fix(auth): post-callback redirect honors APP_URL (reverse-proxy) (#102) #103
Reference
james/carol!103
Summary
The `redirectTo()` helper in `app/api/auth/oauth/callback/[provider]/route.ts` resolved redirect locations (`/login`, `/profile`, `/account`) against `req.nextUrl` raw — which inside a container behind a reverse proxy is the bind address (`http://0.0.0.0:3000`). Every refused-callback path 302'd users to an internal URL their browser couldn't reach.

Same class of bug as the outbound `redirect_uri` before `APP_URL` was threaded through `appOrigin()`: inbound IdP callback worked (uses `APP_URL`), but the response-time redirect didn't. Discovered while testing #100 against Authentik on carol.int.wynning.tech — `?error=oidc_claim` correctly identified but the redirect landed on `http://0.0.0.0:3000/login?error=oidc_claim` instead of `https://carol.int.wynning.tech/login?...`.

Fix

`redirectTo()` now builds the URL against `appOrigin(req)` (the same helper that drives the outbound `redirect_uri`). The same-origin defence-in-depth check compares against the same public origin. Single source of truth for the public URL stays `APP_URL`.

Test plan

- `npm run typecheck` — clean.
- `npm run lint` — clean.
- `npm test` — 215 / 38 skipped (one new test).
- New test: `APP_URL=https://carol.example.com`, drive the `no_verified_email` refusal, assert the `Location` header starts with `https://carol.example.com/login?error=no_verified_email`.
- Manual: carol.int.wynning.tech after a release — the `oidc_claim` error from #100 should now land on the public URL.

Closes #102.
🤖 Generated with Claude Code
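As an added example that is not part of this PR or the project's code, the pre-fix and post-fix `redirectTo()` behaviours described above are modelled with plain WHATWG URL objects so it runs without Next.js; the request shape, the `appOrigin` signature and the APP_URL fallback are assumptions. The raw resolution yields the container bind address, while the public-origin resolution yields the APP_URL host and rejects off-origin targets.

```typescript
// Added example, not the repository's own code: it reproduces the bug the PR
// describes with plain URL objects so it runs without Next.js. The request
// shape, the appOrigin signature and the APP_URL fallback are assumptions.

// Minimal stand-in for NextRequest: only the field redirectTo() reads.
interface ReqLike {
  nextUrl: URL;
}

// Pre-fix behaviour: resolve the path against req.nextUrl. Behind a reverse
// proxy that is the container's bind address, not the public host.
function redirectToRaw(req: ReqLike, path: string): string {
  return new URL(path, req.nextUrl).toString();
}

// Public origin taken from APP_URL; falling back to the request origin when
// APP_URL is unset is an assumption for this example only.
function appOrigin(req: ReqLike, appUrl: string | undefined): string {
  return appUrl ? new URL(appUrl).origin : req.nextUrl.origin;
}

// Post-fix behaviour: build against the public origin and apply the
// same-origin defence-in-depth check against that same origin.
function redirectToPublic(req: ReqLike, path: string, appUrl?: string): string {
  const origin = appOrigin(req, appUrl);
  const target = new URL(path, origin);
  if (target.origin !== origin) {
    throw new Error(`refusing off-origin redirect to ${target.origin}`);
  }
  return target.toString();
}

// Constructed scenario: container bound to 0.0.0.0:3000, public host
// carol.example.com (the value the PR's new test uses), refused callback.
// The provider slug "authentik" in the callback path is made up.
function demo(): { raw: string; fixed: string } {
  const req: ReqLike = {
    nextUrl: new URL("http://0.0.0.0:3000/api/auth/oauth/callback/authentik?code=abc"),
  };
  const path = "/login?error=no_verified_email";
  return {
    raw: redirectToRaw(req, path),
    fixed: redirectToPublic(req, path, "https://carol.example.com"),
  };
}
```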