2.21.12 (#423)

* chore: bump version to 2.21.12 and implement safe redirect path validation - Updated application version from 2.21.11 to 2.21.12 in package.json. - Introduced `getSafeRedirectPath` and `isSafeRedirectPath` utility functions to validate user-supplied redirect URLs, enhancing security against open redirect attacks. * fix: address page reload issue in Admin tests for CI
2025-12-09 23:34:10 +08:00
parent 2f78e16dfa
commit 44137016cb
15 changed files with 128 additions and 31 deletions
--- a/apps/e2e/tests/admin/admin.spec.ts
+++ b/apps/e2e/tests/admin/admin.spec.ts
@@ -103,6 +103,9 @@ test.describe('Admin', () => {
        ),
      ]);
      // TODO: find out why we need to reload the page only in CI
      await page.reload();
      await expect(page.getByText('Banned').first()).toBeVisible();
      await page.context().clearCookies();
@@ -149,7 +152,8 @@ test.describe('Admin', () => {
        ),
      ]);
-      await page.waitForTimeout(250);
+      // TODO: find out why we need to reload the page only in CI
      await page.reload();
      // Verify ban badge is removed
      await expect(page.getByText('Banned')).not.toBeVisible();
--- a/apps/web/app/auth/sign-in/page.tsx
+++ b/apps/web/app/auth/sign-in/page.tsx
@@ -1,6 +1,7 @@
 import Link from 'next/link';
 import { SignInMethodsContainer } from '@kit/auth/sign-in';
 import { getSafeRedirectPath } from '@kit/shared/utils';
 import { Button } from '@kit/ui/button';
 import { Heading } from '@kit/ui/heading';
 import { Trans } from '@kit/ui/trans';
@@ -29,7 +30,7 @@ async function SignInPage({ searchParams }: SignInPageProps) {
  const paths = {
    callback: pathsConfig.auth.callback,
-    returnPath: next || pathsConfig.app.home,
+    returnPath: getSafeRedirectPath(next, pathsConfig.app.home),
    joinTeam: pathsConfig.app.joinTeam,
  };
--- a/apps/web/app/auth/verify/page.tsx
+++ b/apps/web/app/auth/verify/page.tsx
@@ -1,6 +1,7 @@
 import { redirect } from 'next/navigation';
 import { MultiFactorChallengeContainer } from '@kit/auth/mfa';
 import { getSafeRedirectPath } from '@kit/shared/utils';
 import { checkRequiresMultiFactorAuthentication } from '@kit/supabase/check-requires-mfa';
 import { getSupabaseServerClient } from '@kit/supabase/server-client';
@@ -38,7 +39,7 @@ async function VerifyPage(props: Props) {
  }
  const nextPath = (await props.searchParams).next;
-  const redirectPath = nextPath ?? pathsConfig.app.home;
+  const redirectPath = getSafeRedirectPath(nextPath, pathsConfig.app.home);
  return (
    <MultiFactorChallengeContainer
--- a/apps/web/app/identities/page.tsx
+++ b/apps/web/app/identities/page.tsx
@@ -3,6 +3,7 @@ import { Metadata } from 'next';
 import { redirect } from 'next/navigation';
 import { AuthLayoutShell } from '@kit/auth/shared';
 import { getSafeRedirectPath } from '@kit/shared/utils';
 import { requireUser } from '@kit/supabase/require-user';
 import { getSupabaseServerClient } from '@kit/supabase/server-client';
 import { Heading } from '@kit/ui/heading';
@@ -96,7 +97,7 @@ async function fetchData(props: IdentitiesPageProps) {
  }
  // Get the next path from URL params (where to redirect after setup)
-  const nextPath = searchParams.next || pathsConfig.app.home;
+  const nextPath = getSafeRedirectPath(searchParams.next, pathsConfig.app.home);
  // Available auth methods to add
  const showPasswordOption = authConfig.providers.password;
--- a/apps/web/app/join/accept/route.ts
+++ b/apps/web/app/join/accept/route.ts
@@ -130,7 +130,8 @@ export async function GET(request: NextRequest) {
      joinUrl.searchParams.set('is_new_user', 'true');
    }
-    authCallbackUrl.searchParams.set('next', joinUrl.href);
+    // Use pathname + search to create a safe relative path for validation
    authCallbackUrl.searchParams.set('next', joinUrl.pathname + joinUrl.search);
    logger.info(
      {
--- a/apps/web/app/update-password/page.tsx
+++ b/apps/web/app/update-password/page.tsx
@@ -2,6 +2,7 @@ import { redirect } from 'next/navigation';
 import { UpdatePasswordForm } from '@kit/auth/password-reset';
 import { AuthLayoutShell } from '@kit/auth/shared';
 import { getSafeRedirectPath } from '@kit/shared/utils';
 import { requireUser } from '@kit/supabase/require-user';
 import { getSupabaseServerClient } from '@kit/supabase/server-client';
@@ -38,7 +39,7 @@ async function UpdatePasswordPage(props: UpdatePasswordPageProps) {
  }
  const { callback } = await props.searchParams;
-  const redirectTo = callback ?? pathsConfig.app.home;
+  const redirectTo = getSafeRedirectPath(callback, pathsConfig.app.home);
  return (
    <AuthLayoutShell Logo={Logo}>
--- a/apps/web/proxy.ts
+++ b/apps/web/proxy.ts
@@ -4,6 +4,7 @@ import { NextResponse } from 'next/server';
 import { CsrfError, createCsrfProtect } from '@edge-csrf/nextjs';
 import { isSuperAdmin } from '@kit/admin';
 import { getSafeRedirectPath } from '@kit/shared/utils';
 import { checkRequiresMultiFactorAuthentication } from '@kit/supabase/check-requires-mfa';
 import { createMiddlewareClient } from '@kit/supabase/middleware-client';
@@ -158,8 +159,10 @@ async function getPatterns() {
        // If user is logged in and does not need to verify MFA,
        // redirect to home page.
        if (!isVerifyMfa) {
-          const nextPath =
+          const nextPath = getSafeRedirectPath(
-            req.nextUrl.searchParams.get('next') ?? pathsConfig.app.home;
+            req.nextUrl.searchParams.get('next'),
            pathsConfig.app.home,
          );
          return NextResponse.redirect(
            new URL(nextPath, req.nextUrl.origin).href,
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "next-supabase-saas-kit-turbo",
-  "version": "2.21.11",
+  "version": "2.21.12",
  "private": true,
  "sideEffects": false,
  "engines": {
--- a/packages/features/auth/src/components/sign-up-methods-container.tsx
+++ b/packages/features/auth/src/components/sign-up-methods-container.tsx
@@ -2,7 +2,7 @@
 import type { Provider } from '@supabase/supabase-js';
-import { isBrowser } from '@kit/shared/utils';
+import { isBrowser, isSafeRedirectPath } from '@kit/shared/utils';
 import { If } from '@kit/ui/if';
 import { Separator } from '@kit/ui/separator';
 import { Trans } from '@kit/ui/trans';
@@ -114,7 +114,8 @@ function getCallbackUrl(props: {
  const searchParams = new URLSearchParams(window.location.search);
  const next = searchParams.get('next');
-  if (next) {
+  // Only pass through the next param if it's a safe internal path
  if (next && isSafeRedirectPath(next)) {
    url.searchParams.set('next', next);
  }
--- a/packages/features/team-accounts/src/components/invitations/sign-out-invitation-button.tsx
+++ b/packages/features/team-accounts/src/components/invitations/sign-out-invitation-button.tsx
@@ -1,5 +1,6 @@
 'use client';
 import { getSafeRedirectPath } from '@kit/shared/utils';
 import { useSignOut } from '@kit/supabase/hooks/use-sign-out';
 import { Button } from '@kit/ui/button';
 import { Trans } from '@kit/ui/trans';
@@ -16,7 +17,11 @@ export function SignOutInvitationButton(
      variant={'ghost'}
      onClick={async () => {
        await signOut.mutateAsync();
-        window.location.assign(props.nextPath);
+
        // Validate the path to prevent open redirect attacks
        const safePath = getSafeRedirectPath(props.nextPath, '/');
        window.location.assign(safePath);
      }}
    >
      <Trans i18nKey={'teams:signInWithDifferentAccount'} />
--- a/packages/shared/src/utils.ts
+++ b/packages/shared/src/utils.ts
@@ -21,3 +21,43 @@ export function formatCurrency(params: {
    currency: params.currencyCode,
  }).format(Number(params.value));
 }
 /**
 * @name isSafeRedirectPath
 * @description Checks if a path is safe for redirects (prevents open redirect attacks).
 * Safe paths must:
 * - Start with a single `/`
 * - NOT start with `//` (protocol-relative URLs)
 * - NOT contain `://` (absolute URLs)
 * - NOT contain backslash (URL normalization attacks)
 */
 export function isSafeRedirectPath(path: string): boolean {
  if (!path || typeof path !== 'string') return false;
  // Must start with exactly one forward slash (relative path)
  if (!path.startsWith('/') || path.startsWith('//')) return false;
  // Must not contain protocol indicators
  if (path.includes('://')) return false;
  // Must not contain backslashes (can be normalized to forward slashes)
  if (path.includes('\\')) return false;
  return true;
 }
 /**
 * @name getSafeRedirectPath
 * @description Returns the path if safe, otherwise returns the fallback.
 * Use this to validate user-supplied redirect URLs to prevent open redirect attacks.
 */
 export function getSafeRedirectPath(
  path: string | null | undefined,
  fallback: string,
 ): string {
  if (path && isSafeRedirectPath(path)) {
    return path;
  }
  return fallback;
 }
--- a/packages/supabase/package.json
+++ b/packages/supabase/package.json
@@ -21,6 +21,9 @@
    "./auth": "./src/auth.ts",
    "./types": "./src/types.ts"
  },
  "dependencies": {
    "@kit/shared": "workspace:*"
  },
  "devDependencies": {
    "@kit/eslint-config": "workspace:*",
    "@kit/prettier-config": "workspace:*",
--- a/packages/supabase/src/auth-callback.service.ts
+++ b/packages/supabase/src/auth-callback.service.ts
@@ -6,6 +6,8 @@ import {
  SupabaseClient,
 } from '@supabase/supabase-js';
 import { isSafeRedirectPath } from '@kit/shared/utils';
 /**
 * @name createAuthCallbackService
 * @description Creates an instance of the AuthCallbackService
@@ -71,9 +73,11 @@ class AuthCallbackService {
    const errorPath = params.errorPath ?? '/auth/callback/error';
-    // remove the query params from the url
+    // remove the auth-related query params from the url
    searchParams.delete('token_hash');
    searchParams.delete('type');
    searchParams.delete('next');
    searchParams.delete('callback');
    // if we have a next path, we redirect to that path
    if (nextPath) {
@@ -132,7 +136,11 @@ class AuthCallbackService {
    const nextUrlPathFromParams = searchParams.get('next');
    const errorPath = params.errorPath ?? '/auth/callback/error';
-    const nextUrl = nextUrlPathFromParams ?? params.redirectPath;
+    // Validate the next URL to prevent open redirect attacks
    const nextUrl =
      nextUrlPathFromParams && isSafeRedirectPath(nextUrlPathFromParams)
        ? nextUrlPathFromParams
        : params.redirectPath;
    if (authCode) {
      try {
@@ -188,6 +196,7 @@ class AuthCallbackService {
  /**
   * Parses a redirect URL and extracts the destination path and query params
   * Handles nested 'next' parameters for chained redirects
   * Validates paths to prevent open redirect attacks
   */
  private parseRedirectDestination(redirectParam: string | null): {
    path: string;
@@ -197,29 +206,45 @@ class AuthCallbackService {
      return null;
    }
    // First, try as a simple relative path with optional query string
    const [pathPart, queryPart] = redirectParam.split('?') as [
      string,
      string | undefined,
    ];
    if (isSafeRedirectPath(pathPart)) {
      return {
        path: pathPart,
        params: new URLSearchParams(queryPart ?? ''),
      };
    }
    // Handle full URLs (e.g., from Supabase callback parameter)
    try {
-      const redirectUrl = new URL(redirectParam);
+      const url = new URL(redirectParam);
-      // check for nested 'next' parameter (chained redirect)
+      // Check for nested 'next' parameter - this is the final destination
-      const nestedNext = redirectUrl.searchParams.get('next');
+      const nestedNext = url.searchParams.get('next');
-      if (nestedNext) {
+      if (nestedNext && isSafeRedirectPath(nestedNext)) {
        // use the nested path as the final destination
        return {
          path: nestedNext,
-          params: redirectUrl.searchParams,
+          params: url.searchParams,
        };
      }
-      // no nested redirect, use the pathname directly
+      // No nested next, use pathname if safe
      if (isSafeRedirectPath(url.pathname)) {
        return {
-        path: redirectUrl.pathname,
+          path: url.pathname,
-        params: redirectUrl.searchParams,
+          params: url.searchParams,
        };
    } catch {
      // invalid URL, ignore
      return null;
      }
    } catch {
      // Invalid URL, ignore
    }
    return null;
  }
  private isLocalhost(host: string | null) {
--- a/packages/supabase/src/hooks/use-link-identity-with-provider.ts
+++ b/packages/supabase/src/hooks/use-link-identity-with-provider.ts
@@ -2,6 +2,8 @@ import type { Provider } from '@supabase/supabase-js';
 import { useMutation } from '@tanstack/react-query';
 import { getSafeRedirectPath } from '@kit/shared/utils';
 import { useSupabase } from './use-supabase';
 export function useLinkIdentityWithProvider(
@@ -14,7 +16,12 @@ export function useLinkIdentityWithProvider(
  const mutationFn = async (provider: Provider) => {
    const origin = window.location.origin;
-    const redirectToPath = props.redirectToPath ?? '/home/settings';
+
    // Validate the redirect path to prevent open redirect attacks
    const redirectToPath = getSafeRedirectPath(
      props.redirectToPath,
      '/home/settings',
    );
    const url = new URL('/auth/callback', origin);
    url.searchParams.set('redirectTo', redirectToPath);
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -1409,6 +1409,10 @@ importers:
        version: 19.2.7
  packages/supabase:
    dependencies:
      '@kit/shared':
        specifier: workspace:*
        version: link:../shared
    devDependencies:
      '@kit/eslint-config':
        specifier: workspace:*
@@ -14427,7 +14431,7 @@ snapshots:
      eslint: 9.39.1(jiti@2.6.1)
      eslint-import-resolver-node: 0.3.9
      eslint-import-resolver-typescript: 3.10.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.48.1(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3))(eslint@9.39.1(jiti@2.6.1)))(eslint@9.39.1(jiti@2.6.1))
-      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@8.48.1(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3))(eslint-import-resolver-typescript@3.10.1)(eslint@9.39.1(jiti@2.6.1))
+      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@8.48.1(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3))(eslint-import-resolver-typescript@3.10.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.48.1(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3))(eslint@9.39.1(jiti@2.6.1)))(eslint@9.39.1(jiti@2.6.1)))(eslint@9.39.1(jiti@2.6.1))
      eslint-plugin-jsx-a11y: 6.10.2(eslint@9.39.1(jiti@2.6.1))
      eslint-plugin-react: 7.37.5(eslint@9.39.1(jiti@2.6.1))
      eslint-plugin-react-hooks: 7.0.1(eslint@9.39.1(jiti@2.6.1))
@@ -14466,7 +14470,7 @@ snapshots:
      tinyglobby: 0.2.15
      unrs-resolver: 1.11.1
    optionalDependencies:
-      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@8.48.1(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3))(eslint-import-resolver-typescript@3.10.1)(eslint@9.39.1(jiti@2.6.1))
+      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@8.48.1(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3))(eslint-import-resolver-typescript@3.10.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.48.1(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3))(eslint@9.39.1(jiti@2.6.1)))(eslint@9.39.1(jiti@2.6.1)))(eslint@9.39.1(jiti@2.6.1))
    transitivePeerDependencies:
      - supports-color
@@ -14481,7 +14485,7 @@ snapshots:
    transitivePeerDependencies:
      - supports-color
-  eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.48.1(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3))(eslint-import-resolver-typescript@3.10.1)(eslint@9.39.1(jiti@2.6.1)):
+  eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.48.1(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3))(eslint-import-resolver-typescript@3.10.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.48.1(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3))(eslint@9.39.1(jiti@2.6.1)))(eslint@9.39.1(jiti@2.6.1)))(eslint@9.39.1(jiti@2.6.1)):
    dependencies:
      '@rtsao/scc': 1.1.0
      array-includes: 3.1.9