directus

1
import { useEnv } from '@directus/env';
2
import { toArray } from '@directus/utils';
3
import isUrlAllowed from './is-url-allowed.js';
4

5
/**
6
 * Checks if the defined redirect after successful SSO login is in the allow list
7
 */
8
export function isLoginRedirectAllowed(redirect: unknown, provider: string): boolean {
9
	if (!redirect) return true; // empty redirect
10
	if (typeof redirect !== 'string') return false; // invalid type
11

12
	const env = useEnv();
13
	const publicUrl = env['PUBLIC_URL'] as string;
14

15
	if (URL.canParse(redirect) === false) {
16
		if (redirect.startsWith('//') === false) {
17
			// should be a relative path like `/admin/test`
18
			return true;
19
		}
20

21
		// domain without protocol `//example.com/test`
22
		return false;
23
	}
24

25
	const { protocol: redirectProtocol, hostname: redirectDomain } = new URL(redirect);
26

27
	const envKey = `AUTH_${provider.toUpperCase()}_REDIRECT_ALLOW_LIST`;
28

29
	if (envKey in env) {
30
		if (isUrlAllowed(redirect, [...toArray(env[envKey] as string), publicUrl])) return true;
31
	}
32

33
	if (URL.canParse(publicUrl) === false) {
34
		return false;
35
	}
36

37
	// allow redirects to the defined PUBLIC_URL
38
	const { protocol: publicProtocol, hostname: publicDomain } = new URL(publicUrl);
39

40
	return `${redirectProtocol}//${redirectDomain}` === `${publicProtocol}//${publicDomain}`;
41
}
42