From f404ddcfdf22aaa4851ae641316a257a98e150ab Mon Sep 17 00:00:00 2001
From: Emelia Smith
Date: Fri, 5 Dec 2025 23:25:39 +0100
Subject: [PATCH] Improve OAuth
---
 app/login/page.tsx          | 4 +++-
 app/oauth/callback/route.ts | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/app/login/page.tsx b/app/login/page.tsx
index f529d2c..c4e1281 100644
--- a/app/login/page.tsx
+++ b/app/login/page.tsx
@@ -7,7 +7,9 @@ export default async function LoginPage({
 }: {
   searchParams: Promise<{ error?: string; returnUrl?: string }>;
 }) {
-  const { error, returnUrl = "/" } = await searchParams;
+  const params = await searchParams;
+  const error = params.error
+  const returnUrl = params.returnUrl && params.returnUrl.startsWith('/') ? params.returnUrl : '/';
   return (
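Review bot: The new `startsWith('/')` guard on the `const returnUrl` line still admits protocol-relative and backslash-prefixed values: `//evil.example` and `/\evil.example` both begin with `/`, and a WHATWG URL parser resolving them against the site origin (`new URL('//evil.example', base)`) lands on the attacker's host, which is the open redirect this commit is trying to close. Reject anything whose second character is `/` or `\`: `const rawReturnUrl = params.returnUrl ?? '/';` followed by `const returnUrl = /^\/(?![\/\\])/.test(rawReturnUrl) ? rawReturnUrl : '/';`. Where `returnUrl` is consumed lies past the end of the hunk (the `return (` JSX continues outside it), so if it is written into a link or OAuth `state` there, this check is the only thing protecting that path. The `const error = params.error` line also dropped its trailing semicolon, unlike the surrounding lines.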
diff --git a/app/oauth/callback/route.ts b/app/oauth/callback/route.ts
index c32c714..6f19226 100644
--- a/app/oauth/callback/route.ts
+++ b/app/oauth/callback/route.ts
@@ -35,7 +35,7 @@ async function handleCallback(request: NextRequest) {
   if (state) {
     try {
       const parsed = JSON.parse(state);
-      if (parsed.returnUrl && typeof parsed.returnUrl === "string") {
+      if (parsed.returnUrl && typeof parsed.returnUrl === "string" && parsed.returnUrl.startsWith('/')) {
         returnUrl = parsed.returnUrl;
       }
     } catch {
@@ -59,7 +59,7 @@ async function handleCallback(request: NextRequest) {
     session.did = oauthSession.did;
     await session.save();
-    // Redirect to returnUrl
+    // Redirect to returnUrl: We have ensured the return URL is relative above:
     const redirectUrl = new URL(returnUrl, baseUrl);
     return NextResponse.redirect(redirectUrl);
   } catch (err) {
-- 
2.43.0
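Review bot: The `startsWith('/')` check added to the `parsed.returnUrl` condition does not make the value same-origin: `//attacker.example` and `/\attacker.example` both begin with `/`, and `new URL(returnUrl, baseUrl)` later in this function resolves both to the attacker's host, so the redirect is still open. Tighten the condition to `typeof parsed.returnUrl === "string" && /^\/(?![\/\\])/.test(parsed.returnUrl)` (the leading `parsed.returnUrl &&` truthiness test then becomes redundant). `state` is also `JSON.parse`d and trusted as-is in this hunk; if the OAuth client library has not already matched it against the value stored at authorization time, `returnUrl` is choosable by whoever crafts the callback URL, which is worth confirming because `handleCallback` starts before this hunk and no such comparison is visible.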
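Review bot: The new wording on the `// Redirect to returnUrl` line asserts the URL is relative, but the guard it refers to only checks for a leading slash, which `//host` and `/\host` satisfy, so the comment claims more than is enforced. A defence-in-depth check at the point of redirect costs two lines and does not depend on what the upstream guard allows: keep `const redirectUrl = new URL(returnUrl, baseUrl);` and add `if (redirectUrl.origin !== new URL(baseUrl).origin) return NextResponse.redirect(new URL('/', baseUrl));`. This presumes `baseUrl` is a string or URL naming the app's own origin; it is declared before this hunk and its type is not visible. Reword the comment to `// returnUrl was constrained to a same-origin path above; re-check the resolved origin here as defence in depth`.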