fix(clerk-js): Do not discard relative redirect urls (#754)

clerk · Feb 1, 2023 · 6b227ff · 6b227ff
1 parent 96d18a3
commit 6b227ff
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 12 deletions.
diff --git a/packages/clerk-js/src/ui/common/authPropHelpers.ts b/packages/clerk-js/src/ui/common/authPropHelpers.ts
@@ -44,7 +44,7 @@ export const extractAuthProp = (
     ctx.redirectUrl ||
     displayConfig[key];
 
-  if (!isValidUrl(url) || hasBannedProtocol(url)) {
+  if (!isValidUrl(url, { includeRelativeUrls: true }) || hasBannedProtocol(url)) {
     return '';
   }
 

diff --git a/packages/clerk-js/src/utils/__tests__/url.test.ts b/packages/clerk-js/src/utils/__tests__/url.test.ts
@@ -80,16 +80,16 @@ describe('isValidUrl(url)', () => {
 });
 
 describe('isValidUrl(url,base)', () => {
-  const cases: Array<[string, string | undefined, boolean]> = [
-    ['', 'https://www.clerk.dev/', true],
-    ['/test', 'https://www.clerk.dev/', true],
-    ['/test?clerk=true', 'https://www.clerk.dev/', true],
-    ['/test?clerk=true', '', false],
-    ['/test?clerk=true', undefined, false],
+  const cases: Array<[string, boolean]> = [
+    ['', true],
+    ['/', true],
+    ['/test', true],
+    ['/test?clerk=true', true],
+    ['/?clerk=true', true],
   ];
 
-  test.each(cases)('.isValidUrl(%s,%s)', (a, b, expected) => {
-    expect(isValidUrl(a, b)).toBe(expected);
+  test.each(cases)('.isValidUrl(%s,%s)', (a, expected) => {
+    expect(isValidUrl(a, { includeRelativeUrls: true })).toBe(expected);
   });
 });
 
@@ -108,6 +108,9 @@ describe('hasBannedProtocol(url)', () => {
   const cases: Array<[string, boolean]> = [
     ['https://www.clerk.dev/', false],
     ['http://www.clerk.dev/', false],
+    ['/sign-in', false],
+    ['/sign-in?test=1', false],
+    ['/?test', false],
     ['javascript:console.log(document.cookies)', true],
     ['data:image/png;base64,iVBORw0KGgoAAA5ErkJggg==', false],
   ];

diff --git a/packages/clerk-js/src/utils/url.ts b/packages/clerk-js/src/utils/url.ts
@@ -289,13 +289,14 @@ export function removeSearchParameterFromHash({
   return dummyUrlForHash.href.replace(DUMMY_URL_BASE, '');
 }
 
-export function isValidUrl(val: unknown, base?: string): val is string {
-  if (!val && !base) {
+export function isValidUrl(val: unknown, opts?: { includeRelativeUrls?: boolean }): val is string {
+  const { includeRelativeUrls = false } = opts || {};
+  if (!val && !includeRelativeUrls) {
     return false;
   }
 
   try {
-    new URL(val as string, base);
+    new URL(val as string, includeRelativeUrls ? DUMMY_URL_BASE : undefined);
     return true;
   } catch (e) {
     return false;