What is the correct way to implement the next query param in auth/confirm routes?
In the auth/confirm routes for Supabase UI the "next" search param is only used if it starts with /.
In the Supabase SSR docs it just uses it as is.
If I use the implementation from Supabase UI then it would never work because the redirect URL needs to have the full domain in it.
I don't think it would be a security issue because that URL can only ever be from the allowed URL list. Am I missing something?
6 Replies
Does it have to have the full domain in it? I'm not too familiar with Next, but these docs mention redirect used only for the path: https://nextjs.org/docs/app/api-reference/functions/redirect
No, not for the Next.js part. Supabase only allows the fully qualified URL for the redirectTo when new signups or forgot-password requests are sent.
The guides are just suggestions; you can modify and change them to match how you work or what works best for you. I came up with the next= using relative paths and then later found that it was better using the fully qualified URL instead. The guides have remained the same since, but it's up to you to choose your adventure.

Got it, thanks! Just checking to make sure I'm not introducing a security hole by just taking whatever next is.
In frameworks like Django they have a lookup table in the app of URLs the redirect can go to. You could do this in your application if you felt someone could inject anything in the next param. I was going to create an example with this but never got around to it.

Yeah, I don't think anyone can. It's being supplied from the emailRedirectTo value in the signUp method, which is checked against the allowed redirect URLs, so I'm pretty sure I'm good, but I only have 24 hours of Supabase experience 😂
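The Django-style lookup table suggested above, written out for an /auth/confirm route handler. This is an added example, not code from the thread, from Supabase UI or from the Supabase SSR docs. It assumes a hypothetical site origin (SITE_ORIGIN) and a hypothetical allow list (ALLOWED_ORIGINS) that mirrors the "Redirect URLs" configured in the Supabase dashboard; `verify` stands in for `supabase.auth.verifyOtp` so the code runs offline. The reason to keep the check in the app, whatever Supabase validates when the email is sent, is that `next` arrives as an ordinary query parameter on the app's own route, and a bare `startsWith("/")` test still accepts protocol-relative values such as `//evil.example`. Resolving `next` against the site origin and comparing the resulting origin with the allow list handles both the relative-path form and the fully qualified form discussed in the thread.

```typescript
// Added example (not from the thread or from Supabase). Hypothetical values:
// SITE_ORIGIN is the app's own origin; ALLOWED_ORIGINS mirrors the Supabase
// "Redirect URLs" list and plays the role of Django's redirect lookup table.
const SITE_ORIGIN = "https://app.example.com";
const ALLOWED_ORIGINS: ReadonlySet<string> = new Set([
  SITE_ORIGIN,
  "https://staging.example.com",
]);

/**
 * Turn the raw `next` value into an absolute URL that is safe to redirect to.
 * Returns SITE_ORIGIN + fallbackPath when `next` is absent, unparsable, not
 * http(s), or resolves to an origin outside ALLOWED_ORIGINS.
 *
 * Relative paths ("/dashboard") resolve against SITE_ORIGIN and pass.
 * Fully qualified URLs pass only if their origin is on the list.
 * "//evil.example" and "/\evil.example" both resolve to an origin of
 * https://evil.example, so the origin comparison rejects them even though a
 * startsWith("/") check would let them through.
 */
function resolveNext(
  next: string | null | undefined,
  fallbackPath: string = "/",
): string {
  const fallback = new URL(fallbackPath, SITE_ORIGIN).toString();
  if (!next) return fallback;

  let target: URL;
  try {
    target = new URL(next, SITE_ORIGIN); // WHATWG parsing, same as browsers
  } catch {
    return fallback; // unparsable input
  }

  // Only http(s) targets; javascript:, data:, etc. have origin "null" anyway,
  // but the explicit check makes the intent obvious to the next reader.
  if (target.protocol !== "https:" && target.protocol !== "http:") {
    return fallback;
  }
  // Exact origin match: defeats "https://app.example.com.evil.example" and
  // "https://app.example.com@evil.example", which a string prefix check accepts.
  if (!ALLOWED_ORIGINS.has(target.origin)) {
    return fallback;
  }
  return target.toString();
}

/**
 * Sketch of the confirm route's decision: verify the token, then pick the
 * redirect target. `verify` is injected in place of
 * supabase.auth.verifyOtp({ type, token_hash }) so this runs without a
 * Supabase client. "/auth/error" is a hypothetical error page.
 */
async function confirmRedirectTarget(
  requestUrl: string,
  verify: (tokenHash: string, type: string) => Promise<boolean>,
): Promise<string> {
  const { searchParams } = new URL(requestUrl);
  const tokenHash = searchParams.get("token_hash");
  const type = searchParams.get("type");
  if (!tokenHash || !type) return resolveNext("/auth/error");

  const ok = await verify(tokenHash, type);
  // `next` is only consulted after a successful verification, and even then
  // it goes through the allow list rather than straight into redirect().
  return ok ? resolveNext(searchParams.get("next")) : resolveNext("/auth/error");
}
```

In a real route.ts the returned string would be handed to Next.js `redirect()`; the allow-list comparison is deliberately on `origin`, not on a string prefix, because subdomain and userinfo tricks satisfy a prefix test.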