fix: more throw redirects, and fix redirectToPostLogin so if not absolute url, it will return and redirect to login

Alexis · Alexis · commit c634bb7ac142 · 2025-08-21T11:42:12.000+01:00
diff --git a/src/lib/handleAuth/handleAuth.ts b/src/lib/handleAuth/handleAuth.ts
@@ -145,9 +145,13 @@ const redirectToPostLoginUrl = async () => {
   const post_login_redirect_url = value as string;
   sessionStorage.removeSessionItem(KEY_POST_LOGIN_REDIRECT_URL);
 
+  const appBaseUrl = new URL(kindeConfiguration.appBase);
   if (isAbsoluteUrl(post_login_redirect_url)) {
-    redirect(302, new URL(post_login_redirect_url));
-  } else {
-    redirect(302, new URL(post_login_redirect_url, kindeConfiguration.appBase));
+    const target = new URL(post_login_redirect_url);
+    if (target.origin !== appBaseUrl.origin) {
+      return;
+    }
+    throw redirect(302, target.toString());
   }
+  throw redirect(302, new URL(post_login_redirect_url, appBaseUrl).toString());
 };
