From 9508efe8a6bfe94665fc72eaa24f316df7dc2d34 Mon Sep 17 00:00:00 2001
From: Yash Kewlani
Date: Sun, 28 Jun 2026 17:25:25 +0530
Subject: [PATCH] fix(auth): hardcode NEXT_PUBLIC_SITE_URL for OAuth redirect to prevent team-URL hijack

---
 .env.example                 | 1 +
 src/app/login/login-form.tsx | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/.env.example b/.env.example
index ddd82a4..549f753 100644
--- a/.env.example
+++ b/.env.example
@@ -5,6 +5,7 @@
 
 NEXT_PUBLIC_SUPABASE_URL=https://your-project-ref.supabase.co
 NEXT_PUBLIC_SUPABASE_ANON_KEY=your-anon-public-key
+NEXT_PUBLIC_SITE_URL=http://localhost:3000
 
 # ---------------------------------------------------------------------------
 # Analytics (optional)
diff --git a/src/app/login/login-form.tsx b/src/app/login/login-form.tsx
index 0bce45c..5d75acc 100644
--- a/src/app/login/login-form.tsx
+++ b/src/app/login/login-form.tsx
@@ -50,10 +50,11 @@ export function LoginForm() {
   }
 
   async function handleGoogle() {
+    const siteUrl = process.env.NEXT_PUBLIC_SITE_URL ?? window.location.origin;
     const { error } = await supabase.auth.signInWithOAuth({
       provider: "google",
       options: {
-        redirectTo: `${window.location.origin}/auth/callback?next=${encodeURIComponent(next)}`,
+        redirectTo: `${siteUrl}/auth/callback?next=${encodeURIComponent(next)}`,
       },
     });
     if (error) toast.error(error.message);
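Review bot: The new `NEXT_PUBLIC_SITE_URL` line carries no comment saying that it is the origin the OAuth flow returns to, so a deployer copying this file is likely to leave the localhost placeholder or omit the variable entirely, and in login-form.tsx an unset value silently falls back to `window.location.origin`. Add above it `# Canonical public origin used for OAuth redirects; must be the production URL in deployed builds and be listed in the provider's redirect allow-list (Supabase "Redirect URLs")`.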
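Review bot: The `?? window.location.origin` fallback on the added `siteUrl` line re-opens the hijack the commit title says it closes: in any build where NEXT_PUBLIC_SITE_URL is unset (Next.js inlines `NEXT_PUBLIC_*` values at build time, so a missing variable becomes `undefined` with no error), the redirect target is once again whatever origin served the page. Prefer failing closed in that case, surfacing the misconfiguration through the `toast` already used in this hunk rather than continuing with a host-derived origin. A value configured with a trailing slash also produces `//auth/callback`; building the target with `new URL("/auth/callback", siteUrl)` and `searchParams.set("next", next)` avoids both that and the manual encoding. Where `next` comes from is outside the hunk; if it originates from the request's query string, the `/auth/callback` handler must still restrict it to same-origin relative paths, since the provider's redirect allow-list validates only `redirectTo`, not what the callback later does with `next`.
```typescript
  async function handleGoogle() {
    // The canonical origin is fixed at build time; never derive it from the serving host.
    const siteUrl = process.env.NEXT_PUBLIC_SITE_URL;
    if (!siteUrl) {
      toast.error("Sign-in is not configured: NEXT_PUBLIC_SITE_URL is missing");
      return;
    }
    const callback = new URL("/auth/callback", siteUrl);
    callback.searchParams.set("next", next);
    const { error } = await supabase.auth.signInWithOAuth({
      provider: "google",
      options: { redirectTo: callback.toString() },
    });
    // … unchanged: error toast …
```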