@lobehub/lobehub 2.0.0-next.222 → 2.0.0-next.224

package/.github/workflows/test.yml

@@ -6,6 +6,10 @@ permissions:
   actions: write
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   # Check for duplicate runs
   pre_job:
@@ -16,69 +20,18 @@ jobs:
       - id: skip_check
         uses: fkirc/skip-duplicate-actions@v5
         with:
-          concurrent_skipping: 'same_content_newer'
-          skip_after_successful_duplicate: 'true'
+          concurrent_skipping: "same_content_newer"
+          skip_after_successful_duplicate: "true"
           do_not_skip: '["workflow_dispatch", "schedule"]'
 
-  # Package tests - using each package's own test script
-  test-intenral-packages:
-    needs: pre_job
-    if: needs.pre_job.outputs.should_skip != 'true'
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        package:
-          - file-loaders
-          - prompts
-          - model-runtime
-          - web-crawler
-          - electron-server-ipc
-          - utils
-          - python-interpreter
-          - context-engine
-          - agent-runtime
-          - conversation-flow
-          - ssrf-safe-fetch
-          - memory-user-memory
-
-    name: Test package ${{ matrix.package }}
-
-    steps:
-      - uses: actions/checkout@v6
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: 24.11.1
-          package-manager-cache: false
-
-      - name: Install bun
-        uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: ${{ secrets.BUN_VERSION }}
-
-      - name: Install deps
-        run: bun i
-
-      - name: Test ${{ matrix.package }} package with coverage
-        run: bun run --filter @lobechat/${{ matrix.package }} test:coverage
-
-      - name: Upload ${{ matrix.package }} coverage to Codecov
-        uses: codecov/codecov-action@v5
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: ./packages/${{ matrix.package }}/coverage/lcov.info
-          flags: packages/${{ matrix.package }}
-
+  # Package tests - all packages in single job to save runner resources
   test-packages:
     needs: pre_job
     if: needs.pre_job.outputs.should_skip != 'true'
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        package: [model-bank]
-
-    name: Test package ${{ matrix.package }}
+    name: Test Packages
+    env:
+      PACKAGES: "@lobechat/file-loaders @lobechat/prompts @lobechat/model-runtime @lobechat/web-crawler @lobechat/electron-server-ipc @lobechat/utils @lobechat/python-interpreter @lobechat/context-engine @lobechat/agent-runtime @lobechat/conversation-flow @lobechat/ssrf-safe-fetch @lobechat/memory-user-memory model-bank"
 
     steps:
       - uses: actions/checkout@v6
@@ -92,20 +45,32 @@ jobs:
       - name: Install bun
         uses: oven-sh/setup-bun@v2
         with:
-          bun-version: latest
+          bun-version: ${{ secrets.BUN_VERSION }}
 
       - name: Install deps
         run: bun i
 
-      - name: Test ${{ matrix.package }} package with coverage
-        run: bun run --filter ${{ matrix.package }} test:coverage
-
-      - name: Upload ${{ matrix.package }} coverage to Codecov
-        uses: codecov/codecov-action@v5
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: ./packages/${{ matrix.package }}/coverage/lcov.info
-          flags: packages/${{ matrix.package }}
+      - name: Test packages with coverage
+        run: |
+          for package in $PACKAGES; do
+            echo "::group::Testing $package"
+            bun run --filter $package test:coverage
+            echo "::endgroup::"
+          done
+
+      - name: Upload coverage to Codecov
+        if: always()
+        run: |
+          for package in $PACKAGES; do
+            # Extract directory name: @lobechat/file-loaders -> file-loaders, model-bank -> model-bank
+            dir="${package#@lobechat/}"
+            if [ -f "./packages/$dir/coverage/lcov.info" ]; then
+              echo "Uploading coverage for $package..."
+              npx codecov --token=${{ secrets.CODECOV_TOKEN }} \
+                --file=./packages/$dir/coverage/lcov.info \
+                --flags=packages/$dir
+            fi
+          done
 
   # App tests
   test-website:
@@ -199,7 +164,6 @@ jobs:
         options: >-
           --health-cmd pg_isready --health-interval 10s --health-timeout 5s  --health-retries 5
 
-
         ports:
           - 5432:5432
 

package/CHANGELOG.md

@@ -2,6 +2,56 @@
 
 # Changelog
 
+## [Version 2.0.0-next.224](https://github.com/lobehub/lobe-chat/compare/v2.0.0-next.223...v2.0.0-next.224)
+
+<sup>Released on **2026-01-06**</sup>
+
+#### ♻ Code Refactoring
+
+- **router**: Replace client-side rendering with dynamic import for DesktopClientRouter.
+
+<br/>
+
+<details>
+<summary><kbd>Improvements and Fixes</kbd></summary>
+
+#### Code refactoring
+
+- **router**: Replace client-side rendering with dynamic import for DesktopClientRouter, closes [#11276](https://github.com/lobehub/lobe-chat/issues/11276) ([f50305b](https://github.com/lobehub/lobe-chat/commit/f50305b))
+
+</details>
+
+<div align="right">
+
+[![](https://img.shields.io/badge/-BACK_TO_TOP-151515?style=flat-square)](#readme-top)
+
+</div>
+
+## [Version 2.0.0-next.223](https://github.com/lobehub/lobe-chat/compare/v2.0.0-next.222...v2.0.0-next.223)
+
+<sup>Released on **2026-01-06**</sup>
+
+#### 🐛 Bug Fixes
+
+- **misc**: Fix callback url error during signin period.
+
+<br/>
+
+<details>
+<summary><kbd>Improvements and Fixes</kbd></summary>
+
+#### What's fixed
+
+- **misc**: Fix callback url error during signin period, closes [#11139](https://github.com/lobehub/lobe-chat/issues/11139) ([3fc69c5](https://github.com/lobehub/lobe-chat/commit/3fc69c5))
+
+</details>
+
+<div align="right">
+
+[![](https://img.shields.io/badge/-BACK_TO_TOP-151515?style=flat-square)](#readme-top)
+
+</div>
+
 ## [Version 2.0.0-next.222](https://github.com/lobehub/lobe-chat/compare/v2.0.0-next.221...v2.0.0-next.222)
 
 <sup>Released on **2026-01-06**</sup>

package/changelog/v1.json

@@ -1,4 +1,18 @@
 [
+  {
+    "children": {},
+    "date": "2026-01-06",
+    "version": "2.0.0-next.224"
+  },
+  {
+    "children": {
+      "fixes": [
+        "Fix callback url error during signin period."
+      ]
+    },
+    "date": "2026-01-06",
+    "version": "2.0.0-next.223"
+  },
   {
     "children": {
       "fixes": [

package/e2e/package.json

@@ -7,7 +7,7 @@
     "build": "cd .. && bun run build",
     "test": "cucumber-js --config cucumber.config.js",
     "test:ci": "bun run build && bun run test",
-    "test:discover": "cucumber-js --config cucumber.config.js src/features/discover/",
+    "test:community": "cucumber-js --config cucumber.config.js src/features/community/",
     "test:headed": "HEADLESS=false cucumber-js --config cucumber.config.js",
     "test:routes": "cucumber-js --config cucumber.config.js --tags '@routes'",
     "test:routes:ci": "cucumber-js --config cucumber.config.js --tags '@routes and not @ci-skip'",

package/e2e/src/mocks/index.ts

@@ -6,7 +6,7 @@
  */
 import type { Page, Route } from 'playwright';
 
-import { discoverMocks } from './discover';
+import { discoverMocks } from './community';
 
 // ============================================
 // Types
@@ -35,7 +35,7 @@ export interface MockConfig {
 const defaultConfig: MockConfig = {
   enabled: true,
   handlers: {
-    discover: discoverMocks,
+    community: discoverMocks,
     // Add more domains here as needed:
     // user: userMocks,
     // chat: chatMocks,

package/e2e/src/steps/{discover → community}/detail-pages.steps.ts

@@ -47,7 +47,7 @@ Then('I should be on an assistant detail page', async function (this: CustomWorl
 
   const currentUrl = this.page.url();
   // Check if URL matches assistant detail page pattern
-  const hasAssistantDetail = /\/discover\/assistant\/[^#?]+/.test(currentUrl);
+  const hasAssistantDetail = /\/community\/assistant\/[^#?]+/.test(currentUrl);
   expect(
     hasAssistantDetail,
     `Expected URL to match assistant detail page pattern, but got: ${currentUrl}`,
@@ -116,7 +116,7 @@ Then('I should be on the assistant list page', async function (this: CustomWorld
   // Check if URL is assistant list (not detail page)
   const isListPage =
     currentUrl.includes('/community/assistant') &&
-    !/\/discover\/assistant\/[^#?]+/.test(currentUrl);
+    !/\/community\/assistant\/[^#?]+/.test(currentUrl);
   expect(isListPage, `Expected URL to be assistant list page, but got: ${currentUrl}`).toBeTruthy();
 });
 
@@ -126,7 +126,7 @@ Then('I should be on a model detail page', async function (this: CustomWorld) {
 
   const currentUrl = this.page.url();
   // Check if URL matches model detail page pattern
-  const hasModelDetail = /\/discover\/model\/[^#?]+/.test(currentUrl);
+  const hasModelDetail = /\/community\/model\/[^#?]+/.test(currentUrl);
   expect(
     hasModelDetail,
     `Expected URL to match model detail page pattern, but got: ${currentUrl}`,
@@ -175,7 +175,7 @@ Then('I should be on the model list page', async function (this: CustomWorld) {
   const currentUrl = this.page.url();
   // Check if URL is model list (not detail page)
   const isListPage =
-    currentUrl.includes('/community/model') && !/\/discover\/model\/[^#?]+/.test(currentUrl);
+    currentUrl.includes('/community/model') && !/\/community\/model\/[^#?]+/.test(currentUrl);
   expect(isListPage, `Expected URL to be model list page, but got: ${currentUrl}`).toBeTruthy();
 });
 
@@ -185,7 +185,7 @@ Then('I should be on a provider detail page', async function (this: CustomWorld)
 
   const currentUrl = this.page.url();
   // Check if URL matches provider detail page pattern
-  const hasProviderDetail = /\/discover\/provider\/[^#?]+/.test(currentUrl);
+  const hasProviderDetail = /\/community\/provider\/[^#?]+/.test(currentUrl);
   expect(
     hasProviderDetail,
     `Expected URL to match provider detail page pattern, but got: ${currentUrl}`,
@@ -234,7 +234,7 @@ Then('I should be on the provider list page', async function (this: CustomWorld)
   const currentUrl = this.page.url();
   // Check if URL is provider list (not detail page)
   const isListPage =
-    currentUrl.includes('/community/provider') && !/\/discover\/provider\/[^#?]+/.test(currentUrl);
+    currentUrl.includes('/community/provider') && !/\/community\/provider\/[^#?]+/.test(currentUrl);
   expect(isListPage, `Expected URL to be provider list page, but got: ${currentUrl}`).toBeTruthy();
 });
 
@@ -244,7 +244,7 @@ Then('I should be on an MCP detail page', async function (this: CustomWorld) {
 
   const currentUrl = this.page.url();
   // Check if URL matches MCP detail page pattern
-  const hasMcpDetail = /\/discover\/mcp\/[^#?]+/.test(currentUrl);
+  const hasMcpDetail = /\/community\/mcp\/[^#?]+/.test(currentUrl);
   expect(
     hasMcpDetail,
     `Expected URL to match MCP detail page pattern, but got: ${currentUrl}`,
@@ -291,6 +291,6 @@ Then('I should be on the MCP list page', async function (this: CustomWorld) {
   const currentUrl = this.page.url();
   // Check if URL is MCP list (not detail page)
   const isListPage =
-    currentUrl.includes('/community/mcp') && !/\/discover\/mcp\/[^#?]+/.test(currentUrl);
+    currentUrl.includes('/community/mcp') && !/\/community\/mcp\/[^#?]+/.test(currentUrl);
   expect(isListPage, `Expected URL to be MCP list page, but got: ${currentUrl}`).toBeTruthy();
 });

package/e2e/src/steps/{discover → community}/interactions.steps.ts

@@ -327,7 +327,7 @@ Then('I should be navigated to the assistant detail page', async function (this:
 
   const currentUrl = this.page.url();
   // Verify that URL changed and contains /assistant/ followed by an identifier
-  const hasAssistantDetail = /\/discover\/assistant\/[^#?]+/.test(currentUrl);
+  const hasAssistantDetail = /\/community\/assistant\/[^#?]+/.test(currentUrl);
   const urlChanged = currentUrl !== this.testContext.previousUrl;
 
   expect(
@@ -362,7 +362,7 @@ Then('I should be navigated to the model detail page', async function (this: Cus
 
   const currentUrl = this.page.url();
   // Verify that URL changed and contains /model/ followed by an identifier
-  const hasModelDetail = /\/discover\/model\/[^#?]+/.test(currentUrl);
+  const hasModelDetail = /\/community\/model\/[^#?]+/.test(currentUrl);
   const urlChanged = currentUrl !== this.testContext.previousUrl;
 
   expect(
@@ -384,7 +384,7 @@ Then('I should be navigated to the provider detail page', async function (this:
 
   const currentUrl = this.page.url();
   // Verify that URL changed and contains /provider/ followed by an identifier
-  const hasProviderDetail = /\/discover\/provider\/[^#?]+/.test(currentUrl);
+  const hasProviderDetail = /\/community\/provider\/[^#?]+/.test(currentUrl);
   const urlChanged = currentUrl !== this.testContext.previousUrl;
 
   expect(
@@ -422,7 +422,7 @@ Then('I should be navigated to the MCP detail page', async function (this: Custo
 
   const currentUrl = this.page.url();
   // Verify that URL changed and contains /mcp/ followed by an identifier
-  const hasMcpDetail = /\/discover\/mcp\/[^#?]+/.test(currentUrl);
+  const hasMcpDetail = /\/community\/mcp\/[^#?]+/.test(currentUrl);
   const urlChanged = currentUrl !== this.testContext.previousUrl;
 
   expect(

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lobehub/lobehub",
-  "version": "2.0.0-next.222",
+  "version": "2.0.0-next.224",
   "description": "LobeHub - an open-source,comprehensive AI Agent framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application.",
   "keywords": [
     "framework",

package/packages/utils/src/server/correctOIDCUrl.test.ts

@@ -338,9 +338,8 @@ describe('correctOIDCUrl', () => {
       const originalUrl = new URL('http://localhost:3000/auth/callback');
       const result = correctOIDCUrl(mockRequest, originalUrl);
 
-      // Should return original URL because example.com:8443 doesn't match configured APP_URL (https://example.com)
-      expect(result).toBe(originalUrl);
-      expect(result.toString()).toBe('http://localhost:3000/auth/callback');
+      // Should fall back to host header because example.com:8443 doesn't match configured APP_URL
+      expect(result.toString()).toBe('https://internal.com:3000/auth/callback');
     });
 
     it('should not need correction when URL hostname matches actual host', () => {
@@ -358,18 +357,18 @@ describe('correctOIDCUrl', () => {
   });
 
   describe('Open Redirect protection', () => {
-    it('should prevent redirection to malicious external domains', () => {
+    it('should prevent redirection to malicious external domains via x-forwarded-host', () => {
       (mockRequest.headers.get as any).mockImplementation((header: string) => {
-        if (header === 'host') return 'malicious.com';
+        if (header === 'host') return 'example.com';
+        if (header === 'x-forwarded-host') return 'malicious.com';
         return null;
       });
 
       const originalUrl = new URL('http://localhost:3000/auth/callback');
       const result = correctOIDCUrl(mockRequest, originalUrl);
 
-      // Should return original URL and not redirect to malicious.com
-      expect(result).toBe(originalUrl);
-      expect(result.toString()).toBe('http://localhost:3000/auth/callback');
+      // Should fall back to host header and not redirect to malicious.com
+      expect(result.toString()).toBe('http://example.com:3000/auth/callback');
     });
 
     it('should allow redirection to configured domain (example.com)', () => {
@@ -410,9 +409,9 @@ describe('correctOIDCUrl', () => {
       const originalUrl = new URL('http://localhost:3000/auth/callback');
       const result = correctOIDCUrl(mockRequest, originalUrl);
 
-      // Should return original URL and not redirect to evil.com
-      expect(result).toBe(originalUrl);
-      expect(result.toString()).toBe('http://localhost:3000/auth/callback');
+      // Should fall back to request host (example.com) and not redirect to evil.com
+      expect(result.toString()).toBe('http://example.com:3000/auth/callback');
+      expect(result.hostname).not.toBe('evil.com');
     });
 
     it('should allow localhost in development environment', () => {
@@ -437,30 +436,92 @@ describe('correctOIDCUrl', () => {
       delete process.env.APP_URL;
 
       (mockRequest.headers.get as any).mockImplementation((header: string) => {
-        if (header === 'host') return 'any-domain.com';
+        if (header === 'host') return 'example.com';
+        if (header === 'x-forwarded-host') return 'any-domain.com';
         return null;
       });
 
       const originalUrl = new URL('http://localhost:3000/auth/callback');
       const result = correctOIDCUrl(mockRequest, originalUrl);
 
-      // Should return original URL when APP_URL is not configured
-      expect(result).toBe(originalUrl);
-      expect(result.toString()).toBe('http://localhost:3000/auth/callback');
+      // Should fall back to host header when APP_URL is not configured and forwarded host is present
+      expect(result.toString()).toBe('http://example.com:3000/auth/callback');
     });
 
     it('should handle domains that look like subdomains but are not', () => {
       (mockRequest.headers.get as any).mockImplementation((header: string) => {
-        if (header === 'host') return 'fakeexample.com'; // Not a subdomain of example.com
+        if (header === 'host') return 'example.com';
+        if (header === 'x-forwarded-host') return 'fakeexample.com'; // Not a subdomain of example.com
         return null;
       });
 
       const originalUrl = new URL('http://localhost:3000/auth/callback');
       const result = correctOIDCUrl(mockRequest, originalUrl);
 
-      // Should prevent redirection to fake domain
-      expect(result).toBe(originalUrl);
-      expect(result.toString()).toBe('http://localhost:3000/auth/callback');
+      // Should fall back to host header
+      expect(result.toString()).toBe('http://example.com:3000/auth/callback');
+    });
+
+    it('should reject invalid forwarded protocol', () => {
+      (mockRequest.headers.get as any).mockImplementation((header: string) => {
+        if (header === 'host') return 'example.com';
+        if (header === 'x-forwarded-host') return 'example.com';
+        if (header === 'x-forwarded-proto') return 'javascript'; // Invalid protocol
+        return null;
+      });
+
+      const originalUrl = new URL('http://localhost:3000/auth/callback');
+      const result = correctOIDCUrl(mockRequest, originalUrl);
+
+      // Should fall back to http protocol from URL
+      expect(result.protocol).toBe('http:');
+      expect(result.toString()).toBe('http://example.com:3000/auth/callback');
+    });
+
+    it('should handle uppercase in forwarded protocol', () => {
+      (mockRequest.headers.get as any).mockImplementation((header: string) => {
+        if (header === 'host') return 'example.com';
+        if (header === 'x-forwarded-host') return 'example.com';
+        if (header === 'x-forwarded-proto') return 'HTTPS'; // Uppercase
+        return null;
+      });
+
+      const originalUrl = new URL('http://localhost:3000/auth/callback');
+      const result = correctOIDCUrl(mockRequest, originalUrl);
+
+      // Should normalize to lowercase
+      expect(result.protocol).toBe('https:');
+      expect(result.toString()).toBe('https://example.com:3000/auth/callback');
+    });
+
+    it('should handle multiple hosts in x-forwarded-host', () => {
+      (mockRequest.headers.get as any).mockImplementation((header: string) => {
+        if (header === 'host') return 'internal.com';
+        if (header === 'x-forwarded-host') return 'example.com,attacker.com'; // Multiple hosts
+        return null;
+      });
+
+      const originalUrl = new URL('http://localhost:3000/auth/callback');
+      const result = correctOIDCUrl(mockRequest, originalUrl);
+
+      // Should use the first (leftmost) host
+      expect(result.hostname).toBe('example.com');
+      expect(result.toString()).toBe('http://example.com:3000/auth/callback');
+    });
+
+    it('should fall back to request host when forwarded host is invalid', () => {
+      (mockRequest.headers.get as any).mockImplementation((header: string) => {
+        if (header === 'host') return 'example.com';
+        if (header === 'x-forwarded-host') return 'evil.com'; // Invalid
+        return null;
+      });
+
+      const originalUrl = new URL('http://localhost:3000/auth/callback');
+      const result = correctOIDCUrl(mockRequest, originalUrl);
+
+      // Should fall back to request host
+      expect(result.hostname).toBe('example.com');
+      expect(result.toString()).toBe('http://example.com:3000/auth/callback');
     });
   });
 });

package/packages/utils/src/server/correctOIDCUrl.ts

@@ -5,29 +5,69 @@ import { validateRedirectHost } from './validateRedirectHost';
 
 const log = debug('lobe-oidc:correctOIDCUrl');
 
+// Allowed protocols for security
+const ALLOWED_PROTOCOLS = ['http', 'https'] as const;
+
 /**
  * Fix OIDC redirect URL issues in proxy environments
+ *
+ * This function:
+ * 1. Validates protocol against whitelist (http, https only)
+ * 2. Handles X-Forwarded-Host with multiple values (RFC 7239)
+ * 3. Validates X-Forwarded-Host against APP_URL to prevent open redirect attacks
+ * 4. Provides fallback logic for invalid forwarded values
+ *
+ * Note: Only X-Forwarded-Host is validated, not the Host header. This is because:
+ * - X-Forwarded-Host can be injected by attackers
+ * - Host header comes from the reverse proxy or direct access, which is trusted
+ *
  * @param req - Next.js request object
  * @param url - URL object to fix
  * @returns Fixed URL object
  */
 export const correctOIDCUrl = (req: NextRequest, url: URL): URL => {
+  log('Input URL: %s', url.toString());
+
+  // Get request headers for origin determination
   const requestHost = req.headers.get('host');
   const forwardedHost = req.headers.get('x-forwarded-host');
   const forwardedProto =
     req.headers.get('x-forwarded-proto') || req.headers.get('x-forwarded-protocol');
 
-  log('Input URL: %s', url.toString());
   log(
-    'Request headers - host: %s, x-forwarded-host: %s, x-forwarded-proto: %s',
+    'Getting safe origin - requestHost: %s, forwardedHost: %s, forwardedProto: %s',
     requestHost,
     forwardedHost,
     forwardedProto,
   );
 
-  // Determine actual hostname and protocol with fallback values
-  const actualHost = forwardedHost || requestHost;
-  const actualProto = forwardedProto || (url.protocol === 'https:' ? 'https' : 'http');
+  // Determine actual hostname with fallback values
+  // Handle multiple hosts in X-Forwarded-Host (RFC 7239: comma-separated)
+  let actualHost = forwardedHost || requestHost;
+  if (forwardedHost && forwardedHost.includes(',')) {
+    // Take the first (leftmost) host as the original client's request
+    actualHost = forwardedHost.split(',')[0]!.trim();
+    log('Multiple hosts in X-Forwarded-Host, using first: %s', actualHost);
+  }
+
+  // Determine actual protocol with validation
+  // Use URL's protocol as fallback to preserve original behavior
+  let actualProto: string | null | undefined = forwardedProto;
+  if (actualProto) {
+    // Validate protocol is http or https
+    const protoLower = actualProto.toLowerCase();
+    if (!ALLOWED_PROTOCOLS.includes(protoLower as any)) {
+      log('Warning: Invalid protocol %s, ignoring', actualProto);
+      actualProto = null;
+    } else {
+      actualProto = protoLower;
+    }
+  }
+
+  // Fallback protocol priority: URL protocol > request.nextUrl.protocol > 'https'
+  if (!actualProto) {
+    actualProto = url.protocol === 'https:' ? 'https' : 'http';
+  }
 
   // If unable to determine valid hostname, return original URL
   if (!actualHost || actualHost === 'null') {
@@ -35,9 +75,30 @@ export const correctOIDCUrl = (req: NextRequest, url: URL): URL => {
     return url;
   }
 
-  // Validate target host for security, prevent Open Redirect attacks
-  if (!validateRedirectHost(actualHost)) {
-    log('Warning: Target host %s failed validation, returning original URL', actualHost);
+  // Validate only X-Forwarded-Host for security, prevent Open Redirect attacks
+  // Host header is trusted (comes from reverse proxy or direct access)
+  if (forwardedHost && !validateRedirectHost(actualHost)) {
+    log('Warning: X-Forwarded-Host %s failed validation, falling back to request host', actualHost);
+    // Try to fall back to request host if forwarded host is invalid
+    if (requestHost) {
+      actualHost = requestHost;
+    } else {
+      // No valid host available
+      log('Error: No valid host available after validation, returning original URL');
+      return url;
+    }
+  }
+
+  // Build safe origin
+  const safeOrigin = `${actualProto}://${actualHost}`;
+  log('Safe origin: %s', safeOrigin);
+
+  // Parse safe origin to get hostname and protocol
+  let safeOriginUrl: URL;
+  try {
+    safeOriginUrl = new URL(safeOrigin);
+  } catch (error) {
+    log('Error parsing safe origin: %O', error);
     return url;
   }
 
@@ -46,24 +107,28 @@ export const correctOIDCUrl = (req: NextRequest, url: URL): URL => {
     url.hostname === 'localhost' ||
     url.hostname === '127.0.0.1' ||
     url.hostname === '0.0.0.0' ||
-    url.hostname !== actualHost;
+    url.hostname !== safeOriginUrl.hostname;
+
+  if (!needsCorrection) {
+    log('URL does not need correction, returning original: %s', url.toString());
+    return url;
+  }
 
-  if (needsCorrection) {
-    log('URL needs correction. Original hostname: %s, correcting to: %s', url.hostname, actualHost);
+  log(
+    'URL needs correction. Original hostname: %s, correcting to: %s',
+    url.hostname,
+    safeOriginUrl.hostname,
+  );
 
-    try {
-      const correctedUrl = new URL(url.toString());
-      correctedUrl.protocol = actualProto + ':';
-      correctedUrl.host = actualHost;
+  try {
+    const correctedUrl = new URL(url.toString());
+    correctedUrl.protocol = safeOriginUrl.protocol;
+    correctedUrl.host = safeOriginUrl.host;
 
-      log('Corrected URL: %s', correctedUrl.toString());
-      return correctedUrl;
-    } catch (error) {
-      log('Error creating corrected URL, returning original: %O', error);
-      return url;
-    }
+    log('Corrected URL: %s', correctedUrl.toString());
+    return correctedUrl;
+  } catch (error) {
+    log('Error creating corrected URL, returning original: %O', error);
+    return url;
   }
-
-  log('URL does not need correction, returning original: %s', url.toString());
-  return url;
 };

package/packages/utils/src/server/index.ts

@@ -3,4 +3,5 @@ export * from './correctOIDCUrl';
 export * from './response';
 export * from './responsive';
 export * from './sse';
+export * from './validateRedirectHost';
 export * from './xor';

package/src/app/(backend)/oidc/callback/desktop/route.ts

@@ -10,41 +10,15 @@ const log = debug('lobe-oidc:callback:desktop');
 const errorPathname = '/oauth/callback/error';
 
 /**
- * 安全地构建重定向URL
+ * 安全地构建重定向URL，使用经过验证的 correctOIDCUrl 防止开放重定向攻击
  */
 const buildRedirectUrl = (req: NextRequest, pathname: string): URL => {
-  const forwardedHost = req.headers.get('x-forwarded-host');
-  const requestHost = req.headers.get('host');
-  const forwardedProto =
-    req.headers.get('x-forwarded-proto') || req.headers.get('x-forwarded-protocol');
-
-  // 确定实际的主机名，提供后备值
-  const actualHost = forwardedHost || requestHost;
-  const actualProto = forwardedProto || 'https';
-
-  log(
-    'Building redirect URL - host: %s, proto: %s, pathname: %s',
-    actualHost,
-    actualProto,
-    pathname,
-  );
-
-  // 如果主机名仍然无效，使用req.nextUrl作为后备
-  if (!actualHost) {
-    log('Warning: Invalid host detected, using req.nextUrl as fallback');
-    const fallbackUrl = req.nextUrl.clone();
-    fallbackUrl.pathname = pathname;
-    return fallbackUrl;
-  }
+  // 使用 req.nextUrl 作为基础URL，然后通过 correctOIDCUrl 进行验证和修正
+  const baseUrl = req.nextUrl.clone();
+  baseUrl.pathname = pathname;
 
-  try {
-    return new URL(`${actualProto}://${actualHost}${pathname}`);
-  } catch (error) {
-    log('Error constructing URL, using req.nextUrl as fallback: %O', error);
-    const fallbackUrl = req.nextUrl.clone();
-    fallbackUrl.pathname = pathname;
-    return fallbackUrl;
-  }
+  // correctOIDCUrl 会验证 X-Forwarded-* 头部并防止开放重定向攻击
+  return correctOIDCUrl(req, baseUrl);
 };
 
 export const GET = async (req: NextRequest) => {
@@ -82,9 +56,6 @@ export const GET = async (req: NextRequest) => {
     log('Request x-forwarded-proto: %s', req.headers.get('x-forwarded-proto'));
     log('Constructed success URL: %s', successUrl.toString());
 
-    const correctedUrl = correctOIDCUrl(req, successUrl);
-    log('Final redirect URL: %s', correctedUrl.toString());
-
     // cleanup expired
     after(async () => {
       const cleanedCount = await authHandoffModel.cleanupExpired();
@@ -92,7 +63,7 @@ export const GET = async (req: NextRequest) => {
       log('Cleaned up %d expired handoff records', cleanedCount);
     });
 
-    return NextResponse.redirect(correctedUrl);
+    return NextResponse.redirect(successUrl);
   } catch (error) {
     log('Error in OIDC callback: %O', error);
 

package/src/app/[variants]/router/index.tsx

@@ -1,20 +1,16 @@
 'use client';
 
-import { useEffect, useState } from 'react';
+import dynamic from 'next/dynamic';
 
-import DesktopClientRouter from './DesktopClientRouter';
+import Loading from '@/components/Loading/BrandTextLoading';
+
+const DesktopRouterClient = dynamic(() => import('./DesktopClientRouter'), {
+  loading: () => <Loading debugId="DesktopRouter" />,
+  ssr: false,
+});
 
-const useIsClient = () => {
-  const [isClient, setIsClient] = useState(false);
-  useEffect(() => {
-    setIsClient(true);
-  }, []);
-  return isClient;
-};
 const DesktopRouter = () => {
-  const isClient = useIsClient();
-  if (!isClient) return null;
-  return <DesktopClientRouter />;
+  return <DesktopRouterClient />;
 };
 
 export default DesktopRouter;

package/src/libs/next/proxy/define-config.ts

@@ -234,8 +234,10 @@ export function defineConfig() {
       // ref: https://authjs.dev/getting-started/session-management/protecting
       if (isProtected) {
         logNextAuth('Request a protected route, redirecting to sign-in page');
-        const nextLoginUrl = new URL('/next-auth/signin', req.nextUrl.origin);
-        nextLoginUrl.searchParams.set('callbackUrl', req.nextUrl.href);
+        const authUrl = authEnv.NEXT_PUBLIC_AUTH_URL;
+        const callbackUrl = `${authUrl}${req.nextUrl.pathname}${req.nextUrl.search}`;
+        const nextLoginUrl = new URL('/next-auth/signin', authUrl);
+        nextLoginUrl.searchParams.set('callbackUrl', callbackUrl);
         const hl = req.nextUrl.searchParams.get('hl');
         if (hl) {
           nextLoginUrl.searchParams.set('hl', hl);
@@ -320,8 +322,10 @@ export function defineConfig() {
       // If request a protected route, redirect to sign-in page
       if (isProtected) {
         logBetterAuth('Request a protected route, redirecting to sign-in page');
-        const signInUrl = new URL('/signin', req.nextUrl.origin);
-        signInUrl.searchParams.set('callbackUrl', req.nextUrl.href);
+        const authUrl = authEnv.NEXT_PUBLIC_AUTH_URL;
+        const callbackUrl = `${authUrl}${req.nextUrl.pathname}${req.nextUrl.search}`;
+        const signInUrl = new URL('/signin', authUrl);
+        signInUrl.searchParams.set('callbackUrl', callbackUrl);
         const hl = req.nextUrl.searchParams.get('hl');
         if (hl) {
           signInUrl.searchParams.set('hl', hl);