cleanup: auth sync, respect redirectUrl and callbackUrl

Author: Soxasora

components/form.js

@@ -1424,7 +1424,9 @@ export function BrandingUpload ({ label, groupClassName, name, ...props }) {
       <img
         src={tempId ? `${MEDIA_URL}/${tempId}` : '/favicon.png'}
         alt={name}
-        style={{ objectFit: 'contain', position: 'relative', width: '100%', height: '100%' }}
+        width={100}
+        height={100}
+        style={{ objectFit: 'contain', position: 'relative' }}
       />
       <Avatar
         onSuccess={handleSuccess}

components/login.js

@@ -124,7 +124,7 @@ export default function Login ({ providers, callbackUrl, multiAuth, error, text,
                 text={`${text || 'Login'} with`}
               />
             )
-          case 'Sync': // TODO: remove this
+          case 'Sync':
             return null
           default:
             return (

components/territory-domains.js

@@ -184,7 +184,7 @@ export default function CustomDomainForm ({ sub }) {
   return (
     <>
       <Form
-        initial={{ domain }}
+        initial={{ domain: domain || sub?.customDomain?.domain }}
         schema={customDomainSchema}
         onSubmit={onSubmit}
         className='mb-2'

pages/api/auth/sync.js

@@ -10,9 +10,10 @@ export default async function handler (req, res) {
   }
 
   // redirectUrl parse
+  const decodedRedirectUrl = decodeURIComponent(redirectUrl)
   let customDomain
   try {
-    customDomain = new URL(redirectUrl)
+    customDomain = new URL(decodedRedirectUrl)
     const domain = await models.customDomain.findUnique({ where: { domain: customDomain.host, status: 'ACTIVE' } })
     if (!domain) {
       return res.status(400).json({ status: 'ERROR', reason: 'custom domain not found' })
@@ -27,7 +28,7 @@ export default async function handler (req, res) {
   const session = await getServerSession(req, res, getAuthOptions(req, res))
   if (!session) {
     // redirect to the login page, middleware will handle the rest
-    return res.redirect(mainDomain + '/login?callbackUrl=' + encodeURIComponent(redirectUrl))
+    return res.redirect(mainDomain + '/login?callbackUrl=' + encodeURIComponent(decodedRedirectUrl))
   }
 
   try {
@@ -48,9 +49,9 @@ export default async function handler (req, res) {
     }
 
     // domain provider will handle this sync request
-    const customDomainCallback = new URL('/?type=sync', redirectUrl)
+    const customDomainCallback = new URL('/?type=sync', decodedRedirectUrl)
     customDomainCallback.searchParams.set('token', token)
-    customDomainCallback.searchParams.set('callbackUrl', redirectUrl)
+    customDomainCallback.searchParams.set('callbackUrl', decodedRedirectUrl)
     if (multiAuth) {
       customDomainCallback.searchParams.set('multiAuth', multiAuth)
     }

pages/login.js

@@ -21,7 +21,7 @@ export async function getServerSideProps ({ req, res, query: { callbackUrl, mult
   // let undefined urls through without redirect ... otherwise this interferes with multiple auth linking
   let external = true
   try {
-    external = isExternal(decodeURIComponent(callbackUrl))
+    external = isExternal(decodeURIComponent(callbackUrl)) && !domain
   } catch (err) {
     console.error('error decoding callback:', callbackUrl, err)
   }
@@ -30,11 +30,10 @@ export async function getServerSideProps ({ req, res, query: { callbackUrl, mult
     callbackUrl = '/'
   }
 
-  // TODO: custom domain mapping security
   // If we're coming from a custom domain, set as callbackUrl the auth sync endpoint
   if (domain) {
     const params = new URLSearchParams()
-    params.set('redirectUrl', 'https://' + encodeURIComponent(domain))
+    params.set('redirectUrl', encodeURIComponent(callbackUrl))
     if (multiAuth) { // take care of multiAuth if requested
       params.set('multiAuth', multiAuth)
     }