feat(login): Implement secure post-login redirection

Return users to their original requested page after login, with robust same-origin validation to prevent open redirects.

Co-Author Agent Hero <agent-hero@neurocis.ai>
This commit is contained in:
neurocis 2026-06-02 21:54:48 -07:00
parent d871b2e0d7
commit 6609632bf6
5 changed files with 109 additions and 10 deletions

View file

@ -266,10 +266,20 @@ function _normalizeApiUrl(url) {
}
function redirect(response) {
if (!(response.redirected && response.url.endsWith("/login"))) return false;
if (!response.redirected) return false;
const _redirectUrl = new URL(response.url);
if (_redirectUrl.origin === window.location.origin) {
window.location.href = response.url;
if (
_redirectUrl.origin === window.location.origin &&
_redirectUrl.pathname === "/login"
) {
const currentUrl = `${window.location.pathname}${window.location.search}${window.location.hash}`;
if (currentUrl && currentUrl !== "/login") {
_redirectUrl.searchParams.set("next", currentUrl);
}
window.location.href = _redirectUrl.toString();
return true;
}
return true;
}
return false;
}