-
Notifications
You must be signed in to change notification settings - Fork 11
Expand file tree
/
Copy pathurl.ts
More file actions
58 lines (50 loc) · 2.01 KB
/
url.ts
File metadata and controls
58 lines (50 loc) · 2.01 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
import { logger } from '@repo/utils/logger/server'
import { env } from './env.js'
/**
* Validates URL against ALLOWED_ORIGINS: absolute http/https only, origin must be allowlisted.
* When ALLOWED_ORIGINS includes "*", any valid http(s) URL passes.
*/
export function isAllowedUrl(url: string): boolean {
if (typeof url !== 'string' || url.trim().length === 0) {
logger.warn({ url: '[empty]' }, 'isAllowedUrl: empty or missing URL')
return false
}
const trimmed = url.trim()
if (trimmed.startsWith('/') || !trimmed.includes(':')) {
logger.warn({ url: trimmed }, 'isAllowedUrl: relative URL not allowed')
return false
}
let parsed: URL
try {
parsed = new URL(trimmed)
} catch {
logger.warn({ url: trimmed }, 'isAllowedUrl: invalid URL format')
return false
}
const scheme = parsed.protocol.replace(/:$/, '')
if (scheme !== 'http' && scheme !== 'https') {
logger.warn({ url: trimmed, scheme }, 'isAllowedUrl: non-HTTP(S) scheme rejected')
return false
}
const allowed = env.ALLOWED_ORIGINS
if (allowed.includes('*')) return true
const origin = parsed.origin
const ok = allowed.includes(origin)
if (!ok) logger.warn({ url: trimmed, origin, allowed }, 'isAllowedUrl: origin not in allowlist')
return ok
}
/**
* Appends an authorization code to a callback URL, placing it in the query string
* before any existing fragment. When callbackUrl has a fragment (e.g. #section),
* the code must be in the query so the server receives it; fragments are not
* sent in HTTP requests.
*/
export function appendCodeToCallbackUrl(callbackUrl: string, code: string): string {
const hashIndex = callbackUrl.indexOf('#')
const base = hashIndex >= 0 ? callbackUrl.slice(0, hashIndex) : callbackUrl
const fragment = hashIndex >= 0 ? callbackUrl.slice(hashIndex + 1) : ''
const separator = base.includes('?') ? '&' : '?'
const encodedCode = encodeURIComponent(code)
const withCode = `${base}${separator}code=${encodedCode}`
return fragment ? `${withCode}#${fragment}` : withCode
}