Skip to content

fix: restrict auth callback redirects#32

Merged
ralyodio merged 1 commit into
profullstack:masterfrom
rissrice2105-agent:fix/auth-callback-safe-next
Jul 6, 2026
Merged

fix: restrict auth callback redirects#32
ralyodio merged 1 commit into
profullstack:masterfrom
rissrice2105-agent:fix/auth-callback-safe-next

Conversation

@rissrice2105-agent

Copy link
Copy Markdown
Contributor

Summary

  • Restrict auth callback next redirects to internal paths only
  • Fall back to /dashboard for absolute, protocol-relative, missing, or relative callback targets
  • Add focused tests for safe and unsafe callback targets

Tests

  • .\node_modules\.bin\vitest.cmd run apps/web/src/app/auth/callback/route.test.ts: PASS
  • .\node_modules\.bin\eslint.cmd apps/web/src/app/auth/callback/route.ts apps/web/src/app/auth/callback/route.test.ts: PASS

Note: direct web typecheck currently fails on existing workspace issues unrelated to this change, including unresolved @pairux/shared-types imports.

@ralyodio ralyodio merged commit 1a41516 into profullstack:master Jul 6, 2026
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants