@pylonsync/next 0.3.31 → 0.3.33

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/package.json +1 -1
  2. package/src/auth.ts +15 -1
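--- a/package/package.json
+++ b/package/package.json
@@ -3,7 +3,7 @@
  "publishConfig": {
  "access": "public"
  },
- "version": "0.3.31",
+ "version": "0.3.33",
  "type": "module",
  "description": "Next.js helpers for Pylon — cookie-based auth gate, server-side session helpers, and reusable client hooks.",
  "exports": {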
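--- a/package/src/auth.ts
+++ b/package/src/auth.ts
@@ -86,7 +86,21 @@ export function startOAuthLogin(
  opts: StartOAuthLoginOptions = {},
  ): void {
  const origin = window.location.origin;
- const successUrl = opts.successUrl ?? `${origin}/dashboard`;
+ // Honor ?next=<path> on the current URL so that when the framework's
+ // /studio gate (or any other proxy.ts auth bounce) sends the user
+ // here with `?next=/studio`, the OAuth flow lands them back on
+ // /studio instead of the generic /dashboard. Same-origin only —
+ // reject absolute URLs and protocol-relative paths to close the
+ // open-redirect vector.
+ const nextParam =
+ typeof window !== "undefined"
+ ? new URLSearchParams(window.location.search).get("next")
+ : null;
+ const safeNext =
+ nextParam && nextParam.startsWith("/") && !nextParam.startsWith("//")
+ ? `${origin}${nextParam}`
+ : null;
+ const successUrl = opts.successUrl ?? safeNext ?? `${origin}/dashboard`;
  const errorUrl = opts.errorUrl ?? `${origin}/login`;
  const params = new URLSearchParams({
  redirect: "1",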
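Review bot: The `typeof window !== "undefined"` guard on new line 96 is dead, because the unchanged line 88 directly above already dereferences `window.location.origin`; a non-browser call would throw there before the guard is reached, so either move the guard above the `origin` read or simplify to `const nextParam = new URLSearchParams(window.location.search).get("next");`. The same-origin check on new line 100 relies on string prefixes alone; a parse-based check is harder to get wrong and tolerates unusual separators, e.g. `const safeNext = nextParam && nextParam.startsWith("/") && !nextParam.startsWith("//") && new URL(nextParam, origin).origin === origin ? new URL(nextParam, origin).href : null;`. The resulting successUrl presumably travels to the server in the query string assembled from line 105 onward, so the server side should re-validate it independently; that code is outside this hunk, as is the start of startOAuthLogin's signature.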