fix(auth): fix mock responses in tests and block open redirect in login

- Add response object to mockSuccess() in login and signup tests so
  response.headers.get() no longer throws
- Validate ?redirect= param: must start with / and not // to prevent
  redirecting users to external domains

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-04-02 18:48:48 +02:00
parent 0aa65214fc
commit 16f0feb8d5
3 changed files with 53 additions and 6 deletions


@@ -40,7 +40,8 @@ export const actions = {
cookies.set('JSESSIONID', sessionId, { path: '/', httpOnly: true, sameSite: 'lax' });
}
const redirectTo = url.searchParams.get('redirect') || '/planner';
const raw = url.searchParams.get('redirect');
const redirectTo = raw && raw.startsWith('/') && !raw.startsWith('//') ? raw : '/planner';
throw redirect(303, redirectTo);
}
} satisfies Actions;
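Review bot: The check on the new `redirectTo` line still lets `/\evil.example` through, because browsers following the WHATWG URL parser treat a backslash like a forward slash in http(s) URLs, so `/\host` is read as a scheme-relative `//host` and the 303 leaves the site. Rejecting both separators closes that gap: `const isLocalPath = raw !== null && /^\/(?![\/\\])/.test(raw);` followed by `const redirectTo = isLocalPath ? raw : '/planner';`. A more robust alternative is to resolve the value against the request origin and compare origins, e.g. `new URL(raw, url.origin).origin === url.origin`, which also covers any other host-escaping form the parser accepts. Either way a short comment such as `// ?redirect= must be a same-site absolute path; reject "//" and "/\" which browsers read as protocol-relative` would make the intent clear to the next maintainer. The enclosing action begins above the hunk, so I cannot see whether `url` is the request URL or something already normalised.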