mirror of
https://github.com/SrIzan10/next-auth.git
synced 2026-05-01 10:55:20 +00:00
Compare commits
3 Commits
@next-auth
...
next-auth@
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
8c5d9faad6 | ||
|
|
49a8d51f79 | ||
|
|
c0d251731d |
@@ -1,6 +1,6 @@
|
|||||||
{
|
{
|
||||||
"name": "@next-auth/sequelize-adapter",
|
"name": "@next-auth/sequelize-adapter",
|
||||||
"version": "1.0.2",
|
"version": "1.0.4",
|
||||||
"description": "Sequelize adapter for next-auth.",
|
"description": "Sequelize adapter for next-auth.",
|
||||||
"homepage": "https://next-auth.js.org",
|
"homepage": "https://next-auth.js.org",
|
||||||
"repository": "https://github.com/nextauthjs/adapters",
|
"repository": "https://github.com/nextauthjs/adapters",
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
{
|
{
|
||||||
"name": "next-auth",
|
"name": "next-auth",
|
||||||
"version": "4.3.4",
|
"version": "4.5.0",
|
||||||
"description": "Authentication for Next.js",
|
"description": "Authentication for Next.js",
|
||||||
"homepage": "https://next-auth.js.org",
|
"homepage": "https://next-auth.js.org",
|
||||||
"repository": "https://github.com/nextauthjs/next-auth.git",
|
"repository": "https://github.com/nextauthjs/next-auth.git",
|
||||||
|
|||||||
@@ -21,9 +21,11 @@ type ConfigError =
|
|||||||
|
|
||||||
let twitterWarned = false
|
let twitterWarned = false
|
||||||
|
|
||||||
function isValidHttpUrl(url: string) {
|
function isValidHttpUrl(url: string, baseUrl: string) {
|
||||||
try {
|
try {
|
||||||
return /^https?:/.test(new URL(url).protocol)
|
return /^https?:/.test(
|
||||||
|
new URL(url, url.startsWith("/") ? baseUrl : undefined).protocol
|
||||||
|
)
|
||||||
} catch {
|
} catch {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
@@ -57,23 +59,24 @@ export function assertConfig(
|
|||||||
|
|
||||||
const callbackUrlParam = req.query?.callbackUrl as string | undefined
|
const callbackUrlParam = req.query?.callbackUrl as string | undefined
|
||||||
|
|
||||||
if (callbackUrlParam && !isValidHttpUrl(callbackUrlParam)) {
|
const url = parseUrl(req.host)
|
||||||
|
|
||||||
|
if (callbackUrlParam && !isValidHttpUrl(callbackUrlParam, url.base)) {
|
||||||
return new InvalidCallbackUrl(
|
return new InvalidCallbackUrl(
|
||||||
`Invalid callback URL. Received: ${callbackUrlParam}`
|
`Invalid callback URL. Received: ${callbackUrlParam}`
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// This is below the callbackUrlParam check because it would obscure the error
|
||||||
if (!req.host) return "NEXTAUTH_URL"
|
if (!req.host) return "NEXTAUTH_URL"
|
||||||
|
|
||||||
const url = parseUrl(req.host)
|
|
||||||
|
|
||||||
const { callbackUrl: defaultCallbackUrl } = defaultCookies(
|
const { callbackUrl: defaultCallbackUrl } = defaultCookies(
|
||||||
options.useSecureCookies ?? url.base.startsWith("https://")
|
options.useSecureCookies ?? url.base.startsWith("https://")
|
||||||
)
|
)
|
||||||
const callbackUrlCookie =
|
const callbackUrlCookie =
|
||||||
req.cookies?.[options.cookies?.callbackUrl?.name ?? defaultCallbackUrl.name]
|
req.cookies?.[options.cookies?.callbackUrl?.name ?? defaultCallbackUrl.name]
|
||||||
|
|
||||||
if (callbackUrlCookie && !isValidHttpUrl(callbackUrlCookie)) {
|
if (callbackUrlCookie && !isValidHttpUrl(callbackUrlCookie, url.base)) {
|
||||||
return new InvalidCallbackUrl(
|
return new InvalidCallbackUrl(
|
||||||
`Invalid callback URL. Received: ${callbackUrlCookie}`
|
`Invalid callback URL. Received: ${callbackUrlCookie}`
|
||||||
)
|
)
|
||||||
|
|||||||
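Review bot: The relative branch in `isValidHttpUrl` is keyed on `url.startsWith("/")`, which also matches protocol-relative values such as `//host/path`; resolved against `baseUrl` these point at a different host and still pass, because only the scheme is tested. If host enforcement happens later in the flow (not visible in these hunks), the helper should say so with a comment such as `// Scheme check only: the host is NOT validated here, callers must still enforce origin`. Otherwise narrow the branch to `url.startsWith("/") && !url.startsWith("//")`, or compare the resolved `origin` with that of `baseUrl`, so such values are rejected as invalid. In the `assertConfig` hunk, `parseUrl(req.host)` now runs before the `if (!req.host) return "NEXTAUTH_URL"` guard, so relative callback URLs are resolved against whatever `parseUrl` returns for an undefined host; it is worth confirming that it does not throw and that a fallback base is acceptable there. `assertConfig` starts and ends outside the hunk.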