Ensure we check the full origin of callback URLs

Vinnl · Vinnl · commit edbd2bffc53e · 2025-10-20T12:23:22.000+02:00
This ensures that someone can't just register a domain and make
it start with the same URL as ours.
diff --git a/src/app/api/auth/[...nextauth]/route.ts b/src/app/api/auth/[...nextauth]/route.ts
@@ -24,7 +24,7 @@ const handler = async (req: NextRequest, res: unknown) => {
       const cookieStore = req.cookies;
       const callbackUrl = cookieStore.get("next-auth.callback-url")?.value;
       const redirectUrl =
-        callbackUrl && callbackUrl.startsWith(process.env.SERVER_URL as string)
+        callbackUrl && isValidCallbackUrl(callbackUrl)
           ? callbackUrl
           : (process.env.SERVER_URL as string);
 
@@ -39,4 +39,10 @@ const handler = async (req: NextRequest, res: unknown) => {
   ) as Promise<Response>;
 };
 
+function isValidCallbackUrl(callbackUrlString: string): boolean {
+  const serverUrl = new URL(process.env.SERVER_URL!);
+  const callbackUrl = new URL(callbackUrlString);
+  return serverUrl.origin === callbackUrl.origin;
+}
+
 export { handler as GET, handler as POST };
