updating open redirects

packages/ui/docs-bundle/src/pages/api/fern-docs/auth/callback.ts

@@ -1,4 +1,5 @@
 import { getReturnToQueryParam } from "@/server/auth/return-to";
+import { FernNextResponse } from "@/server/FernNextResponse";
 import { redirectWithLoginError } from "@/server/redirectWithLoginError";
 import { safeUrl } from "@/server/safeUrl";
 import { getDocsDomainEdge, getHostEdge } from "@/server/xfernhost/edge";
@@ -26,11 +27,12 @@ export default async function GET(req: NextRequest): Promise<NextResponse> {
     const redirectLocation = safeUrl(return_to) ?? safeUrl(withDefaultProtocol(host));
 
     if (error != null) {
-        return redirectWithLoginError(redirectLocation, error, error_description);
+        return redirectWithLoginError(req, redirectLocation, error, error_description);
     }
 
     if (typeof code !== "string") {
         return redirectWithLoginError(
+            req,
             redirectLocation,
             "missing_authorization_code",
             "Couldn't login, please try again",
@@ -51,11 +53,11 @@ export default async function GET(req: NextRequest): Promise<NextResponse> {
             "/api/fern-docs/auth/callback",
             "/api/fern-docs/oauth/ory/callback",
         );
-        return NextResponse.redirect(nextUrl);
+        return FernNextResponse.redirect(req, nextUrl.toString());
     } else if (config?.type === "sso") {
         nextUrl.pathname = nextUrl.pathname.replace("/api/fern-docs/auth/callback", "/api/fern-docs/auth/sso/callback");
-        return NextResponse.redirect(nextUrl);
+        return FernNextResponse.redirect(req, nextUrl.toString());
     }
 
-    return redirectWithLoginError(redirectLocation, "unknown_error", "Couldn't login, please try again");
+    return redirectWithLoginError(req, redirectLocation, "unknown_error", "Couldn't login, please try again");
 }

packages/ui/docs-bundle/src/pages/api/fern-docs/auth/jwt/callback.ts

@@ -1,6 +1,7 @@
 import { safeVerifyFernJWTConfig } from "@/server/auth/FernJWT";
 import { getReturnToQueryParam } from "@/server/auth/return-to";
 import { withSecureCookie } from "@/server/auth/with-secure-cookie";
+import { FernNextResponse } from "@/server/FernNextResponse";
 import { redirectWithLoginError } from "@/server/redirectWithLoginError";
 import { safeUrl } from "@/server/safeUrl";
 import { getDocsDomainEdge, getHostEdge } from "@/server/xfernhost/edge";
@@ -28,17 +29,16 @@ export default async function handler(req: NextRequest): Promise<NextResponse> {
     if (edgeConfig?.type !== "basic_token_verification" || token == null) {
         // eslint-disable-next-line no-console
         console.error(`Invalid config for domain ${domain}`);
-        return redirectWithLoginError(redirectLocation, "unknown_error", "Couldn't login, please try again");
+        return redirectWithLoginError(req, redirectLocation, "unknown_error", "Couldn't login, please try again");
     }
 
     const fernUser = await safeVerifyFernJWTConfig(token, edgeConfig);
 
     if (fernUser == null) {
-        return redirectWithLoginError(redirectLocation, "unknown_error", "Couldn't login, please try again");
+        return redirectWithLoginError(req, redirectLocation, "unknown_error", "Couldn't login, please try again");
     }
 
-    // TODO: validate allowlist of domains to prevent open redirects
-    const res = redirectLocation ? NextResponse.redirect(redirectLocation) : NextResponse.next();
+    const res = redirectLocation ? FernNextResponse.redirect(req, redirectLocation.toString()) : NextResponse.next();
     res.cookies.set(COOKIE_FERN_TOKEN, token, withSecureCookie(withDefaultProtocol(host)));
     return res;
 }

packages/ui/docs-bundle/src/pages/api/fern-docs/auth/logout.ts

@@ -34,9 +34,10 @@ export default async function GET(req: NextRequest): Promise<NextResponse> {
     let redirectLocation =
         logoutUrl ??
         safeUrl(req.nextUrl.searchParams.get(return_to_param)) ??
-        safeUrl(withDefaultProtocol(getHostEdge(req)));
+        safeUrl(withDefaultProtocol(getHostEdge(req))) ??
+        new URL(domain);
 
-    const res = FernNextResponse.redirect(req, redirectLocation);
+    const res = FernNextResponse.redirect(req, redirectLocation.toString());
     res.cookies.delete(withDeleteCookie(COOKIE_FERN_TOKEN, withDefaultProtocol(getHostEdge(req))));
     res.cookies.delete(withDeleteCookie(COOKIE_ACCESS_TOKEN, withDefaultProtocol(getHostEdge(req))));
     res.cookies.delete(withDeleteCookie(COOKIE_REFRESH_TOKEN, withDefaultProtocol(getHostEdge(req))));

packages/ui/docs-bundle/src/pages/api/fern-docs/auth/sso/callback.ts

@@ -2,6 +2,7 @@ import { getReturnToQueryParam } from "@/server/auth/return-to";
 import { withSecureCookie } from "@/server/auth/with-secure-cookie";
 import { getWorkOSClientId, workos } from "@/server/auth/workos";
 import { encryptSession } from "@/server/auth/workos-session";
+import { FernNextResponse } from "@/server/FernNextResponse";
 import { safeUrl } from "@/server/safeUrl";
 import { getDocsDomainEdge } from "@/server/xfernhost/edge";
 import { COOKIE_FERN_TOKEN } from "@fern-ui/fern-docs-utils";
@@ -58,7 +59,7 @@ export default async function handler(req: NextRequest): Promise<NextResponse> {
         // TODO: need to support docs instances with subpaths (forward-proxied from the origin).
         const destination = new URL(`${req.nextUrl.pathname}${req.nextUrl.search}`, url.origin);
         destination.searchParams.set(FORWARDED_HOST_QUERY, req.nextUrl.host);
-        return NextResponse.redirect(destination);
+        return FernNextResponse.redirect(req, destination.toString());
     }
 
     const code = req.nextUrl.searchParams.get(CODE_QUERY);
@@ -86,7 +87,7 @@ export default async function handler(req: NextRequest): Promise<NextResponse> {
             impersonator,
         });
 
-        const res = NextResponse.redirect(url);
+        const res = FernNextResponse.redirect(req, url.toString());
         res.cookies.set(COOKIE_FERN_TOKEN, session, withSecureCookie(url.origin));
 
         return res;

packages/ui/docs-bundle/src/pages/api/fern-docs/integrations/launchdarkly/identify.ts

@@ -1,3 +1,4 @@
+import { FernNextResponse } from "@/server/FernNextResponse";
 import { getHostEdge } from "@/server/xfernhost/edge";
 import { withDefaultProtocol } from "@fern-api/ui-core-utils";
 import { COOKIE_EMAIL } from "@fern-ui/fern-docs-utils";
@@ -8,8 +9,7 @@ export const runtime = "edge";
 export default async function handler(req: NextRequest): Promise<NextResponse> {
     const email = req.nextUrl.searchParams.get(COOKIE_EMAIL);
 
-    // TODO: validate allowlist of domains to prevent open redirects
-    const res = NextResponse.redirect(withDefaultProtocol(getHostEdge(req)));
+    const res = FernNextResponse.redirect(req, withDefaultProtocol(getHostEdge(req)));
 
     if (email) {
         res.cookies.set({ name: COOKIE_EMAIL, value: email });

packages/ui/docs-bundle/src/pages/api/fern-docs/oauth/ory/callback.ts

@@ -2,6 +2,7 @@ import { signFernJWT } from "@/server/auth/FernJWT";
 import { OryOAuth2Client } from "@/server/auth/ory";
 import { getReturnToQueryParam } from "@/server/auth/return-to";
 import { withSecureCookie } from "@/server/auth/with-secure-cookie";
+import { FernNextResponse } from "@/server/FernNextResponse";
 import { redirectWithLoginError } from "@/server/redirectWithLoginError";
 import { safeUrl } from "@/server/safeUrl";
 import { getDocsDomainEdge, getHostEdge } from "@/server/xfernhost/edge";
@@ -31,13 +32,14 @@ export default async function GET(req: NextRequest): Promise<NextResponse> {
     if (error != null) {
         // eslint-disable-next-line no-console
         console.error(`OAuth2 error: ${error} - ${error_description}`);
-        return redirectWithLoginError(redirectLocation, error, error_description);
+        return redirectWithLoginError(req, redirectLocation, error, error_description);
     }
 
     if (typeof code !== "string") {
         // eslint-disable-next-line no-console
         console.error("Missing code in query params");
         return redirectWithLoginError(
+            req,
             redirectLocation,
             "missing_authorization_code",
             "Couldn't login, please try again",
@@ -47,7 +49,7 @@ export default async function GET(req: NextRequest): Promise<NextResponse> {
     if (config == null || config.type !== "oauth2" || config.partner !== "ory") {
         // eslint-disable-next-line no-console
         console.log(`Invalid config for domain ${domain}`);
-        return redirectWithLoginError(redirectLocation, "unknown_error", "Couldn't login, please try again");
+        return redirectWithLoginError(req, redirectLocation, "unknown_error", "Couldn't login, please try again");
     }
 
     const oauthClient = new OryOAuth2Client(config);
@@ -60,7 +62,7 @@ export default async function GET(req: NextRequest): Promise<NextResponse> {
         };
         const expires = token.exp == null ? undefined : new Date(token.exp * 1000);
         // TODO: validate allowlist of domains to prevent open redirects
-        const res = redirectLocation ? NextResponse.redirect(redirectLocation) : NextResponse.next();
+        const res = redirectLocation ? FernNextResponse.redirect(req, redirectLocation.toString()) : NextResponse.next();
         res.cookies.set(
             COOKIE_FERN_TOKEN,
             await signFernJWT(fernUser),
@@ -82,6 +84,6 @@ export default async function GET(req: NextRequest): Promise<NextResponse> {
     } catch (error) {
         // eslint-disable-next-line no-console
         console.error("Error getting access token", error);
-        return redirectWithLoginError(redirectLocation, "unknown_error", "Couldn't login, please try again");
+        return redirectWithLoginError(req, redirectLocation, "unknown_error", "Couldn't login, please try again");
     }
 }

packages/ui/docs-bundle/src/pages/api/fern-docs/oauth/webflow/callback.ts

@@ -1,5 +1,6 @@
 import { getReturnToQueryParam } from "@/server/auth/return-to";
 import { withSecureCookie } from "@/server/auth/with-secure-cookie";
+import { FernNextResponse } from "@/server/FernNextResponse";
 import { redirectWithLoginError } from "@/server/redirectWithLoginError";
 import { safeUrl } from "@/server/safeUrl";
 import { getDocsDomainEdge, getHostEdge } from "@/server/xfernhost/edge";
@@ -28,13 +29,14 @@ export default async function GET(req: NextRequest): Promise<NextResponse> {
     if (error != null) {
         // eslint-disable-next-line no-console
         console.error(`OAuth2 error: ${error} - ${error_description}`);
-        return redirectWithLoginError(redirectLocation, error, error_description);
+        return redirectWithLoginError(req, redirectLocation, error, error_description);
     }
 
     if (typeof code !== "string") {
         // eslint-disable-next-line no-console
         console.error("Missing code in query params");
         return redirectWithLoginError(
+            req,
             redirectLocation,
             "missing_authorization_code",
             "Couldn't login, please try again",
@@ -44,7 +46,7 @@ export default async function GET(req: NextRequest): Promise<NextResponse> {
     if (config == null || config.type !== "oauth2" || config.partner !== "webflow") {
         // eslint-disable-next-line no-console
         console.log(`Invalid config for domain ${domain}`);
-        return redirectWithLoginError(redirectLocation, "unknown_error", "Couldn't login, please try again");
+        return redirectWithLoginError(req, redirectLocation, "unknown_error", "Couldn't login, please try again");
     }
 
     try {
@@ -55,13 +57,12 @@ export default async function GET(req: NextRequest): Promise<NextResponse> {
             code,
         });
 
-        // TODO: validate allowlist of domains to prevent open redirects
-        const res = redirectLocation ? NextResponse.redirect(redirectLocation) : NextResponse.next();
+        const res = redirectLocation ? FernNextResponse.redirect(req, redirectLocation.toString()) : NextResponse.next();
         res.cookies.set("access_token", accessToken, withSecureCookie(withDefaultProtocol(host)));
         return res;
     } catch (error) {
         // eslint-disable-next-line no-console
         console.error("Error getting access token", error);
-        return redirectWithLoginError(redirectLocation, "unknown_error", "Couldn't login, please try again");
+        return redirectWithLoginError(req, redirectLocation, "unknown_error", "Couldn't login, please try again");
     }
 }

packages/ui/docs-bundle/src/server/FernNextResponse.ts

@@ -3,7 +3,7 @@ import { NextRequest, NextResponse } from "next/server";
 import { getDocsDomainEdge } from "./xfernhost/edge";
 
 export class FernNextResponse {
-    public static redirect(req: NextRequest, destination?: string): Promise<NextResponse> {
+    public static redirect(req: NextRequest, destination?: string): NextResponse {
         if (typeof destination === "undefined") {
             return NextResponse.next();
         }

packages/ui/docs-bundle/src/server/redirectWithLoginError.ts

@@ -1,6 +1,8 @@
-import { NextResponse } from "next/server";
+import { NextRequest, NextResponse } from "next/server";
+import { FernNextResponse } from "./FernNextResponse";
 
 export function redirectWithLoginError(
+    request: NextRequest,
     location: URL | undefined,
     error: string,
     error_description: string | null | undefined,
@@ -15,5 +17,5 @@ export function redirectWithLoginError(
         url.searchParams.set("error_description", error_description);
     }
     // TODO: validate allowlist of domains to prevent open redirects
-    return NextResponse.redirect(url.toString());
+    return FernNextResponse.redirect(request, url.toString());
 }

packages/ui/docs-bundle/src/server/withMiddlewareAuth.ts

@@ -4,6 +4,7 @@ import { COOKIE_FERN_TOKEN } from "@fern-ui/fern-docs-utils";
 import { NextRequest, NextResponse } from "next/server";
 import { getAuthStateEdge } from "./auth/getAuthStateEdge";
 import { withSecureCookie } from "./auth/with-secure-cookie";
+import { FernNextResponse } from "./FernNextResponse";
 import { getHostEdge } from "./xfernhost/edge";
 
 /**
@@ -41,7 +42,7 @@ export async function withMiddlewareAuth(
     }
 
     if (res.authorizationUrl) {
-        return NextResponse.redirect(res.authorizationUrl);
+        return FernNextResponse.redirect(request, res.authorizationUrl);
     }
 
     return NextResponse.next({ status: 401 });