@valentinkolb/cloud 0.5.0 → 0.5.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@valentinkolb/cloud",
-  "version": "0.5.0",
+  "version": "0.5.1",
   "description": "Modular Hono+SolidJS framework for building per-app docker services behind a dynamic gateway. Powers cloud.stuve-ulm.de.",
   "license": "MIT",
   "repository": {

package/src/api/auth.ts

@@ -49,8 +49,8 @@ const app = new Hono<AuthContext>()
 
       const loginResult = await authFlows.ipa.login({ username, password });
       if (!loginResult.ok && loginResult.reason === "password_expired") {
-        log.info("Login failed", { uid: username, reason: "password_expired" });
-        return c.json({ message: "Password expired", passwordExpired: true }, 401);
+        log.info("Login failed", { uid: loginResult.uid, reason: "password_expired" });
+        return c.json({ message: "Password expired", passwordExpired: true, ipaUid: loginResult.uid }, 401);
       }
       if (!loginResult.ok) {
         log.info("Login failed", {
@@ -63,7 +63,7 @@ const app = new Hono<AuthContext>()
       // Store minimal session in Redis
       const sessionToken = await auth.session.create(c, loginResult.userId);
 
-      log.info("Login successful", { uid: username });
+      log.info("Login successful", { uid: loginResult.user.uid });
       return c.json({
         session_token: sessionToken,
         user: loginResult.user,

package/src/services/auth-flows/ipa.ts

@@ -1,10 +1,11 @@
 import { sql } from "bun";
 import { accounts } from "../accounts";
+import { logger } from "../logging";
 import { providers } from "../providers";
 import type { User } from "../../contracts/shared";
 
 type IpaLoginFailure =
-  | { ok: false; status: 401; reason: "password_expired"; message: string }
+  | { ok: false; status: 401; reason: "password_expired"; message: string; uid: string }
   | { ok: false; status: 401; reason: "invalid_credentials"; message: string }
   | { ok: false; status: 400; reason: "user_not_synced"; message: string }
   | { ok: false; status: 400; reason: "user_not_found"; message: string }
@@ -20,6 +21,42 @@ type IpaLoginSuccess = {
 
 export type IpaLoginFlowResult = IpaLoginSuccess | IpaLoginFailure;
 
+const log = logger("auth:ipa");
+const DUMMY_LOGIN_UID = "__cloud_invalid_ipa_email_login__";
+
+const normalizeEmail = (value: string): string => value.trim().toLowerCase();
+
+const resolveIpaLoginUid = async (identifier: string): Promise<string | null> => {
+  const trimmed = identifier.trim();
+  if (!trimmed) return null;
+  if (!trimmed.includes("@")) return trimmed;
+
+  const rows = await sql<{ uid: string }[]>`
+    SELECT uid
+    FROM auth.users
+    WHERE provider = 'ipa'
+      AND lower(btrim(mail)) = ${normalizeEmail(trimmed)}
+  `;
+
+  if (rows.length !== 1) {
+    if (rows.length > 1) {
+      log.warn("FreeIPA email login skipped: ambiguous email", {
+        email: normalizeEmail(trimmed),
+        matches: rows.length,
+      });
+    }
+    return null;
+  }
+  return rows[0]!.uid;
+};
+
+const failInvalidCredentials = async (params: { identifier: string; password: string }): Promise<IpaLoginFailure> => {
+  if (params.identifier.trim().includes("@")) {
+    await providers.ipa.auth.login(DUMMY_LOGIN_UID, params.password).catch(() => undefined);
+  }
+  return { ok: false, status: 401, reason: "invalid_credentials", message: "Invalid username or password" };
+};
+
 const loadSyncedIpaUser = async (uid: string): Promise<{ ok: true; userId: string; user: User } | IpaLoginFailure> => {
   const userRows = await sql`
     SELECT id FROM auth.users
@@ -50,9 +87,14 @@ const loadSyncedIpaUser = async (uid: string): Promise<{ ok: true; userId: strin
 };
 
 export const login = async (params: { username: string; password: string }): Promise<IpaLoginFlowResult> => {
-  const loginResult = await providers.ipa.auth.login(params.username, params.password);
+  const uid = await resolveIpaLoginUid(params.username);
+  if (!uid) {
+    return failInvalidCredentials({ identifier: params.username, password: params.password });
+  }
+
+  const loginResult = await providers.ipa.auth.login(uid, params.password);
   if (loginResult.status === "password_expired") {
-    return { ok: false, status: 401, reason: "password_expired", message: "Password expired" };
+    return { ok: false, status: 401, reason: "password_expired", message: "Password expired", uid };
   }
   if (loginResult.status !== "success") {
     return { ok: false, status: 401, reason: "invalid_credentials", message: "Invalid username or password" };
@@ -61,7 +103,7 @@ export const login = async (params: { username: string; password: string }): Pro
   // Must reach a "synced" outcome before granting a session. Stale mirror rows
   // (expired remotely, dropped from sync scope, or fetch failures) must never
   // grant a fresh local session on the back of successful FreeIPA credentials.
-  const syncOutcome = await providers.ipa.sync.user(params.username);
+  const syncOutcome = await providers.ipa.sync.user(uid);
   switch (syncOutcome.status) {
     case "synced":
       break;
@@ -97,7 +139,7 @@ export const login = async (params: { username: string; password: string }): Pro
       };
   }
 
-  const userResult = await loadSyncedIpaUser(params.username);
+  const userResult = await loadSyncedIpaUser(uid);
   if (!userResult.ok) return userResult;
 
   return {

package/src/services/auth-flows/magic-link.ts

@@ -1,4 +1,4 @@
-import { sql } from "bun";
+import { redis, sql } from "bun";
 import { accounts } from "../accounts";
 import { notifications } from "../notifications";
 import { providers } from "../providers";
@@ -6,33 +6,95 @@ import * as settings from "../settings";
 import { renderTemplate } from "../settings/templates";
 import type { User } from "../../contracts/shared";
 import { createAuthLoginUrl } from "../../shared/redirect";
+import { logger } from "../logging";
+
+const log = logger("auth:magic-link");
+const IPA_HINT_COOLDOWN_SECONDS = 300;
+
+const normalizeEmail = (email: string): string => email.trim().toLowerCase();
+const ipaHintCooldownKey = (email: string): string => `ipa-email-login-hint-cooldown:${email}`;
+
+const getAppUrl = async (): Promise<string> => {
+  const rawAppUrl = await settings.get<string>("app.url");
+  return rawAppUrl.startsWith("http") ? rawAppUrl : `https://${rawAppUrl}`;
+};
+
+const hasIpaAccountForEmail = async (email: string): Promise<boolean> => {
+  const rows = await sql<{ exists: boolean }[]>`
+    SELECT EXISTS (
+      SELECT 1
+      FROM auth.users
+      WHERE provider = 'ipa'
+        AND lower(btrim(mail)) = ${email}
+    ) AS exists
+  `;
+  return Boolean(rows[0]?.exists);
+};
+
+const claimIpaHintCooldown = async (email: string): Promise<boolean> => {
+  const result = await redis.send("SET", [
+    ipaHintCooldownKey(email),
+    "1",
+    "EX",
+    String(IPA_HINT_COOLDOWN_SECONDS),
+    "NX",
+  ]);
+  return result === "OK";
+};
+
+const sendIpaEmailLoginHint = async (params: { email: string; redirectTo?: string }): Promise<void> => {
+  const appUrl = await getAppUrl();
+  const loginUrl = createAuthLoginUrl(appUrl, {
+    method: "ipa",
+    redirectTo: params.redirectTo,
+  });
+  const [appName, contactEmail, template] = await Promise.all([
+    settings.get<string>("app.name"),
+    settings.get<string>("app.contact_email"),
+    settings.get<string>("mail.ipa_email_login_hint"),
+  ]);
+
+  await notifications.send({
+    type: "email",
+    recipient: params.email,
+    subject: `${appName} FreeIPA Sign In`,
+    rawHtml: renderTemplate(template, {
+      EMAIL: params.email,
+      LOGIN_URL: loginUrl,
+      APP_NAME: appName,
+      CONTACT_EMAIL: contactEmail?.trim() ?? "",
+    }),
+  });
+};
 
 export const request = async (params: { email: string; redirectTo?: string }): Promise<
   | { ok: true }
   | { ok: false; status: 400; message: string }
 > => {
-  const userRows = await sql`SELECT uid, provider FROM auth.users WHERE mail = ${params.email}`;
+  const email = normalizeEmail(params.email);
+  const hasIpaUser = await hasIpaAccountForEmail(email);
+  const userRows = hasIpaUser ? [] : await sql`SELECT uid, provider FROM auth.users WHERE lower(btrim(mail)) = ${email}`;
   const hasLocalUser = userRows.some((row: { provider: string | null }) => row.provider === "local");
-  const hasIpaUser = userRows.some((row: { provider: string | null }) => row.provider === "ipa");
   const allowSelfRegistration = await settings.get<boolean>("user.allow_self_registration");
 
-  if (!hasLocalUser && !allowSelfRegistration) {
-    return {
-      ok: false,
-      status: 400,
-      message: "Only existing local accounts can sign in with email. Contact an administrator if you need access.",
-    };
+  if (hasIpaUser) {
+    if (await claimIpaHintCooldown(email)) {
+      void sendIpaEmailLoginHint({ email, redirectTo: params.redirectTo }).catch((error) => {
+        log.warn("Failed to send FreeIPA email-login hint", {
+          email,
+          error: error instanceof Error ? error.message : String(error),
+        });
+      });
+    }
+    return { ok: true };
   }
 
-  if (!hasLocalUser && hasIpaUser) {
-    // Return ok without sending email to prevent account enumeration.
-    // IPA-only users must authenticate via Kerberos, not magic-link.
+  if (!hasLocalUser && !allowSelfRegistration) {
     return { ok: true };
   }
 
-  const token = await providers.local.auth.createMagicLinkToken({ email: params.email, ttlSeconds: 300 });
-  const rawAppUrl = await settings.get<string>("app.url");
-  const appUrl = rawAppUrl.startsWith("http") ? rawAppUrl : `https://${rawAppUrl}`;
+  const token = await providers.local.auth.createMagicLinkToken({ email, ttlSeconds: 300 });
+  const appUrl = await getAppUrl();
   const magicLink = createAuthLoginUrl(appUrl, { token, redirectTo: params.redirectTo });
 
   const appName = await settings.get<string>("app.name");
@@ -40,7 +102,7 @@ export const request = async (params: { email: string; redirectTo?: string }): P
 
   await notifications.send({
     type: "email",
-    recipient: params.email,
+    recipient: email,
     subject: `${appName} Login Code`,
     rawHtml: renderTemplate(template, {
       TOKEN: token,
@@ -63,13 +125,22 @@ export const verify = async (params: { token: string }): Promise<
   }
 
   const { email } = payload;
+  const normalizedEmail = normalizeEmail(email);
+  if (await hasIpaAccountForEmail(normalizedEmail)) {
+    return {
+      ok: false,
+      status: 401,
+      message: "This email address belongs to a FreeIPA-managed account. Sign in with FreeIPA.",
+    };
+  }
+
   // Reject expired accounts at login time, not just during cleanup. Without
   // this, an expired local user / guest could still authenticate in the
   // window between expiry and the next lifecycle run.
   const userRows = await sql`
     SELECT id, account_expires
     FROM auth.users
-    WHERE mail = ${email} AND provider = 'local'
+    WHERE lower(btrim(mail)) = ${normalizedEmail} AND provider = 'local'
       AND (account_expires IS NULL OR account_expires > now())
     ORDER BY profile = 'user' DESC
     LIMIT 1
@@ -84,7 +155,7 @@ export const verify = async (params: { token: string }): Promise<
     const expiredRows = await sql`
       SELECT id
       FROM auth.users
-      WHERE mail = ${email} AND provider = 'local'
+      WHERE lower(btrim(mail)) = ${normalizedEmail} AND provider = 'local'
         AND account_expires IS NOT NULL AND account_expires <= now()
       LIMIT 1
     `;

package/src/services/notifications/index.ts

@@ -1,13 +1,14 @@
 import { sql } from "bun";
-import { sendEmail } from "./email";
 import type { PaginationParams } from "../../contracts/shared";
-import { escapeLikePattern } from "../postgres";
 import { logger } from "../logging";
+import { escapeLikePattern } from "../postgres";
+import { sendEmail } from "./email";
 
 const log = logger("notifications");
 
 export type NotificationType = "email";
 export type NotificationStatus = "sent" | "pending" | "error";
+export type NotificationStatusSummary = Record<NotificationStatus, number>;
 
 /**
  * Computes notification delivery status from sent/error timestamps.
@@ -56,6 +57,12 @@ export type NotificationMessage = {
   status: NotificationStatus;
 };
 
+const emptyStatusSummary = (): NotificationStatusSummary => ({
+  sent: 0,
+  pending: 0,
+  error: 0,
+});
+
 type DbNotificationRow = {
   id: string;
   type: NotificationType;
@@ -143,23 +150,26 @@ export const sendToUser = async (params: SendToUserParams): Promise<{ ok: true;
  */
 export const list = async (
   pagination: PaginationParams,
-  options?: { sentBy?: string; isAdmin?: boolean; search?: string },
+  options?: { sentBy?: string; isAdmin?: boolean; search?: string; status?: NotificationStatus },
 ): Promise<{ notifications: NotificationMessage[]; total: number }> => {
   const { offset, perPage } = pagination;
-  const { sentBy, isAdmin, search } = options ?? {};
+  const { sentBy, isAdmin, search, status } = options ?? {};
 
   // Build query based on permissions
   let countRows: Array<{ count: number | string }> = [];
   let dataRows: DbNotificationRow[] = [];
 
   const searchPattern = search ? `%${escapeLikePattern(search)}%` : null;
+  const statusFilter = status ?? null;
 
   if (isAdmin) {
     // Admins see all notifications
     if (searchPattern) {
       countRows = await sql`
         SELECT COUNT(*)::int as count FROM notifications.messages
-        WHERE subject ILIKE ${searchPattern} ESCAPE '\' OR content ILIKE ${searchPattern} ESCAPE '\' OR recipient ILIKE ${searchPattern} ESCAPE '\'
+        WHERE
+          (${statusFilter}::text IS NULL OR CASE WHEN sent_at IS NOT NULL THEN 'sent' WHEN error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter})
+          AND (subject ILIKE ${searchPattern} ESCAPE '\' OR content ILIKE ${searchPattern} ESCAPE '\' OR recipient ILIKE ${searchPattern} ESCAPE '\')
       `;
       dataRows = await sql`
         SELECT
@@ -168,12 +178,17 @@ export const list = async (
           u.display_name as sent_by_name
         FROM notifications.messages m
         LEFT JOIN auth.users u ON m.sent_by = u.id
-        WHERE m.subject ILIKE ${searchPattern} ESCAPE '\' OR m.content ILIKE ${searchPattern} ESCAPE '\' OR m.recipient ILIKE ${searchPattern} ESCAPE '\'
+        WHERE
+          (${statusFilter}::text IS NULL OR CASE WHEN m.sent_at IS NOT NULL THEN 'sent' WHEN m.error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter})
+          AND (m.subject ILIKE ${searchPattern} ESCAPE '\' OR m.content ILIKE ${searchPattern} ESCAPE '\' OR m.recipient ILIKE ${searchPattern} ESCAPE '\')
         ORDER BY m.created_at DESC
         LIMIT ${perPage} OFFSET ${offset}
       `;
     } else {
-      countRows = await sql`SELECT COUNT(*)::int as count FROM notifications.messages`;
+      countRows = await sql`
+        SELECT COUNT(*)::int as count FROM notifications.messages
+        WHERE ${statusFilter}::text IS NULL OR CASE WHEN sent_at IS NOT NULL THEN 'sent' WHEN error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter}
+      `;
       dataRows = await sql`
         SELECT
           m.id, m.type, m.recipient, m.subject, m.content,
@@ -181,6 +196,7 @@ export const list = async (
           u.display_name as sent_by_name
         FROM notifications.messages m
         LEFT JOIN auth.users u ON m.sent_by = u.id
+        WHERE ${statusFilter}::text IS NULL OR CASE WHEN m.sent_at IS NOT NULL THEN 'sent' WHEN m.error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter}
         ORDER BY m.created_at DESC
         LIMIT ${perPage} OFFSET ${offset}
       `;
@@ -190,7 +206,10 @@ export const list = async (
     if (searchPattern) {
       countRows = await sql`
         SELECT COUNT(*)::int as count FROM notifications.messages
-        WHERE sent_by = ${sentBy} AND (subject ILIKE ${searchPattern} ESCAPE '\' OR content ILIKE ${searchPattern} ESCAPE '\' OR recipient ILIKE ${searchPattern} ESCAPE '\')
+        WHERE
+          sent_by = ${sentBy}
+          AND (${statusFilter}::text IS NULL OR CASE WHEN sent_at IS NOT NULL THEN 'sent' WHEN error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter})
+          AND (subject ILIKE ${searchPattern} ESCAPE '\' OR content ILIKE ${searchPattern} ESCAPE '\' OR recipient ILIKE ${searchPattern} ESCAPE '\')
       `;
       dataRows = await sql`
         SELECT
@@ -199,12 +218,20 @@ export const list = async (
           u.display_name as sent_by_name
         FROM notifications.messages m
         LEFT JOIN auth.users u ON m.sent_by = u.id
-        WHERE m.sent_by = ${sentBy} AND (m.subject ILIKE ${searchPattern} ESCAPE '\' OR m.content ILIKE ${searchPattern} ESCAPE '\' OR m.recipient ILIKE ${searchPattern} ESCAPE '\')
+        WHERE
+          m.sent_by = ${sentBy}
+          AND (${statusFilter}::text IS NULL OR CASE WHEN m.sent_at IS NOT NULL THEN 'sent' WHEN m.error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter})
+          AND (m.subject ILIKE ${searchPattern} ESCAPE '\' OR m.content ILIKE ${searchPattern} ESCAPE '\' OR m.recipient ILIKE ${searchPattern} ESCAPE '\')
         ORDER BY m.created_at DESC
         LIMIT ${perPage} OFFSET ${offset}
       `;
     } else {
-      countRows = await sql`SELECT COUNT(*)::int as count FROM notifications.messages WHERE sent_by = ${sentBy}`;
+      countRows = await sql`
+        SELECT COUNT(*)::int as count FROM notifications.messages
+        WHERE
+          sent_by = ${sentBy}
+          AND (${statusFilter}::text IS NULL OR CASE WHEN sent_at IS NOT NULL THEN 'sent' WHEN error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter})
+      `;
       dataRows = await sql`
         SELECT
           m.id, m.type, m.recipient, m.subject, m.content,
@@ -212,7 +239,9 @@ export const list = async (
           u.display_name as sent_by_name
         FROM notifications.messages m
         LEFT JOIN auth.users u ON m.sent_by = u.id
-        WHERE m.sent_by = ${sentBy}
+        WHERE
+          m.sent_by = ${sentBy}
+          AND (${statusFilter}::text IS NULL OR CASE WHEN m.sent_at IS NOT NULL THEN 'sent' WHEN m.error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter})
         ORDER BY m.created_at DESC
         LIMIT ${perPage} OFFSET ${offset}
       `;
@@ -246,6 +275,47 @@ export const list = async (
   return { notifications, total };
 };
 
+/**
+ * Count current notification statuses for recent entries.
+ */
+export const getStatusSummary = async (options?: {
+  sentBy?: string;
+  isAdmin?: boolean;
+  days?: number;
+}): Promise<NotificationStatusSummary> => {
+  const { sentBy, isAdmin, days = 7 } = options ?? {};
+  const windowDays = Math.max(1, Math.floor(days));
+  const summary = emptyStatusSummary();
+
+  let rows: Array<{ status: NotificationStatus; count: number | string }> = [];
+  if (isAdmin) {
+    rows = await sql`
+      SELECT
+        CASE WHEN sent_at IS NOT NULL THEN 'sent' WHEN error IS NOT NULL THEN 'error' ELSE 'pending' END as status,
+        COUNT(*)::int as count
+      FROM notifications.messages
+      WHERE created_at >= now() - (${windowDays}::int * interval '1 day')
+      GROUP BY status
+    `;
+  } else if (sentBy) {
+    rows = await sql`
+      SELECT
+        CASE WHEN sent_at IS NOT NULL THEN 'sent' WHEN error IS NOT NULL THEN 'error' ELSE 'pending' END as status,
+        COUNT(*)::int as count
+      FROM notifications.messages
+      WHERE sent_by = ${sentBy} AND created_at >= now() - (${windowDays}::int * interval '1 day')
+      GROUP BY status
+    `;
+  }
+
+  for (const row of rows) {
+    const count = typeof row.count === "string" ? Number.parseInt(row.count, 10) : row.count;
+    summary[row.status] = Number.isFinite(count) ? count : 0;
+  }
+
+  return summary;
+};
+
 /**
  * Get a single notification by ID.
  */
@@ -410,4 +480,5 @@ export const notifications = {
   update,
   getPendingSystemCount,
   sendAllPendingSystem,
+  getStatusSummary,
 };

package/src/services/settings/defaults.ts

@@ -438,6 +438,21 @@ export const SETTINGS: SettingDef[] = [
     group: "mail",
     templateVars: ["TOKEN", "MAGIC_LINK", "APP_NAME"],
   },
+  {
+    key: "mail.ipa_email_login_hint",
+    label: "FreeIPA Email Login Hint Template",
+    kind: "template",
+    default: `<p>A sign-in link was requested for <code style="background:#f4f4f5;padding:2px 6px;border-radius:4px;">{{EMAIL}}</code>.</p>
+<p>This email address belongs to a FreeIPA-managed account. Please sign in with your FreeIPA username and password. If your email address is unique in FreeIPA, you can also use it instead of your username.</p>
+<p style="text-align:center;margin:24px 0;">
+  <a href="{{LOGIN_URL}}" target="_blank" style="color:#3b82f6;text-decoration:underline;">Open FreeIPA sign-in</a>
+</p>
+<p style="color:#71717a;font-size:12px;margin:0 0 8px 0;">No email login code was created. If you didn't request this, please ignore this email.</p>
+{{#CONTACT_EMAIL}}<p style="color:#71717a;font-size:12px;margin:0;">If you need help, contact <a href="mailto:{{CONTACT_EMAIL}}">{{CONTACT_EMAIL}}</a>.</p>{{/CONTACT_EMAIL}}`,
+    description: "FreeIPA email-login hint template (HTML). Subject: {{APP_NAME}} FreeIPA Sign In",
+    group: "mail",
+    templateVars: ["EMAIL", "LOGIN_URL", "CONTACT_EMAIL", "APP_NAME"],
+  },
   {
     key: "mail.password_reset",
     label: "Password Reset Template",

package/src/shared/redirect.test.ts

@@ -33,6 +33,15 @@ describe("redirect helpers", () => {
     expect(externalUrl).toBe("https://cloud.example/auth/login?token=token-id");
   });
 
+  test("builds method-specific login links with safe redirects only", () => {
+    const url = createAuthLoginUrl("https://cloud.example", {
+      method: "ipa",
+      redirectTo: "/app/dashboard",
+    });
+
+    expect(url).toBe("https://cloud.example/auth/login?method=ipa&redirectTo=%2Fapp%2Fdashboard");
+  });
+
   test("builds password reset links with safe redirects only", () => {
     const safeUrl = createAuthPasswordResetUrl("https://cloud.example", {
       token: "token-id",

package/src/shared/redirect.ts

@@ -30,9 +30,13 @@ export const createLoginRedirectUrl = (requestUrl: string): string => {
 };
 
 /** Build an absolute auth login URL while preserving only safe local redirects. */
-export const createAuthLoginUrl = (appUrl: string, params: { token?: string; redirectTo?: string | null | undefined } = {}): string => {
+export const createAuthLoginUrl = (
+  appUrl: string,
+  params: { token?: string; method?: "email" | "ipa" | "admin"; redirectTo?: string | null | undefined } = {},
+): string => {
   const url = new URL(`${appUrl.replace(/\/$/, "")}/auth/login`);
   if (params.token) url.searchParams.set("token", params.token);
+  if (params.method) url.searchParams.set("method", params.method);
 
   const redirectTo = normalizeRedirectTo(params.redirectTo);
   if (redirectTo) url.searchParams.set("redirectTo", redirectTo);