wirabasalamah/whatsapp-inbox-platform
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix: use forwarded host for auth redirects
Some checks failed
CI - Production Readiness / Verify (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Wira Basalamah
2026-04-21 13:18:13 +07:00
parent 70183fe23e
commit 6c6ed15c31
4 changed files with 32 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
app/auth/login/route.ts
View File

@ -4,6 +4,7 @@ import { SESSION_COOKIE, UserRole, authenticateUser, getDefaultPathForRole, seri
import { getRequestAuditContext, writeAuditTrail } from "@/lib/audit";
import { consumeRateLimit, getRateLimitHeaders } from "@/lib/rate-limit";
import { prisma } from "@/lib/prisma";
import { getRequestBaseUrl } from "@/lib/request-url";
function getSafePath(value: string | null) {
if (!value) {
@ -28,6 +29,7 @@ function resolveNumber(raw: string | undefined, fallback: number) {
export async function POST(request: NextRequest) {
const { ipAddress, userAgent } = await getRequestAuditContext();
const baseUrl = getRequestBaseUrl(request);
const retryControl = consumeRateLimit(ipAddress || "unknown", {
scope: "auth_login",
limit: resolveNumber(process.env.LOGIN_RATE_LIMIT_ATTEMPTS, 10),
@ -35,7 +37,7 @@ export async function POST(request: NextRequest) {
});
if (!retryControl.allowed) {
const loginUrl = new URL("/login", request.url);
const loginUrl = new URL("/login", baseUrl);
loginUrl.searchParams.set("error", "rate_limited");
const response = NextResponse.redirect(loginUrl);
const headers = getRateLimitHeaders(retryControl);
@ -55,7 +57,7 @@ export async function POST(request: NextRequest) {
const password = typeof rawPassword === "string" ? rawPassword : "";
if (!email || !password) {
const loginUrl = new URL("/login", request.url);
const loginUrl = new URL("/login", baseUrl);
loginUrl.searchParams.set("error", "credentials_required");
if (next) {
loginUrl.searchParams.set("next", next);
@ -88,7 +90,7 @@ export async function POST(request: NextRequest) {
});
}
const loginUrl = new URL("/login", request.url);
const loginUrl = new URL("/login", baseUrl);
loginUrl.searchParams.set("error", "invalid_credentials");
if (next) {
loginUrl.searchParams.set("next", next);
@ -116,7 +118,7 @@ export async function POST(request: NextRequest) {
});
const destination = next ?? getDefaultPathForRole(session.role as UserRole);
const response = NextResponse.redirect(new URL(destination, request.url));
const response = NextResponse.redirect(new URL(destination, baseUrl));
response.cookies.set(SESSION_COOKIE, await serializeSession(session), {
httpOnly: true,
sameSite: "lax",

3
app/auth/logout/route.ts
View File

@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from "next/server";
import { getRequestAuditContext, writeAuditTrail } from "@/lib/audit";
import { getSession, SESSION_COOKIE } from "@/lib/auth";
import { getRequestBaseUrl } from "@/lib/request-url";
export async function GET(request: NextRequest) {
const session = await getSession();
@ -20,7 +21,7 @@ export async function GET(request: NextRequest) {
});
}
const response = NextResponse.redirect(new URL("/login", request.url));
const response = NextResponse.redirect(new URL("/login", getRequestBaseUrl(request)));
response.cookies.delete(SESSION_COOKIE);
return response;
}