fix: embedded direct template recipient auth

packages/auth/server/lib/utils/handle-oauth-callback-url.ts

@@ -5,6 +5,7 @@ import { deleteCookie } from 'hono/cookie';
 
 import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
 import { onCreateUserHook } from '@documenso/lib/server-only/user/create-user';
+import { isValidReturnTo, normalizeReturnTo } from '@documenso/lib/utils/is-valid-return-to';
 import { prisma } from '@documenso/prisma';
 
 import type { OAuthClientOptions } from '../../config';
@@ -177,6 +178,12 @@ export const validateOauth = async (options: HandleOAuthCallbackUrlOptions) => {
     redirectPath = '/';
   }
 
+  if (!isValidReturnTo(redirectPath)) {
+    redirectPath = '/';
+  }
+
+  redirectPath = normalizeReturnTo(redirectPath) || '/';
+
   const tokens = await oAuthClient.validateAuthorizationCode(
     token_endpoint,
     code,

packages/lib/utils/is-valid-return-to.ts

@@ -0,0 +1,37 @@
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+
+export const isValidReturnTo = (returnTo?: string) => {
+  if (!returnTo) {
+    return false;
+  }
+
+  try {
+    // Decode if it's URL encoded
+    const decodedReturnTo = decodeURIComponent(returnTo);
+    const returnToUrl = new URL(decodedReturnTo, NEXT_PUBLIC_WEBAPP_URL());
+
+    if (returnToUrl.origin !== NEXT_PUBLIC_WEBAPP_URL()) {
+      return false;
+    }
+
+    return true;
+  } catch {
+    return false;
+  }
+};
+
+export const normalizeReturnTo = (returnTo?: string) => {
+  if (!returnTo) {
+    return undefined;
+  }
+
+  try {
+    // Decode if it's URL encoded
+    const decodedReturnTo = decodeURIComponent(returnTo);
+    const returnToUrl = new URL(decodedReturnTo, NEXT_PUBLIC_WEBAPP_URL());
+
+    return `${returnToUrl.pathname}${returnToUrl.search}${returnToUrl.hash}`;
+  } catch {
+    return undefined;
+  }
+};