ponderants/app
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: Preserve original host in OAuth callback redirects

Browse Source 
Fixed OAuth callback to preserve the original host (localhost vs 127.0.0.1)
by using request headers instead of request.url as the base URL for redirects.

This ensures that if a user accesses the app via 127.0.0.1, they will be
redirected back to 127.0.0.1 after OAuth, and vice versa for localhost.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Albert
2025-11-09 04:50:47 +00:00
parent b22931f393
commit 9a2c0f9a96
1 changed files with 10 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
app/api/auth/callback/route.ts
View File

@@ -24,13 +24,18 @@ import Surreal from 'surrealdb';
export async function GET(request: NextRequest) {
const { searchParams } = new URL(request.url);
// Get base URL from request headers to preserve the original host
const protocol = request.headers.get('x-forwarded-proto') || 'http';
const host = request.headers.get('host') || 'localhost:3000';
const baseUrl = `${protocol}://${host}`;
// Check for error from OAuth provider
const error = searchParams.get('error');
if (error) {
const errorDescription = searchParams.get('error_description') || 'Unknown error';
console.error('[OAuth Callback] Error from provider:', error, errorDescription);
return NextResponse.redirect(
new URL(`/login?error=${encodeURIComponent(errorDescription)}`, request.url)
new URL(`/login?error=${encodeURIComponent(errorDescription)}`, baseUrl)
);
}
@@ -105,7 +110,7 @@ export async function GET(request: NextRequest) {
}
// Create redirect response
const response = NextResponse.redirect(new URL(returnTo, request.url));
const response = NextResponse.redirect(new URL(returnTo, baseUrl));
// Set SurrealDB JWT cookie (for our app's authorization)
response.cookies.set('ponderants-auth', surrealJwt, {
@@ -130,20 +135,20 @@ export async function GET(request: NextRequest) {
if (error instanceof Error) {
if (error.message.includes('Invalid state')) {
return NextResponse.redirect(
new URL('/login?error=Invalid or expired session', request.url)
new URL('/login?error=Invalid or expired session', baseUrl)
);
}
if (error.message.includes('DPoP')) {
console.error('[OAuth Callback] DPoP error - this should not happen with the library!', error);
return NextResponse.redirect(
new URL('/login?error=Authentication protocol error', request.url)
new URL('/login?error=Authentication protocol error', baseUrl)
);
}
}
return NextResponse.redirect(
new URL('/login?error=Authentication failed', request.url)
new URL('/login?error=Authentication failed', baseUrl)
);
}
}