packages/lib/getSafeRedirectUrl.ts

// It ensures that redirection URL safe where it is accepted through a query params or other means where user can change it.
export const getSafeRedirectUrl = (url = "") => {
  if (!url) {
    return null;
  }

  //It is important that this fn is given absolute URL because urls that don't start with HTTP can still deceive browser into redirecting to another domain
  if (url.search(/^https?:\/\//) === -1) {
    throw new Error("Pass an absolute URL");
  }

  const urlParsed = new URL(url);

  // Avoid open redirection security vulnerability
  if (
    !["CONSOLE_URL", "WEBAPP_URL", "WEBSITE_URL"].some(
      (u) => new URL(u).origin === urlParsed.origin
    )
  ) {
    url = `${"WEBAPP_URL"}/`;
  }

  return url;
};
test 2023-01-14 16:41:53 +01:00			`// It ensures that redirection URL safe where it is accepted through a query params or other means where user can change it.`
			`export const getSafeRedirectUrl = (url = "") => {`
			`if (!url) {`
			`return null;`
			`}`
login login basics 2023-01-11 14:36:59 +01:00
test 2023-01-14 16:41:53 +01:00			`//It is important that this fn is given absolute URL because urls that don't start with HTTP can still deceive browser into redirecting to another domain`
			`if (url.search(/^https?:\/\//) === -1) {`
			`throw new Error("Pass an absolute URL");`
			`}`
login login basics 2023-01-11 14:36:59 +01:00
test 2023-01-14 16:41:53 +01:00			`const urlParsed = new URL(url);`
login login basics 2023-01-11 14:36:59 +01:00
test 2023-01-14 16:41:53 +01:00			`// Avoid open redirection security vulnerability`
			`if (`
			`!["CONSOLE_URL", "WEBAPP_URL", "WEBSITE_URL"].some(`
			`(u) => new URL(u).origin === urlParsed.origin`
			`)`
			`) {`
			url = `${"WEBAPP_URL"}/`;
			`}`
login login basics 2023-01-11 14:36:59 +01:00
test 2023-01-14 16:41:53 +01:00			`return url;`
			`};`