/**
 * Checks the scheme of a URL before it is used as a redirect target.
 *
 * Only `http:` and `https:` URLs are accepted, so script-bearing schemes such
 * as `javascript:` or `data:` are rejected before the URL is used.
 *
 * Security notes:
 * - This is a scheme check only. Host, port and path are not inspected, so it
 *   does not by itself restrict which origin the redirect points to; callers
 *   that need that guarantee must compare the origin against an allow-list.
 * - The "Invalid URL" error embeds the raw input string. Encode or truncate
 *   the message before rendering it in HTML or writing it to logs.
 *
 * @param url - The URL string to validate; it is parsed without a base, so it must be absolute
 * @throws Error if the URL cannot be parsed or its protocol is not HTTP or HTTPS
 */
export function validateRedirectUrl(url: string): void {
  let target: URL
  try {
    target = new URL(url)
  }
  catch {
    // Input that does not parse as an absolute URL is rejected as well.
    throw new Error(`Invalid URL: ${url}`)
  }

  // The URL parser lower-cases the scheme, so an exact match is sufficient.
  const allowedProtocols = ['http:', 'https:']
  if (!allowedProtocols.includes(target.protocol))
    throw new Error('Authorization URL must be HTTP or HTTPS')
}