Skip to content

Admin page post-login redirect #33

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
evan-taylor wants to merge 1 commit into from
Closed

Admin page post-login redirect #33

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 8 additions & 2 deletions app/admin/page.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,10 +44,16 @@ export default function AdminPage() {
}, [currentUser, profileEnsured, ensureCurrentUserProfile]);

useEffect(() => {
if (authLoading || currentUser === undefined) {
return;
}

if (!isAuthenticated || currentUser === null) {
router.push("/signin");
const currentPath = `${window.location.pathname}${window.location.search}`;
const redirectQuery = encodeURIComponent(currentPath);
router.replace(`/signin?redirect=${redirectQuery}`);
}
}, [isAuthenticated, currentUser, router]);
}, [authLoading, isAuthenticated, currentUser, router]);

if (
authLoading ||
Expand Down
27 changes: 24 additions & 3 deletions app/signin/page.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,30 @@
import { useAuthActions } from "@convex-dev/auth/react";
import { useConvexAuth, useMutation } from "convex/react";
import Link from "next/link";
import { useRouter } from "next/navigation";
import { useRouter, useSearchParams } from "next/navigation";
import posthog from "posthog-js";
import { useEffect, useRef, useState } from "react";
import { api } from "@/convex/_generated/api";

const HOME_PATH = "/";
const SIGN_IN_PATH = "/signin";

const getSafeRedirectPath = (path: string | null) => {
if (!path?.startsWith("/")) {
return HOME_PATH;
}

if (path.startsWith("//")) {
return HOME_PATH;
}

if (path === SIGN_IN_PATH || path.startsWith(`${SIGN_IN_PATH}?`)) {
return HOME_PATH;
}

return path;
Comment on lines +14 to +27
Copy link
Copy Markdown

@greptile-apps greptile-apps Bot Mar 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Potential open redirect via /\ bypass

The guard blocks // (protocol-relative URLs) but does not catch /\ followed by a domain. Some browsers and HTTP clients normalize a backslash to a forward slash, so a crafted query param like ?redirect=%2F%5Cevil.com could decode to /\evil.com, pass all three checks, and potentially redirect to an external host depending on the runtime's URL normalization.

Adding an explicit check for path.startsWith("/\\") (or, more robustly, parsing the path with new URL(path, window.location.origin) and verifying the origin matches) would close this gap:

if (path.startsWith("/\\")) {
  return HOME_PATH;
}

The same applies to the identical function in proxy.ts.

Prompt To Fix With AI 
This is a comment left during a code review.
Path: app/signin/page.tsx
Line: 14-27

Comment:
**Potential open redirect via `/\` bypass**

The guard blocks `//` (protocol-relative URLs) but does not catch `/\` followed by a domain. Some browsers and HTTP clients normalize a backslash to a forward slash, so a crafted query param like `?redirect=%2F%5Cevil.com` could decode to `/\evil.com`, pass all three checks, and potentially redirect to an external host depending on the runtime's URL normalization.

Adding an explicit check for `path.startsWith("/\\")` (or, more robustly, parsing the path with `new URL(path, window.location.origin)` and verifying the `origin` matches) would close this gap:

```
if (path.startsWith("/\\")) {
  return HOME_PATH;
}
```

The same applies to the identical function in `proxy.ts`.

How can I resolve this? If you propose a fix, please make it concise.

Fix in Cursor

};

export default function SignIn() {
const { signIn } = useAuthActions();
const { isAuthenticated } = useConvexAuth();
Expand All @@ -19,6 +38,8 @@ export default function SignIn() {
const [loading, setLoading] = useState(false);
const createdRef = useRef(false);
const router = useRouter();
const searchParams = useSearchParams();
const redirectPath = getSafeRedirectPath(searchParams.get("redirect"));

useEffect(() => {
if (isAuthenticated && !createdRef.current) {
Expand Down Expand Up @@ -68,7 +89,7 @@ export default function SignIn() {
has_phone_number: !!localPhone,
});

router.push("/");
router.push(redirectPath);
setLoading(false);
} else {
formData.set("flow", "signIn");
Expand All @@ -77,7 +98,7 @@ export default function SignIn() {
posthog.identify(email, { email });
posthog.capture("user_signed_in");

router.push("/");
router.push(redirectPath);
setLoading(false);
}
} catch (authError) {
Expand Down
24 changes: 23 additions & 1 deletion proxy.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,25 @@ import {
nextjsMiddlewareRedirect,
} from "@convex-dev/auth/nextjs/server";

const HOME_PATH = "/";
const SIGN_IN_PATH = "/signin";

const getSafeRedirectPath = (path: string | null) => {
if (!path?.startsWith("/")) {
return HOME_PATH;
}

if (path.startsWith("//")) {
return HOME_PATH;
}

if (path === SIGN_IN_PATH || path.startsWith(`${SIGN_IN_PATH}?`)) {
return HOME_PATH;
}

return path;
};
Comment on lines +10 to +24
Copy link
Copy Markdown

@greptile-apps greptile-apps Bot Mar 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Duplicated getSafeRedirectPath utility

getSafeRedirectPath is defined identically in both proxy.ts and app/signin/page.tsx. If the validation logic ever needs to change (e.g., to patch a security bypass), it must be updated in both places, which is easy to miss. Consider extracting it to a shared utility such as lib/redirect.ts and importing it from both call sites.

Prompt To Fix With AI 
This is a comment left during a code review.
Path: proxy.ts
Line: 10-24

Comment:
**Duplicated `getSafeRedirectPath` utility**

`getSafeRedirectPath` is defined identically in both `proxy.ts` and `app/signin/page.tsx`. If the validation logic ever needs to change (e.g., to patch a security bypass), it must be updated in both places, which is easy to miss. Consider extracting it to a shared utility such as `lib/redirect.ts` and importing it from both call sites.

How can I resolve this? If you propose a fix, please make it concise.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

Fix in Cursor


const isSignInPage = createRouteMatcher(["/signin"]);
const isProtectedRoute = createRouteMatcher([
"/server",
Expand All @@ -13,7 +32,10 @@ const isProtectedRoute = createRouteMatcher([

export default convexAuthNextjsMiddleware(async (request, { convexAuth }) => {
if (isSignInPage(request) && (await convexAuth.isAuthenticated())) {
return nextjsMiddlewareRedirect(request, "/");
const redirectPath = getSafeRedirectPath(
request.nextUrl.searchParams.get("redirect")
);
return nextjsMiddlewareRedirect(request, redirectPath);
}
if (isProtectedRoute(request) && !(await convexAuth.isAuthenticated())) {
return nextjsMiddlewareRedirect(request, "/signin");
Expand Down