fix: use public admin auth redirects

This commit is contained in:
DMleadgen 2026-04-16 11:11:29 -06:00
parent e326cc6bba
commit 4828f044fa
Signed by: matt
GPG key ID: C2720CF8CD701894
2 changed files with 38 additions and 5 deletions


@ -1,3 +1,4 @@
import { headers } from "next/headers"
import { NextResponse } from "next/server"
import {
ADMIN_SESSION_COOKIE,
@ -8,7 +9,9 @@ import {
export async function POST(request: Request) {
if (!isAdminCredentialLoginConfigured()) {
return NextResponse.redirect(new URL("/sign-in?error=config", request.url))
return NextResponse.redirect(
new URL("/sign-in?error=config", await getPublicOrigin(request))
)
}
const formData = await request.formData()
@ -19,12 +22,14 @@ export async function POST(request: Request) {
if (!isAdminCredentialMatch(email, password)) {
return NextResponse.redirect(
new URL("/sign-in?error=invalid", request.url)
new URL("/sign-in?error=invalid", await getPublicOrigin(request))
)
}
const session = await createAdminSession(email)
const response = NextResponse.redirect(new URL("/admin", request.url))
const response = NextResponse.redirect(
new URL("/admin", await getPublicOrigin(request))
)
response.cookies.set(ADMIN_SESSION_COOKIE, session.token, {
httpOnly: true,
sameSite: "lax",
@ -35,3 +40,16 @@ export async function POST(request: Request) {
return response
}
async function getPublicOrigin(request: Request) {
const headerStore = await headers()
const forwardedProto = headerStore.get("x-forwarded-proto")
const forwardedHost = headerStore.get("x-forwarded-host")
const host = forwardedHost || headerStore.get("host")
if (host) {
return `${forwardedProto || "https"}://${host}`
}
return new URL(request.url).origin
}
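Review bot: `getPublicOrigin` builds the redirect `Location` from `x-forwarded-host`, `x-forwarded-proto` and `host` with no validation, so whoever can set those headers chooses the origin the browser is sent to after the admin login (`/admin` on success, `/sign-in?error=…` otherwise). Behind a proxy that always overwrites `X-Forwarded-*` this is fine, but if the app is reachable directly or the proxy passes client-supplied values through, an `X-Forwarded-Host: attacker.example` request turns these redirects into an open redirect to an attacker-controlled host. Only honor the header-derived host when it matches a configured allow-list of public hostnames (or prefer a single configured public origin outright), and otherwise fall back to `new URL(request.url).origin` as the function already does when no host is present. The value may also be a comma-separated list when several proxies are chained; take the first entry with `host.split(",")[0].trim()` (same for the proto) so `new URL(...)` does not throw and turn the login into a 500. The `POST` handler's cookie options continue outside the hunk.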


@ -1,5 +1,5 @@
import { NextResponse } from "next/server"
import { cookies } from "next/headers"
import { cookies, headers } from "next/headers"
import {
ADMIN_SESSION_COOKIE,
destroyAdminSession,
@ -10,7 +10,9 @@ export async function POST(request: Request) {
const rawToken = cookieStore.get(ADMIN_SESSION_COOKIE)?.value || null
await destroyAdminSession(rawToken)
const response = NextResponse.redirect(new URL("/sign-in", request.url))
const response = NextResponse.redirect(
new URL("/sign-in", await getPublicOrigin(request))
)
response.cookies.set(ADMIN_SESSION_COOKIE, "", {
httpOnly: true,
sameSite: "lax",
@ -21,3 +23,16 @@ export async function POST(request: Request) {
return response
}
async function getPublicOrigin(request: Request) {
const headerStore = await headers()
const forwardedProto = headerStore.get("x-forwarded-proto")
const forwardedHost = headerStore.get("x-forwarded-host")
const host = forwardedHost || headerStore.get("host")
if (host) {
return `${forwardedProto || "https"}://${host}`
}
return new URL(request.url).origin
}
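Review bot: This `getPublicOrigin` is a byte-for-byte copy of the one added in the sign-in route, so the trust decision about proxy headers now lives in two places and any later tightening (host allow-list, comma-list handling) has to be made twice. Move it to a shared module next to `ADMIN_SESSION_COOKIE`/`destroyAdminSession` and import it from both routes, with a header comment such as `// Origin for public-facing redirects; only trust forwarded headers from the proxy, never from the client.` As written, `${forwardedProto || "https"}://${host}` is interpolated into `new URL("/sign-in", ...)` unvalidated, so a malformed or multi-valued `x-forwarded-host` makes the sign-out request throw before the session cookie is cleared; the session itself is already destroyed on the server by then, but the client keeps a stale cookie. The enclosing `POST` handler's cookie options run past the hunk.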