* chore: bump version to 2.21.12 and implement safe redirect path validation

- Updated application version from 2.21.11 to 2.21.12 in package.json.
- Introduced `getSafeRedirectPath` and `isSafeRedirectPath` utility functions to validate user-supplied redirect URLs, enhancing security against open redirect attacks.
* fix: address page reload issue in Admin tests for CI
This commit is contained in:
Giancarlo Buomprisco
2025-12-09 23:34:10 +08:00
committed by GitHub
parent 2f78e16dfa
commit 44137016cb
15 changed files with 128 additions and 31 deletions


@@ -2,7 +2,7 @@
import type { Provider } from '@supabase/supabase-js';
import { isBrowser } from '@kit/shared/utils';
import { isBrowser, isSafeRedirectPath } from '@kit/shared/utils';
import { If } from '@kit/ui/if';
import { Separator } from '@kit/ui/separator';
import { Trans } from '@kit/ui/trans';
@@ -114,7 +114,8 @@ function getCallbackUrl(props: {
const searchParams = new URLSearchParams(window.location.search);
const next = searchParams.get('next');
if (next) {
// Only pass through the next param if it's a safe internal path
if (next && isSafeRedirectPath(next)) {
url.searchParams.set('next', next);
}
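Review bot: The `isSafeRedirectPath(next)` guard on the new `if` line runs in the browser inside `getCallbackUrl`, so it only filters what this client chooses to forward; an attacker can still hand a victim a callback URL with an arbitrary `next` directly, and nothing in this hunk shows the callback route re-validating it. The check is worth keeping, but the server-side handler that consumes `next` must apply the same validation, otherwise this is defense in depth only. I would make that explicit on the comment line: `// Client-side filter only: the auth callback route must re-validate 'next' server-side, since this URL can be forged`. `getCallbackUrl` and the `isSafeRedirectPath` implementation both continue outside this hunk, so whether the util rejects `//host`, `/\host` and scheme-prefixed strings cannot be confirmed here.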


@@ -1,5 +1,6 @@
'use client';
import { getSafeRedirectPath } from '@kit/shared/utils';
import { useSignOut } from '@kit/supabase/hooks/use-sign-out';
import { Button } from '@kit/ui/button';
import { Trans } from '@kit/ui/trans';
@@ -16,7 +17,11 @@ export function SignOutInvitationButton(
variant={'ghost'}
onClick={async () => {
await signOut.mutateAsync();
window.location.assign(props.nextPath);
// Validate the path to prevent open redirect attacks
const safePath = getSafeRedirectPath(props.nextPath, '/');
window.location.assign(safePath);
}}
>
<Trans i18nKey={'teams:signInWithDifferentAccount'} />
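Review bot: The new `getSafeRedirectPath(props.nextPath, '/')` call fixes the raw `window.location.assign(props.nextPath)`, but the whole protection now rests on a helper whose rules are not visible in this section; `window.location.assign` will happily follow protocol-relative (`//evil.example`), backslash (`/\evil.example`) and `javascript:` targets if the helper only checks for a leading `/`. Since `props.nextPath` presumably originates from an invitation link, I would pin those cases in a unit test for `getSafeRedirectPath` in the same commit and state the contract on the comment line: `// getSafeRedirectPath must reject '//', '/\\' and scheme-bearing values; falls back to '/'`. It is also worth documenting on the prop whether `nextPath` is already trusted, since the fallback to `/` silently drops a bad value with no log. The enclosing `SignOutInvitationButton` component continues outside this hunk.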