startsWith(BaseUrl) in redirect callback is missing "/" at the end of URL

[jjojo]

Description 🐜

First off, thanks for a really nice lib! 🙏

@iaincollins explains very well in #591 (comment) that the baseUrl is checked to prevent malicious sites (clones) to steal credentials from your users. However, since baseUrl dont include an ending "/" even though one is provided to NEXTAUTH_URL=http://localhost:3000/ like so. This would make it possible to redirect to for example http://localhost:30001 on the localhost example. But in production if https://example.com is the baseUrl that makes https://example.companyevilcredentialstealers.com a valid redirect as well since it checks with "https://example.companyevilcredentialstealers.com".startsWith("https://example.com"), and that is true.

I'm sure somewhere the urls are parsed/created with new URL(). If so, using the href should always return the full url with the ending "/"

My simple workaround for now looks like this:

  redirect: async ({url, baseUrl: noSlash}) => {
      const baseUrl = new URL(noSlash).href; // basically I just added this and it seems to do the trick
      return url.startsWith(baseUrl)
        ? Promise.resolve(url)
        : Promise.resolve(baseUrl);
  },

Is this a bug in your own project?

No

How to reproduce ☕️

Just go to https://next-auth-example.vercel.app and try for yourself.
Entering a callback url like this for example

https://next-auth-example.vercel.app/api/auth/signin?callbackUrl=https://next-auth-example.vercel.app.evilcredentialstealers.org

Will redirect you to

https://next-auth-example.vercel.app.evilcredentialstealers.org

This is not an existing domain of course. But it could be if you owned the evilcredentialstealers.org domain and registered next-auth-example.vercel.app as a subdomain.

Screenshots / Logs 📽

No response

Environment 🖥

System:
[Irrelevant]
Binaries:
Node: 14.18.1 - ~/.nvm/versions/node/v14.18.1/bin/node
npm: 6.14.15 - ~/.nvm/versions/node/v14.18.1/bin/npm
Browser:
Chrome: 96.0.4664.45
npmPackages:
next: 11.1.2 => 11.1.2
next-auth: ^4.0.0-beta.6 => 4.0.0-beta.6
react: 17.0.2 => 17.0.2

Contributing 🙌🏽

Yes, I am willing to help solve this bug in a PR

[balazsorban44]

The flow is as follows:

next-auth/src/core/init.ts

Line 43 in 0f132de

const url = parseUrl(host)

https://github.com/nextauthjs/next-auth/blob/beta/src/lib/parse-url.ts

next-auth/src/core/lib/callback-url.ts

Lines 25 to 34 in 0f132de

	callbackUrl = await callbacks.redirect({
	url: paramValue,
	baseUrl: url.origin,
	})
	} else if (cookieValue) {
	// If no callbackUrl specified, try using the value from the cookie if allowed
	callbackUrl = await callbacks.redirect({
	url: cookieValue,
	baseUrl: url.origin,
	})

next-auth/src/core/lib/default-callbacks.ts

Lines 7 to 11 in 0f132de

	redirect({ url, baseUrl }) {
	if (url.startsWith(baseUrl)) return url
	else if (url.startsWith("/")) return new URL(url, baseUrl).toString()
	return baseUrl
	},

[jjojo]

Thanks for the references 🙏
I think the issue originates from parseUrl and url.origin since that wont include an ending slash. It might be an oversimplification to just change to url.href though now that I think about it. I'll try to find some time this weekend and open a PR if I find a good solution to this :)