Commit 735569b

hhvrc and claude committed
Fix review issues: redirect validation, status codes, stale comments, error wrapping
- Add isValidRedirectParam() and sanitizeRedirectSearchParam() helpers with reactive RedirectSanitized state for toast notification
- Extract REDIRECT_QUERY_PARAM constant and use across all call sites
- Sanitize invalid redirect params in hooks.client.ts init() using native browser APIs (runs before SvelteKit router init)
- Show warning toast via root layout $effect when a bad param is stripped
- Change 308 → 303 redirects in shockers and /t endpoints
- Validate redirect_uri scheme (HTTP/S only) in API token page
- Update stale comments referencing deprecated function
- Include original error message in GetBasePath error wrapping
- Add tests for new helpers

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 5a8f0c1 commit 735569b

14 files changed

+616
-32
lines changed

src/hooks.client.ts

Lines changed: 3 additions & 0 deletions
@@ -4,8 +4,11 @@ import { backendMetadata } from '$lib/state/BackendMetadata.svelte';
44
import { initializeDarkModeStore } from '$lib/stores/ColorSchemeStore.svelte';
55
import { initializeSerialPortsStore } from '$lib/stores/SerialPortsStore';
66
import { UserStore } from '$lib/stores/UserStore';
7+
import { sanitizeRedirectSearchParam } from '$lib/utils/url';
78

89
export async function init() {
10+
sanitizeRedirectSearchParam();
11+
912
initBackendMetadata().catch((error) => {
1013
handleApiError(error);
1114
});
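Review bot: sanitizeRedirectSearchParam() is called unguarded as the first statement of init(); if the helper throws (a failing history API call, or any parsing error inside it), client init aborts before initBackendMetadata() runs, so a bad query string would produce a broken page instead of a stripped parameter. Either wrap the call in a try/catch here, or document that the helper is guaranteed never to throw. A one-line comment stating why the call must come first (it has to run before the SvelteKit router reads the URL, as the commit message explains) would also help the next reader, since that ordering is load-bearing and nothing in the code says so.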

src/lib/api/index.ts

Lines changed: 2 additions & 1 deletion
@@ -39,7 +39,8 @@ function GetBasePath(): string {
3939

4040
return `${url.origin}${pathname}`;
4141
} catch (error) {
42-
throw new Error('PUBLIC_BACKEND_API_URL is not a valid URL', { cause: error });
42+
const message = error instanceof Error ? error.message : String(error);
43+
throw new Error(`PUBLIC_BACKEND_API_URL is not a valid URL: ${message}`, { cause: error });
4344
}
4445
}
4546
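Review bot: the `{ cause: error }` option already carries the original error, so interpolating `message` into the new Error text duplicates it; that is fine for log readability, but some URL parser implementations echo the offending input in their message, which here is the configured PUBLIC_BACKEND_API_URL value. Make sure this Error is only logged and never surfaced verbatim to users. The `error instanceof Error ? error.message : String(error)` guard on line 42 is the right way to handle non-Error throwables.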

Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
/** Reactive flag set when {@link sanitizeRedirectSearchParam} strips a malicious redirect param. */
2+
let flag = $state(false);
3+
4+
export const redirectSanitized = {
5+
get value() {
6+
return flag;
7+
},
8+
set() {
9+
flag = true;
10+
},
11+
reset() {
12+
flag = false;
13+
},
14+
};
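Review bot: `set()` takes no argument and can only ever set the flag to true, which reads oddly beside `reset()`; consider `mark()` or `set(value: boolean)` so the call site's intent is obvious. The doc comment says the helper strips a "malicious" redirect param, while the commit message describes the stripped values as "invalid"; a malformed but harmless value is stripped the same way, so "invalid" is the accurate word. Also, this module uses the `$state` rune at top level, which only compiles in a `.svelte.ts`/`.svelte.js` module; the file name is not shown in this rendering, so confirm the extension.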
