svemagie.net/indiekit-server
1
0
Fork 0
Code Issues 1 Actions Packages Projects Releases Activity

Normalize legacy /admin redirect query targets in auth callback

Browse Source
This commit is contained in:
svemagie
2026-03-08 04:49:56 +01:00
parent acb8afc794
commit da2bf87ad3
2 changed files with 22 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+1
View File
@@ -5,6 +5,7 @@
- The IndieKit admin uses root auth/session paths (for example: `/session/login`, `/auth`, `/auth/new-password`). - The IndieKit admin uses root auth/session paths (for example: `/session/login`, `/auth`, `/auth/new-password`).
- Legacy `/admin` request paths are normalized to root login redirects (for example `/admin/posts` -> `/session/login?redirect=/posts`) to avoid post-login dead-end targets. - Legacy `/admin` request paths are normalized to root login redirects (for example `/admin/posts` -> `/session/login?redirect=/posts`) to avoid post-login dead-end targets.
- Legacy auth/session aliases are redirected directly (for example `/admin/auth/new-password` -> `/auth/new-password`, `/admin/session/login` -> `/session/login`). - Legacy auth/session aliases are redirected directly (for example `/admin/auth/new-password` -> `/auth/new-password`, `/admin/session/login` -> `/session/login`).
- Legacy redirect query targets are normalized as well (for example `/session/login?redirect=/admin/posts` becomes post-login redirect to `/posts`).
- Login page now auto-continues to the password consent screen by default. Add `?noautocontinue=1` to `/session/login` if you want to keep the manual button step. - Login page now auto-continues to the password consent screen by default. Add `?noautocontinue=1` to `/session/login` if you want to keep the manual button step.
- Login uses `PASSWORD_SECRET` (bcrypt hash), not `INDIEKIT_PASSWORD`. - Login uses `PASSWORD_SECRET` (bcrypt hash), not `INDIEKIT_PASSWORD`.
- If no `PASSWORD_SECRET` exists yet, open `/auth/new-password` once to generate it. - If no `PASSWORD_SECRET` exists yet, open `/auth/new-password` once to generate it.
scripts/patch-indieauth-devmode-guard.mjs
+21
View File
@@ -14,6 +14,20 @@ const newDevModeCode = `if (devMode && process.env.INDIEKIT_ALLOW_DEV_AUTH === "
request.session.scope = "create update delete media"; request.session.scope = "create update delete media";
} else if (!process.env.PASSWORD_SECRET) {`; } else if (!process.env.PASSWORD_SECRET) {`;
const newCallbackRedirectCode = ` const { redirect } = request.query;
const requestedRedirect =
typeof redirect === "string" ? redirect : "";
const normalizedRedirect =
requestedRedirect === "/admin"
? "/"
: requestedRedirect.replace(/^\\/admin(?=\\/)/, "");
this.redirectUri = normalizedRedirect
? \`\${callbackUrl}?redirect=\${normalizedRedirect}\`
: \`\${callbackUrl}\`;`;
const oldCallbackRedirectRegex =
/const \{ redirect \} = request\.query;\n\s+this\.redirectUri = redirect\n\s+\? `\$\{callbackUrl\}\?redirect=\$\{redirect\}`\n\s+: `\$\{callbackUrl\}`;/m;
const newLoginRedirectCode = ` if (request.method === "GET") { const newLoginRedirectCode = ` if (request.method === "GET") {
const directAlias = request.originalUrl.replace( const directAlias = request.originalUrl.replace(
/^\\/admin\\/(auth|session)(?=\\/|$)/, /^\\/admin\\/(auth|session)(?=\\/|$)/,
@@ -63,6 +77,13 @@ for (const filePath of candidates) {
updated = updated.replace(oldDevModeCode, newDevModeCode); updated = updated.replace(oldDevModeCode, newDevModeCode);
} }
if (
!updated.includes("const normalizedRedirect =") &&
oldCallbackRedirectRegex.test(updated)
) {
updated = updated.replace(oldCallbackRedirectRegex, newCallbackRedirectCode);
}
if (!updated.includes("const directAlias = request.originalUrl.replace(")) { if (!updated.includes("const directAlias = request.originalUrl.replace(")) {
for (const regex of oldLoginRedirectRegexes) { for (const regex of oldLoginRedirectRegexes) {
if (regex.test(updated)) { if (regex.test(updated)) {