chore: store return URLs in session

43081j · 43081j · commit a66f5356888f · 2026-02-06T22:53:36.000Z
Stores the return URL in the session rather than using cookies.
diff --git a/package.json b/package.json
@@ -83,6 +83,7 @@
     "nuxt": "4.3.0",
     "nuxt-og-image": "5.1.13",
     "ofetch": "1.5.1",
+    "ohash": "2.0.11",
     "perfect-debounce": "2.1.0",
     "sanitize-html": "2.17.0",
     "semver": "7.7.3",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/server/api/auth/atproto.get.ts b/server/api/auth/atproto.get.ts
@@ -69,7 +69,7 @@ export default defineEventHandler(async event => {
 
   if (!query.code) {
     // Validate returnTo is a safe relative path (prevent open redirect)
-    // Only set cookie on initial auth request, not the callback
+    // Store in session on initial auth request, not the callback
     let redirectPath = '/'
     try {
       const clientOrigin = new URL(clientUri).origin
@@ -81,12 +81,7 @@ export default defineEventHandler(async event => {
       // Invalid URL, fall back to root
     }
 
-    setCookie(event, 'auth_return_to', redirectPath, {
-      maxAge: 60 * 5,
-      httpOnly: true,
-      // secure only if NOT in dev mode
-      secure: !import.meta.dev,
-    })
+    await session.update({ returnTo: redirectPath })
     try {
       const handle = query.handle?.toString()
       const create = query.create?.toString()
@@ -148,8 +143,8 @@ export default defineEventHandler(async event => {
     })
   }
 
-  const returnToURL = getCookie(event, 'auth_return_to') || '/'
-  deleteCookie(event, 'auth_return_to')
+  const returnToURL = session.data.returnTo || '/'
+  await session.update({ returnTo: undefined })
 
   return sendRedirect(event, returnToURL)
 })
diff --git a/server/api/registry/badge/[type]/[...pkg].get.ts b/server/api/registry/badge/[type]/[...pkg].get.ts
@@ -1,4 +1,5 @@
 import * as v from 'valibot'
+import { hash } from 'ohash'
 import { createError, getRouterParam, getQuery, setHeader } from 'h3'
 import { PackageRouteParamsSchema } from '#shared/schemas/package'
 import { CACHE_MAX_AGE_ONE_HOUR, ERROR_NPM_FETCH_FAILED } from '#shared/utils/constants'
@@ -11,11 +12,13 @@ const OSV_QUERY_API = 'https://api.osv.dev/v1/query'
 const BUNDLEPHOBIA_API = 'https://bundlephobia.com/api/size'
 const NPMS_API = 'https://api.npms.io/v2/package'
 
+const SafeStringSchema = v.pipe(v.string(), v.regex(/^[^<>"&]*$/, 'Invalid characters'))
+
 const QUERY_SCHEMA = v.object({
-  color: v.optional(v.string()),
+  color: v.optional(SafeStringSchema),
   name: v.optional(v.string()),
-  labelColor: v.optional(v.string()),
-  label: v.optional(v.string()),
+  labelColor: v.optional(SafeStringSchema),
+  label: v.optional(SafeStringSchema),
 })
 
 const COLORS = {
@@ -338,7 +341,7 @@ export default defineCachedEventHandler(
       const type = getRouterParam(event, 'type') ?? 'version'
       const pkg = getRouterParam(event, 'pkg') ?? ''
       const query = getQuery(event)
-      return `badge:${type}:${pkg}:${JSON.stringify(query)}`
+      return `badge:${type}:${pkg}:${hash(query)}`
     },
   },
 )
diff --git a/shared/types/userSession.ts b/shared/types/userSession.ts
@@ -12,4 +12,6 @@ export interface UserServerSession {
   // multiple did logins per server session
   oauthSession: NodeSavedSession | undefined
   oauthState: NodeSavedState | undefined
+  // Temporary storage for post-auth redirect path during OAuth flow
+  returnTo?: string
 }

Original file line number	Diff line number	Diff line change
`@@ -12,4 +12,6 @@ export interface UserServerSession {`
`12`	`12`	`// multiple did logins per server session`
`13`	`13`	`oauthSession: NodeSavedSession \| undefined`
`14`	`14`	`oauthState: NodeSavedState \| undefined`
	`15`	`+ // Temporary storage for post-auth redirect path during OAuth flow`
	`16`	`+ returnTo?: string`
`15`	`17`	`}`