@@ -10,6 +10,8 @@ import { handleResolver } from '#server/utils/atproto/oauth'
1010import { Client } from '@atproto/lex'
1111import * as app from '#shared/types/lexicons/app'
1212import { ensureValidAtIdentifier } from '@atproto/syntax'
13+ // @ts -expect-error virtual file from oauth module
14+ import { clientUri } from '#oauth/config'
1315
1416/**
1517 * Fetch the user's profile record to get their avatar blob reference
@@ -53,13 +55,11 @@ export default defineEventHandler(async event => {
5355 }
5456
5557 const query = getQuery ( event )
56- const rawReturnTo = query . returnTo ?. toString ( ) || '/'
5758 // Validate returnTo is a safe relative path (prevent open redirect)
58- const isRelativePath =
59- rawReturnTo . startsWith ( '/' ) && ! rawReturnTo . startsWith ( '//' ) && ! rawReturnTo . includes ( ':' )
60- const returnTo = isRelativePath ? rawReturnTo : '/'
59+ const newURL = new URL ( query . returnTo ?. toString ( ) || '/' , clientUri )
60+ const redirectPath = newURL . origin === clientUri ? newURL . pathname : '/'
6161
62- setCookie ( event , 'auth_return_to' , returnTo , {
62+ setCookie ( event , 'auth_return_to' , redirectPath , {
6363 maxAge : 60 * 5 ,
6464 httpOnly : true ,
6565 // secure only if NOT in dev mode
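Review bot: The origin check on new line 60 compares `newURL.origin` to `clientUri` verbatim, so unless `clientUri` is exactly scheme+host with no trailing slash or path (its value is not visible here) every returnTo silently collapses to '/'; comparing against `new URL(clientUri).origin` makes the check independent of how that constant is written. `new URL()` on new line 59 also throws on unparsable input, so a malformed returnTo query value would surface as an unhandled error from the handler rather than hitting the '/' fallback, and a try/catch around the parse keeps the fail-closed behaviour. Taking `pathname` alone additionally drops any query string and fragment that the removed code preserved; if callers relied on returnTo carrying a query, append `newURL.search`. The enclosing `defineEventHandler` starts and ends outside the hunk.
```javascript
  const query = getQuery(event)
  // Validate returnTo is a safe relative path (prevent open redirect);
  // anything unparsable or on a foreign origin falls back to '/'
  let redirectPath = '/'
  try {
    const newURL = new URL(query.returnTo?.toString() || '/', clientUri)
    if (newURL.origin === new URL(clientUri).origin) {
      redirectPath = newURL.pathname
    }
  } catch {
    // malformed returnTo: keep the '/' default
  }
  // … unchanged: setCookie(event, 'auth_return_to', redirectPath, { … }) …
```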