Add sanitize function

kinde-oss · Sep 5, 2023 · 6722ce0 · 6722ce0
1 parent 2f8f562
commit 6722ce0
Show file tree

Hide file tree

Showing 7 changed files with 23 additions and 6 deletions.
diff --git a/src/config/index.js b/src/config/index.js
@@ -7,7 +7,12 @@ const initialState = {
 const SESSION_PREFIX = 'pkce-verifier';
 
 const KINDE_SITE_URL = process.env.KINDE_SITE_URL;
-const KINDE_AUTH_API_PATH = process.env.KINDE_AUTH_API_PATH || '/api/auth';
+
+// We need to use NEXT_PUBLIC for frontend vars
+const KINDE_AUTH_API_PATH = process.env.NEXT_PUBLIC_KINDE_AUTH_API_PATH
+  || process.env.KINDE_AUTH_API_PATH
+  || '/api/auth';
+
 const KINDE_POST_LOGIN_REDIRECT_URL =
   process.env.KINDE_POST_LOGIN_REDIRECT_URL ||
   process.env.KINDE_POST_LOGIN_URL_REDIRECT_URL;

diff --git a/src/frontend/AuthProvider.jsx b/src/frontend/AuthProvider.jsx
@@ -244,6 +244,7 @@ export const KindeProvider = ({children}) => {
     error,
     isLoading
   } = state;
+
   return (
     <AuthContext.Provider
       value={{

diff --git a/src/handlers/pageRouter/callback.js b/src/handlers/pageRouter/callback.js
@@ -1,7 +1,9 @@
+import jwt_decode from 'jwt-decode';
+
 import {config} from '../../config/index';
 import {isTokenValid} from '../../utils/pageRouter/isTokenValid';
 import {version} from '../../utils/version';
-import jwt_decode from 'jwt-decode';
+import {sanitizeRedirect} from '../../utils/sanitizeRedirect';
 
 var cookie = require('cookie');
 
@@ -21,7 +23,10 @@ export const callback = async (req, res) => {
       } = JSON.parse(jsonCookieValue);
 
       if (options?.callback_url) {
-        redirectUrl = options.callback_url;
+        redirectUrl = sanitizeRedirect({
+          baseUrl: new URL(config.redirectURL).origin,
+          url: options.callback_url
+        });
       }
 
       const response = await fetch(

diff --git a/src/utils/appRouter/prepareForRedirect.js b/src/utils/appRouter/prepareForRedirect.js
@@ -1,4 +1,3 @@
-import {config} from '../../config/index';
 import {setupChallenge} from '../setupChallenge';
 import {setVerifierCookie} from './setVerifierCookie';
 import {generateAuthUrl} from '../generateAuthUrl';

diff --git a/src/utils/generateAuthUrl.js b/src/utils/generateAuthUrl.js
@@ -1,5 +1,4 @@
 import {config} from '../config/index';
-import {setupChallenge} from './setupChallenge';
 
 export function generateAuthUrl(options, type = 'login') {
   const {org_code, is_create_org, org_name = ''} = options;

diff --git a/src/utils/pageRouter/prepareForRedirect.js b/src/utils/pageRouter/prepareForRedirect.js
@@ -1,4 +1,3 @@
-import {config} from '../../config/index';
 import {setupChallenge} from '../setupChallenge';
 import {setVerifierCookie} from './setVerifierCookie';
 import {generateAuthUrl} from '../generateAuthUrl';

diff --git a/src/utils/sanitizeRedirect.js b/src/utils/sanitizeRedirect.js
@@ -0,0 +1,9 @@
+export const sanitizeRedirect = ({baseUrl, url}) => {
+  if (url.startsWith("/")){
+    return `${baseUrl}${url}`
+  } else if (new URL(url).origin === baseUrl) {
+    return url
+  }
+
+  return baseUrl
+}