit d060e65

mhdgning131baseplate-admin
authored and committed
updated: src/frontend/src/lib/utils.ts
updated: src/frontend/src/routes/(needs_onboarding)/login/+page.svelte updated: src/frontend/src/routes/(needs_onboarding)/logout/+page.server.ts
1 parent 0fca0ae commit d060e65

3 files changed

Lines changed: 30 additions & 19 deletions


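--- a/src/frontend/src/lib/utils.ts
+++ b/src/frontend/src/lib/utils.ts
@@ -14,22 +14,18 @@ export type WithElementRef<T, U extends HTMLElement = HTMLElement> = T & { ref?:
 
 export function validateRedirectUrl(url: string, origin: string): string {
 try {
-const parsedUrl = new URL(url, origin);
-if (parsedUrl.origin !== origin) {
-const allowedDomains = ['chithi.dev', 'localhost'];
-if (!allowedDomains.includes(parsedUrl.hostname) && !parsedUrl.hostname.endsWith('.chithi.dev')) {
-url = '/';
-}
-}
-if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:') {
-url = '/';
+const parsed = new URL(url, origin);
+
+if (parsed.origin !== origin) {
+throw new Error('External redirects are not allowed.');
 }
-} catch {
-url = '/';
-}
 
-if (url.startsWith('/admin')) {
-return '/';
+if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+throw new Error('Invalid protocol.');
+}
+return parsed.pathname + parsed.search + parsed.hash;
+} catch (e) {
+if (e instanceof Error) throw e;
+throw new Error('Malformed redirect URL.');
 }
-return url;
 }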
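Review bot: The new origin check can still be bypassed through the path: an absolute same-origin input such as `https://<origin>//evil.example` (or `https://<origin>/\evil.example`, since the URL parser folds `\` to `/` in http(s) URLs) satisfies `parsed.origin === origin` but yields a `pathname` of `//evil.example`, so the returned `parsed.pathname + parsed.search + parsed.hash` is a scheme-relative reference that a `Location` header or client-side navigation will resolve to the foreign host. Add a guard before the `return`: `if (parsed.pathname.startsWith('//')) throw new Error('External redirects are not allowed.');`. Two smaller points: once `parsed.origin === origin` holds the scheme is already that of `origin`, so the `Invalid protocol.` branch can only fire if a caller passes a non-http(s) origin (neither visible caller does); and `new URL` throws a `TypeError`, which is an `Error`, so the `instanceof` rethrow makes the `Malformed redirect URL.` message effectively unreachable — either drop the rethrow so malformed input gets the intended message, or add a doc comment stating that callers must treat any thrown error as "fall back to `/`".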

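--- a/src/frontend/src/routes/(needs_onboarding)/login/+page.svelte
+++ b/src/frontend/src/routes/(needs_onboarding)/login/+page.svelte
@@ -15,10 +15,17 @@
 import AnimatedGrid from '$lib/components/AnimatedGrid.svelte';
 import { validateRedirectUrl } from '$lib/utils';
 
-// Next url
 const nextUrl = $derived.by(() => {
-const url = page.url.searchParams.get('next') ?? '/';
-return validateRedirectUrl(url, page.url.origin);
+const next = page.url.searchParams.get('next') ?? '/';
+try {
+const url = validateRedirectUrl(next, page.url.origin);
+if (url.startsWith('/admin')) {
+return '/';
+}
+return url;
+} catch {
+return '/';
+}
 });
 
 let { data } = $props();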
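Review bot: The `/admin` exclusion that this commit removes from `validateRedirectUrl` is now repeated verbatim here and in the logout action, together with the same try/catch-to-`/` fallback, so any further consumer of `next` has to remember both pieces or it silently regresses to the pre-change behaviour. Consider one helper in `$lib/utils` (say `safeNextPath(next: string, origin: string): string`) that wraps `validateRedirectUrl` in the try/catch, applies the admin rule and returns `'/'` on any failure, so this block collapses to `const nextUrl = $derived(safeNextPath(page.url.searchParams.get('next') ?? '/', page.url.origin));`. Note also that `url.startsWith('/admin')` is a bare prefix match: it catches `/admin/...` as intended but also any route such as `/administrator`, and it is case-sensitive, so whether `/Admin` should be caught depends on how the app's routes match — a one-line comment stating the intended rule either way would help the next reader.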

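--- a/src/frontend/src/routes/(needs_onboarding)/logout/+page.server.ts
+++ b/src/frontend/src/routes/(needs_onboarding)/logout/+page.server.ts
@@ -7,7 +7,15 @@ export const actions = {
 await logout();
 
 let next = url.searchParams.get('next') ?? '/';
-next = validateRedirectUrl(next, url.origin);
+try {
+next = validateRedirectUrl(next, url.origin);
+} catch {
+next = '/';
+}
+
+if (next.startsWith('/admin')) {
+next = '/';
+}
 throw redirect(303, next);
 }
 };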
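Review bot: `throw redirect(303, next)` presumably sends `next` through as the `Location` header, and `validateRedirectUrl` as rewritten in this commit can return a pathname beginning with `//` for a same-origin absolute input such as `https://<origin>//evil.example`, which a browser resolves as a scheme-relative URL to the foreign host. Since this action is the one place in the change that actually issues a server-side redirect, it is worth folding that case into the existing guard as defence in depth: `if (next.startsWith('//') || next.startsWith('/admin')) {`. The enclosing action (where `url` is destructured from) begins before this hunk, so I cannot see whether `next` is touched anywhere else before the redirect.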
