fix: validate login redirect target by role

app/auth/login/route.ts

@@ -1,6 +1,13 @@
 import { NextRequest, NextResponse } from "next/server";
 
-import { SESSION_COOKIE, UserRole, authenticateUser, getDefaultPathForRole, serializeSession } from "@/lib/auth";
+import {
+  SESSION_COOKIE,
+  UserRole,
+  canAccessPath,
+  authenticateUser,
+  getDefaultPathForRole,
+  serializeSession
+} from "@/lib/auth";
 import { getRequestAuditContext, writeAuditTrail } from "@/lib/audit";
 import { consumeRateLimit, getRateLimitHeaders } from "@/lib/rate-limit";
 import { prisma } from "@/lib/prisma";
@@ -15,6 +22,10 @@ function getSafePath(value: string | null) {
     return null;
   }
 
+  if (value.startsWith("//")) {
+    return null;
+  }
+
   return value;
 }
 
@@ -118,7 +129,11 @@ export async function POST(request: NextRequest) {
   });
 
   const destination = next ?? getDefaultPathForRole(session.role as UserRole);
-  const response = NextResponse.redirect(new URL(destination, baseUrl));
+  const safeDestination =
+    destination && canAccessPath(session.role as UserRole, destination)
+      ? destination
+      : getDefaultPathForRole(session.role as UserRole);
+  const response = NextResponse.redirect(new URL(safeDestination, baseUrl));
   response.cookies.set(SESSION_COOKIE, await serializeSession(session), {
     httpOnly: true,
     sameSite: "lax",