hotfix: adding dynamic redirection in self-host auth system (HBE-173) (#40)

* chore: completed base auth implementation with redirectUrl * chore: completed base auth fix with redirect_uri * chore: added whitelist based redirection * chore: added a env variable for session secret in main.ts * chore: removed migrations folder from prisma directory
2023-03-14 19:19:22 +05:30
parent be46ed2686
commit a779ba5c0e
13 changed files with 139 additions and 20 deletions
--- a/packages/hoppscotch-backend/src/auth/helper.ts
+++ b/packages/hoppscotch-backend/src/auth/helper.ts
@@ -30,6 +30,7 @@ export const authCookieHandler = (
  res: Response,
  authTokens: AuthTokens,
  redirect: boolean,
+  redirectUrl: string | null,
 ) => {
  const currentTime = DateTime.now();
  const accessTokenValidity = currentTime
@@ -55,9 +56,18 @@ export const authCookieHandler = (
    sameSite: 'lax',
    maxAge: refreshTokenValidity,
  });
-  if (redirect) {
-    res.status(HttpStatus.OK).redirect(process.env.REDIRECT_URL);
-  } else res.status(HttpStatus.OK).send();
+
+  if (!redirect) {
+    res.status(HttpStatus.OK).send();
+  }
+
+  // check to see if redirectUrl is a whitelisted url
+  const whitelistedOrigins = process.env.WHITELISTED_ORIGINS.split(',');
+  if (!whitelistedOrigins.includes(redirectUrl))
+    // if it is not redirect by default to REDIRECT_URL
+    redirectUrl = process.env.REDIRECT_URL;
+
+  res.status(HttpStatus.OK).redirect(redirectUrl);
 };

 /**