fix(app-router): encode returnTo in login redirect to prevent OAuth param injection

MegaManSec · MegaManSec · commit 069a70fa1668 · 2025-11-27T16:12:10.000+08:00
URLencode returnTo in appRouteHandlerFactory so the query params don't break out into
/auth/login and get forwarded to /authorize (e.g., scope, audience, etc).

Also obey the local returnTo instead of the global opt.

This bug was found with ZeroPath.

Signed-off-by: Joshua Rogers &lt;MegaManSec@users.noreply.github.com&gt;
diff --git a/src/server/helpers/with-page-auth-required.ts b/src/server/helpers/with-page-auth-required.ts
@@ -196,7 +196,7 @@ export const appRouteHandlerFactory =
           : opts.returnTo;
       const { redirect } = await import("next/navigation.js");
       redirect(
-        `${config.loginUrl}${opts.returnTo ? `?returnTo=${returnTo}` : ""}`
+        `${config.loginUrl}${returnTo ? `?returnTo=${encodeURIComponent(returnTo)}` : ""}`
       );
     }
     return handler(params);

Original file line number	Diff line number	Diff line change
`@@ -196,7 +196,7 @@ export const appRouteHandlerFactory =`
`196`	`196`	`: opts.returnTo;`
`197`	`197`	`const { redirect } = await import("next/navigation.js");`
`198`	`198`	`redirect(`
`199`		- `${config.loginUrl}${opts.returnTo ? `?returnTo=${returnTo}` : ""}`
	`199`	+ `${config.loginUrl}${returnTo ? `?returnTo=${encodeURIComponent(returnTo)}` : ""}`
`200`	`200`	`);`
`201`	`201`	`}`
`202`	`202`	`return handler(params);`