1import { useEnv } from '@directus/env';
2import { toArray } from '@directus/utils';
3import isUrlAllowed from './is-url-allowed.js';
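/**
 * Origin that non-absolute redirects are resolved against. It is only a sentinel for the
 * same-origin check in `isSameOriginPath` and is never emitted to a client.
 */
const RELATIVE_REDIRECT_BASE = new URL('http://relative-redirect.invalid');

/**
 * Checks whether a non-absolute redirect target stays on the current origin.
 *
 * The value is resolved the way a browser resolves a `Location` header (WHATWG URL
 * parsing): leading/trailing whitespace is stripped, embedded tab/newline characters are
 * removed, and `\` is treated as `/` for http(s). Resolving against a sentinel origin and
 * requiring that origin to survive therefore rejects every protocol-relative spelling —
 * `//evil.com`, `/\evil.com`, `\\evil.com`, ` //evil.com`, `/<TAB>/evil.com` — while
 * `/admin/test`, `?x=1` or `#frag` are accepted. A plain `startsWith('//')` check misses
 * the backslash and whitespace variants, which browsers still follow off-origin.
 *
 * @param redirect - A value for which `URL.canParse(redirect)` (no base) is false.
 * @returns `true` only if the resolved URL keeps the sentinel origin.
 */
function isSameOriginPath(redirect: string): boolean {
	if (URL.canParse(redirect, RELATIVE_REDIRECT_BASE.href) === false) return false;

	return new URL(redirect, RELATIVE_REDIRECT_BASE.href).origin === RELATIVE_REDIRECT_BASE.origin;
}

/**
 * Checks if the defined redirect after successful SSO login is in the allow list.
 *
 * @param redirect - Untrusted redirect target taken from the login request. An empty value
 *   is accepted (the caller falls back to its default); any non-string value is rejected.
 * @param provider - Auth provider name; selects the `AUTH_<PROVIDER>_REDIRECT_ALLOW_LIST`
 *   environment variable.
 * @returns `true` when the redirect is empty, a same-origin path, accepted by the provider's
 *   allow list, or on the same protocol + hostname as `PUBLIC_URL`; `false` otherwise.
 */
export function isLoginRedirectAllowed(redirect: unknown, provider: string): boolean {
	if (!redirect) return true; // empty redirect
	if (typeof redirect !== 'string') return false; // invalid type

	// Not an absolute URL: accept it only if it cannot leave the current origin.
	// Decided before reading env so the outcome does not depend on configuration.
	if (URL.canParse(redirect) === false) {
		return isSameOriginPath(redirect);
	}

	const env = useEnv();
	const publicUrl = env['PUBLIC_URL'] as string;

	const { protocol: redirectProtocol, hostname: redirectDomain } = new URL(redirect);

	const envKey = `AUTH_${provider.toUpperCase()}_REDIRECT_ALLOW_LIST`;

	if (envKey in env) {
		// PUBLIC_URL is appended to the configured list so it is always an allowed target.
		if (isUrlAllowed(redirect, [...toArray(env[envKey] as string), publicUrl])) return true;
	}

	// Without a parseable PUBLIC_URL there is nothing left to compare against.
	if (URL.canParse(publicUrl) === false) {
		return false;
	}

	// Allow redirects to the defined PUBLIC_URL. The match is on protocol + hostname only:
	// `hostname` comes from the WHATWG parser (lowercased, userinfo and port split off), so
	// `https://public.example@evil.com` is seen as `evil.com`. The port is deliberately not
	// compared, so another port on the same host is accepted — compare `origin` instead if
	// that is not acceptable for a deployment.
	const { protocol: publicProtocol, hostname: publicDomain } = new URL(publicUrl);

	return `${redirectProtocol}//${redirectDomain}` === `${publicProtocol}//${publicDomain}`;
}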