@devin-ai-integration devin-ai-integration bot commented Jan 9, 2026

Summary

When a user with an active auth session visits the /auth (login) page with flow=web, they are now automatically redirected away from the login page. The redirect destination is either the redirect search param if provided, or /app/account by default.

This mirrors the inverse logic in /_view/app/route.tsx which redirects unauthenticated users TO /auth.

Desktop flow (flow=desktop) is intentionally unaffected to allow the desktop app OAuth handshake to complete.

Security

The redirect parameter is validated to prevent open redirect attacks. URLs starting with http://, https://, or // are rejected and fall back to /app/account.

Review & Testing Checklist for Human

  • Test web flow: Visit /auth?flow=web while logged in - should redirect to /app/account
  • Test redirect param: Visit /auth?flow=web&redirect=/pricing while logged in - should redirect to /pricing
  • Test open redirect protection: Visit /auth?flow=web&redirect=https://evil.com while logged in - should redirect to /app/account (NOT evil.com)
  • Test protocol-relative URL: Visit /auth?flow=web&redirect=//evil.com while logged in - should redirect to /app/account
  • Test desktop flow: Visit /auth?flow=desktop while logged in - should NOT redirect (allows OAuth to complete)
  • Test unauthenticated: Visit /auth while logged out - should show login page normally

Notes

Requested by @ComputelessComputer

Link to Devin run


netlify bot commented Jan 9, 2026

Deploy Preview for howto-fix-macos-audio-selection canceled.

Latest commit: 59bd756
Latest deploy log: https://app.netlify.com/projects/howto-fix-macos-audio-selection/deploys/6960c651d0959a0008d66205

netlify bot commented Jan 9, 2026

Deploy Preview for hyprnote ready!

Latest commit: 59bd756
Latest deploy log: https://app.netlify.com/projects/hyprnote/deploys/6960c651aac1e20008c517e4
Deploy Preview: https://deploy-preview-2928--hyprnote.netlify.app

netlify bot commented Jan 9, 2026

Deploy Preview for hyprnote-storybook ready!

Latest commit: 59bd756
Latest deploy log: https://app.netlify.com/projects/hyprnote-storybook/deploys/6960c651232a8b0008086ae7
Deploy Preview: https://deploy-preview-2928--hyprnote-storybook.netlify.app

Comment on lines 23 to 25
throw redirect({
to: search.redirect || "/app/account",
});

Open Redirect Vulnerability: The search.redirect parameter is user-controlled and used directly as a redirect destination without validation. An attacker can craft a malicious URL like /auth?flow=web&redirect=https://evil.com to redirect authenticated users to external sites for phishing attacks.

Fix: Validate that the redirect is a relative path:

if (user && search.flow === "web") {
  const redirectTo = search.redirect || "/app/account";
  // Ensure redirect is relative and doesn't start with // or http(s)://
  if (redirectTo.startsWith('http://') || redirectTo.startsWith('https://') || redirectTo.startsWith('//')) {
    throw redirect({ to: "/app/account" });
  }
  throw redirect({ to: redirectTo });
}
Suggested change
throw redirect({
to: search.redirect || "/app/account",
});
throw redirect({
to: search.redirect && !search.redirect.startsWith('http://') &&
!search.redirect.startsWith('https://') && !search.redirect.startsWith('//')
? search.redirect
: "/app/account",
});
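Review bot: the suggested ternary keeps the check as a denylist of three literal prefixes, so it covers exactly the two cases in the PR checklist (absolute http(s) URLs and "//") and nothing else; a scheme written in different case or a "/\" prefix, which browsers treat like "//" for http(s) URLs, passes through to redirect(). Turn it into an allowlist instead: require search.redirect to start with "/" and not with "//" or "/\", or resolve the value against the site origin with the URL API and compare origins, keeping "/app/account" as the fallback in both branches. The inline ternary is also hard to read; the multi-line form in the comment above, with the rule in a named helper, would be easier to review and to unit-test against the checklist.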

Spotted by Graphite Agent

Fix in Graphite


Is this helpful? React 👍 or 👎 to let us know.
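As an added example (not code from the hyprnote PR or from the Graphite comment), here is the loader rule from the PR's Security section with the redirect check written as an allowlist that goes beyond the three prefixes discussed above: the parameter is resolved against a placeholder origin with the URL API and only same-site paths are accepted. It assumes the loader's `user`/`search` shape and models `throw redirect(...)` as a returned decision so the logic runs stand-alone.

```typescript
// Added example; not code from the hyprnote PR or from the Graphite comment.
// Assumed shape of the loader inputs: `user` is null when logged out and
// `search` carries the parsed ?flow= and ?redirect= params. The real route
// throws redirect() from @tanstack/react-router; here the decision is
// returned as a value so the logic runs and can be checked stand-alone.

const DEFAULT_AFTER_LOGIN = "/app/account";

// A base that no real target can equal; only used so a relative path parses.
// The WHATWG URL parser applies the same normalisation a browser does
// (strips tabs/newlines, folds scheme case, treats "\" as "/" for http(s)),
// so anything that resolves to a different origin is an off-site target.
const PLACEHOLDER_ORIGIN = "https://placeholder.invalid";

// Allowlist check: accept only an absolute path on this site, returned in
// canonical form with its query and fragment; everything else -> fallback.
function safeRedirectTarget(
  raw: string | undefined,
  fallback: string = DEFAULT_AFTER_LOGIN,
): string {
  if (!raw) return fallback;
  const trimmed = raw.trim();
  if (!trimmed.startsWith("/")) return fallback; // rejects http(s):// in any case
  try {
    const parsed = new URL(trimmed, PLACEHOLDER_ORIGIN);
    // "//evil.com", "/\evil.com" and "/\t/evil.com" all resolve to another origin.
    if (parsed.origin !== PLACEHOLDER_ORIGIN) return fallback;
    return parsed.pathname + parsed.search + parsed.hash;
  } catch {
    return fallback;
  }
}

type AuthSearch = { flow?: string; redirect?: string };
type AuthDecision = { action: "redirect"; to: string } | { action: "stay" };

// Mirrors the PR's rule: only a logged-in user on flow=web leaves /auth;
// the desktop OAuth flow and logged-out visitors still see the login page.
function resolveAuthRedirect(user: object | null, search: AuthSearch): AuthDecision {
  if (user && search.flow === "web") {
    return { action: "redirect", to: safeRedirectTarget(search.redirect) };
  }
  return { action: "stay" };
}

// Constructed sample input taken from the PR's own review checklist.
console.log(resolveAuthRedirect({ id: 1 }, { flow: "web", redirect: "//evil.com" }));
```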
