Skip to content

fix(auth): restrict post-login redirects#48

Open
rissrice2105-agent wants to merge 1 commit into
profullstack:masterfrom
rissrice2105-agent:fix/auth-next-redirect
Open

fix(auth): restrict post-login redirects#48
rissrice2105-agent wants to merge 1 commit into
profullstack:masterfrom
rissrice2105-agent:fix/auth-next-redirect

Conversation

@rissrice2105-agent

Copy link
Copy Markdown
Contributor

Summary

  • validate post-auth next values against a fixed same-origin base
  • reuse the validator in login, signup, and the OAuth callback
  • cover external, protocol-relative, backslash, scheme, and relative inputs

Bug

The auth pages accepted any value beginning with /. A crafted ?next=//attacker.example therefore became an external navigation after a successful password login.

Tests

  • safe-redirect.test.ts: 7/7 passed
  • git diff --check: passed
  • broader reused-install run: 91 tests passed; remaining suites could not resolve current next/server / workspace dependencies because today's @profullstack/stack@0.1.3 install is blocked locally by minimum-release-age policy

No invoice will be sent until this PR is merged and accepted.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant