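--- a/app/login/page.tsx
+++ b/app/login/page.tsx
@@ -7,7 +7,9 @@
 }: {
 searchParams: Promise<{ error?: string; returnUrl?: string }>;
 }) {
-const { error, returnUrl = "/" } = await searchParams;
+const params = await searchParams;
+const error = params.error
+const returnUrl = params.returnUrl && params.returnUrl.startsWith('/') ? params.returnUrl : '/';
 
 return (
 <div className="LoginPage">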
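Review bot: The `startsWith('/')` guard on the new line 12 still accepts protocol-relative values such as `//host/path` (and `/\host`, which WHATWG URL parsing treats the same way), so when that string is later resolved against the app origin it becomes an absolute redirect to another host and the open-redirect the change is meant to close remains. A check that requires a single leading slash closes this: `const returnUrl = params.returnUrl && /^\/(?![\/\\])/.test(params.returnUrl) ? params.returnUrl : '/';`. The same prefix-only check appears on line 38 of app/oauth/callback/route.ts in this commit and needs the same treatment. Separately, line 11 `const error = params.error` is missing its semicolon while the surrounding lines carry one. The page component's signature starts above this hunk.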
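--- a/app/oauth/callback/route.ts
+++ b/app/oauth/callback/route.ts
@@ -35,7 +35,7 @@
 if (state) {
 try {
 const parsed = JSON.parse(state);
-if (parsed.returnUrl && typeof parsed.returnUrl === "string") {
+if (parsed.returnUrl && typeof parsed.returnUrl === "string" && parsed.returnUrl.startsWith('/')) {
 returnUrl = parsed.returnUrl;
 }
 } catch {
@@ -59,7 +59,7 @@
 session.did = oauthSession.did;
 await session.save();
 
-// Redirect to returnUrl
+// Redirect to returnUrl: We have ensured the return URL is relative above:
 const redirectUrl = new URL(returnUrl, baseUrl);
 return NextResponse.redirect(redirectUrl);
 } catch (err) {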
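Review bot: The comment added on line 62 asserts a guarantee ("we have ensured the return URL is relative above") that the code at this point does not enforce; line 63 is where the redirect target is actually resolved, so it is the cheapest place to make the property hold regardless of how `returnUrl` was validated earlier in the handler. Comparing the resolved origin against the app's own origin and falling back to `/` would do that: `const redirectUrl = new URL(returnUrl, baseUrl);` `const target = redirectUrl.origin === new URL(baseUrl).origin ? redirectUrl : new URL("/", baseUrl);` `return NextResponse.redirect(target);` (assuming `baseUrl` is a string or URL of the app's own origin — I cannot see its declaration from this hunk). The comment could then state what is checked rather than what was assumed, e.g. `// Redirect only to a same-origin target; anything else falls back to "/"`. The enclosing handler and its try block start above the first hunk.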