
Commit 96138ca

committed
refactor: move validateCallbackUrl into input-validation.ts
1 parent 730c9ae commit 96138ca


4 files changed

+23
-23
lines changed


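--- a/apps/sim/app/(auth)/login/login-form.tsx
+++ b/apps/sim/app/(auth)/login/login-form.tsx
@@ -15,8 +15,8 @@ import {
 ModalHeader,
 } from '@/components/emcn'
 import { client } from '@/lib/auth/auth-client'
-import { validateCallbackUrl } from '@/lib/auth/validate-callback-url'
 import { getEnv, isFalsy, isTruthy } from '@/lib/core/config/env'
+import { validateCallbackUrl } from '@/lib/core/security/input-validation'
 import { cn } from '@/lib/core/utils/cn'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'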

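--- a/apps/sim/ee/sso/components/sso-form.tsx
+++ b/apps/sim/ee/sso/components/sso-form.tsx
@@ -6,8 +6,8 @@ import Link from 'next/link'
 import { useRouter, useSearchParams } from 'next/navigation'
 import { Button, Input, Label } from '@/components/emcn'
 import { client } from '@/lib/auth/auth-client'
-import { validateCallbackUrl } from '@/lib/auth/validate-callback-url'
 import { env, isFalsy } from '@/lib/core/config/env'
+import { validateCallbackUrl } from '@/lib/core/security/input-validation'
 import { cn } from '@/lib/core/utils/cn'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
 import { BrandedButton } from '@/app/(auth)/components/branded-button'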

apps/sim/lib/auth/validate-callback-url.ts

Lines changed: 0 additions & 21 deletions
This file was deleted.

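--- a/apps/sim/lib/core/security/input-validation.ts
+++ b/apps/sim/lib/core/security/input-validation.ts
@@ -1169,3 +1169,24 @@ export function validatePaginationCursor(
 
 return { isValid: true, sanitized: value }
 }
+
+/**
+ * Validates a callback URL to prevent open redirect attacks.
+ * Accepts relative paths and absolute URLs matching the current origin.
+ *
+ * @param url - The callback URL to validate
+ * @returns true if the URL is safe to redirect to
+ */
+export function validateCallbackUrl(url: string): boolean {
+try {
+if (url.startsWith('/')) return true
+
+const currentOrigin = typeof window !== 'undefined' ? window.location.origin : ''
+if (url.startsWith(currentOrigin)) return true
+
+return false
+} catch (error) {
+logger.error('Error validating callback URL:', { error, url })
+return false
+}
+}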
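Review bot: The origin check at new line 1185, `if (url.startsWith(currentOrigin)) return true`, is a string-prefix comparison, so it does not enforce what the docstring promises: when `window` is undefined `currentOrigin` is `''` and `startsWith('')` is true for every input, and in the browser any absolute URL whose text merely begins with the origin string (a different host that shares the origin as a prefix) is also accepted. The relative-path branch on line 1182 has the same class of gap, because a string starting with `//` (or `/\`) is protocol-relative and is resolved by browsers as an absolute URL to another host, yet it passes the `startsWith('/')` test. The safer shape is to reject protocol-relative forms, fail closed when no browser origin is available, and compare parsed origins via `new URL(url, currentOrigin).origin === currentOrigin` rather than prefixes; if this function is intentionally called during SSR, compare against a configured base URL instead of returning false. `logger` is used at line 1189 but not imported in this hunk, so it presumably already exists at the top of input-validation.ts — worth confirming since the function moved files. This move is a good moment to add unit tests for the three cases above, since the old file apparently had none.

```typescript
export function validateCallbackUrl(url: string): boolean {
  try {
    // "//host" and "/\host" are protocol-relative absolute URLs, not same-site paths.
    if (url.startsWith('/') && !url.startsWith('//') && !url.startsWith('/\\')) return true

    // No browser origin to compare against: fail closed rather than matching ''.
    if (typeof window === 'undefined') return false
    const currentOrigin = window.location.origin

    // Compare parsed origins, not string prefixes.
    return new URL(url, currentOrigin).origin === currentOrigin
  } catch (error) {
    // … unchanged: logger.error(...) and return false …
  }
}
```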
