Merge remote-tracking branch 'origin/release/0.7' into fix/auth-api-include-cookie

# Conflicts:
#	app/src/auth/authenticate/Authenticator.ts

app/src/auth/authenticate/Authenticator.ts

@@ -299,8 +299,8 @@ export class Authenticator<Strategies extends Record<string, Strategy> = Record<
       }
    }
 
-   private getSuccessPath(c: Context) {
-      const p = (this.config.cookie.pathSuccess ?? "/").replace(/\/+$/, "/");
+   private getSafeUrl(c: Context, path: string) {
+      const p = path.replace(/\/+$/, "/");
 
       // nextjs doesn't support non-fq urls
       // but env could be proxied (stackblitz), so we shouldn't fq every url
@@ -312,7 +312,7 @@ export class Authenticator<Strategies extends Record<string, Strategy> = Record<
    }
 
    async respond(c: Context, data: AuthResponse | Error | any, redirect?: string) {
-      const successUrl = this.getSuccessPath(c);
+      const successUrl = this.getSafeUrl(c, redirect ?? this.config.cookie.pathSuccess ?? "/");
       const referer = redirect ?? c.req.header("Referer") ?? successUrl;
       //console.log("auth respond", { redirect, successUrl, successPath });
 

app/src/auth/authenticate/strategies/PasswordStrategy.ts

@@ -1,4 +1,5 @@
 import type { Authenticator, Strategy } from "auth";
+import { isDebug, tbValidator as tb } from "core";
 import { type Static, StringEnum, Type, parse } from "core/utils";
 import { hash } from "core/utils";
 import { type Context, Hono } from "hono";
@@ -56,26 +57,56 @@ export class PasswordStrategy implements Strategy {
       const hono = new Hono();
 
       return hono
-         .post("/login", async (c) => {
-            const body = await authenticator.getBody(c);
+         .post(
+            "/login",
+            tb(
+               "query",
+               Type.Object({
+                  redirect: Type.Optional(Type.String())
+               })
+            ),
+            async (c) => {
+               const body = await authenticator.getBody(c);
+               const { redirect } = c.req.valid("query");
 
-            try {
-               const payload = await this.login(body);
-               const data = await authenticator.resolve("login", this, payload.password, payload);
+               try {
+                  const payload = await this.login(body);
+                  const data = await authenticator.resolve(
+                     "login",
+                     this,
+                     payload.password,
+                     payload
+                  );
 
-               return await authenticator.respond(c, data);
-            } catch (e) {
-               return await authenticator.respond(c, e);
+                  return await authenticator.respond(c, data, redirect);
+               } catch (e) {
+                  return await authenticator.respond(c, e);
+               }
             }
-         })
-         .post("/register", async (c) => {
-            const body = await authenticator.getBody(c);
+         )
+         .post(
+            "/register",
+            tb(
+               "query",
+               Type.Object({
+                  redirect: Type.Optional(Type.String())
+               })
+            ),
+            async (c) => {
+               const body = await authenticator.getBody(c);
+               const { redirect } = c.req.valid("query");
 
-            const payload = await this.register(body);
-            const data = await authenticator.resolve("register", this, payload.password, payload);
+               const payload = await this.register(body);
+               const data = await authenticator.resolve(
+                  "register",
+                  this,
+                  payload.password,
+                  payload
+               );
 
-            return await authenticator.respond(c, data);
-         });
+               return await authenticator.respond(c, data, redirect);
+            }
+         );
    }
 
    getActions(): StrategyActions {