From 4828f044fa92cd2ea0bac8f973339910ee57d999 Mon Sep 17 00:00:00 2001
From: DMleadgen
Date: Thu, 16 Apr 2026 11:11:29 -0600
Subject: [PATCH] fix: use public admin auth redirects

---
 app/api/admin/auth/login/route.ts | 24 +++++++++++++++++++++---
 app/api/admin/auth/logout/route.ts | 19 +++++++++++++++++--
 2 files changed, 38 insertions(+), 5 deletions(-)

diff --git a/app/api/admin/auth/login/route.ts b/app/api/admin/auth/login/route.ts
index 28da8495..fb9c0b1b 100644
--- a/app/api/admin/auth/login/route.ts
+++ b/app/api/admin/auth/login/route.ts
@@ -1,3 +1,4 @@
+import { headers } from "next/headers"
 import { NextResponse } from "next/server"
 import {
 ADMIN_SESSION_COOKIE,
@@ -8,7 +9,9 @@ import {
 export async function POST(request: Request) {
 if (!isAdminCredentialLoginConfigured()) {
- return NextResponse.redirect(new URL("/sign-in?error=config", request.url))
+ return NextResponse.redirect(
+ new URL("/sign-in?error=config", await getPublicOrigin(request))
+ )
 }
 const formData = await request.formData()
@@ -19,12 +22,14 @@ export async function POST(request: Request) {
 if (!isAdminCredentialMatch(email, password)) {
 return NextResponse.redirect(
- new URL("/sign-in?error=invalid", request.url)
+ new URL("/sign-in?error=invalid", await getPublicOrigin(request))
 )
 }
 const session = await createAdminSession(email)
- const response = NextResponse.redirect(new URL("/admin", request.url))
+ const response = NextResponse.redirect(
+ new URL("/admin", await getPublicOrigin(request))
+ )
 response.cookies.set(ADMIN_SESSION_COOKIE, session.token, {
 httpOnly: true,
 sameSite: "lax",
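Review bot: `await getPublicOrigin(request)` is evaluated separately at each of the three redirect sites in POST (the `/sign-in?error=config` return in this hunk and the `/sign-in?error=invalid` and `/admin` redirects in the next one), so the headers are re-read and the origin rebuilt up to three times per request. Computing it once at the top of the handler, `const origin = await getPublicOrigin(request)`, and passing `origin` to each `new URL(...)` guarantees the three redirects agree and reads more cleanly. The body of POST continues outside these hunks.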
@@ -35,3 +40,16 @@ export async function POST(request: Request) {
 return response
 }
+
+async function getPublicOrigin(request: Request) {
+ const headerStore = await headers()
+ const forwardedProto = headerStore.get("x-forwarded-proto")
+ const forwardedHost = headerStore.get("x-forwarded-host")
+ const host = forwardedHost || headerStore.get("host")
+
+ if (host) {
+ return `${forwardedProto || "https"}://${host}`
+ }
+
+ return new URL(request.url).origin
+}
diff --git a/app/api/admin/auth/logout/route.ts b/app/api/admin/auth/logout/route.ts
index 94bd0dbd..ba8a9cea 100644
--- a/app/api/admin/auth/logout/route.ts
+++ b/app/api/admin/auth/logout/route.ts
@@ -1,5 +1,5 @@
 import { NextResponse } from "next/server"
-import { cookies } from "next/headers"
+import { cookies, headers } from "next/headers"
 import {
 ADMIN_SESSION_COOKIE,
 destroyAdminSession,
@@ -10,7 +10,9 @@ export async function POST(request: Request) {
 const rawToken = cookieStore.get(ADMIN_SESSION_COOKIE)?.value || null
 await destroyAdminSession(rawToken)
- const response = NextResponse.redirect(new URL("/sign-in", request.url))
+ const response = NextResponse.redirect(
+ new URL("/sign-in", await getPublicOrigin(request))
+ )
 response.cookies.set(ADMIN_SESSION_COOKIE, "", {
 httpOnly: true,
 sameSite: "lax",
@@ -21,3 +23,16 @@ export async function POST(request: Request) {
 return response
 }
+
+async function getPublicOrigin(request: Request) {
+ const headerStore = await headers()
+ const forwardedProto = headerStore.get("x-forwarded-proto")
+ const forwardedHost = headerStore.get("x-forwarded-host")
+ const host = forwardedHost || headerStore.get("host")
+
+ if (host) {
+ return `${forwardedProto || "https"}://${host}`
+ }
+
+ return new URL(request.url).origin
+}
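Review bot: getPublicOrigin builds the redirect base from `x-forwarded-host`, `x-forwarded-proto` and `host` without checking them against anything the application itself knows, so whoever can set those request headers decides where the post-login redirect (and the `/sign-in` error redirects) points; that is only safe if every path to this handler passes through a proxy that overwrites them, which the hunk cannot establish. The identical helper added to app/api/admin/auth/logout/route.ts in the last hunk has the same exposure. I would honor a forwarded host only when it matches a configured allowlist of the site's public host names, accept only `http`/`https` as the scheme (`forwardedProto || "https"` currently passes any string into the URL base), and take the first element of a comma-separated `x-forwarded-*` value since some proxies append rather than replace; otherwise fall back to `request.url` as the code already does. The function itself is fully inside the hunk.
```typescript
async function getPublicOrigin(request: Request) {
  const headerStore = await headers()
  // Proxies may append to these headers; only the first value is the edge's.
  const forwardedProto = headerStore.get("x-forwarded-proto")?.split(",")[0]?.trim()
  const forwardedHost = headerStore.get("x-forwarded-host")?.split(",")[0]?.trim()
  const host = forwardedHost || headerStore.get("host")

  // ALLOWED_PUBLIC_HOSTS is a placeholder name: a Set<string> of the site's
  // public host names, populated from deployment configuration, never from the request.
  if (host && ALLOWED_PUBLIC_HOSTS.has(host)) {
    const proto = forwardedProto === "http" ? "http" : "https"
    return `${proto}://${host}`
  }

  return new URL(request.url).origin
}
```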
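Review bot: This is a verbatim second copy of getPublicOrigin; the login route's copy was added in an earlier hunk of this patch, and two private copies of origin-derivation logic are exactly the kind of code that drifts when one of them is later hardened. Moving the helper into a shared module under the admin auth code and importing it from both routes keeps one place to review. Note also that the handler already holds `request`, so `request.headers.get(...)` would give the same header values synchronously and remove the need for the new `headers` import from "next/headers" in both files. The function is fully inside the hunk.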