fix: typecheck

fix: also use Route.continue in pin code prompt
chore: use Route helper
2026-05-31 03:45:19 -04:00 · 2026-05-30 15:02:39 -05:00 · 2026-05-30 14:45:09 -05:00 · 2026-05-30 14:42:35 -05:00 · 2026-05-30 13:50:54 -05:00
3 changed files with 12 additions and 2 deletions
@@ -152,4 +152,13 @@ export const Route = {
  // queues
  queues: () => '/admin/queues',
  viewQueue: ({ name }: { name: QueueName }) => `/admin/queues/${asQueueSlug(name)}`,
+
+  // continue helper for ensuring same-origin URLs
+  continue: (url: string | null, fallback: string) => {
+    if (!url || !url.startsWith('/') || url.startsWith('//')) {
+      return fallback;
+    }
+
+    return url;
+  },
 };
@@ -8,7 +8,8 @@ import type { PageLoad } from './$types';
 export const load = (async ({ parent, url }) => {
  await parent();

-  const continueUrl = url.searchParams.get('continue') || Route.photos();
+  const continueUrl = Route.continue(url.searchParams.get('continue'), Route.photos());
+
  if (authManager.authenticated) {
    redirect(307, continueUrl);
  }
@@ -30,7 +30,7 @@

      await new Promise((resolve) => setTimeout(resolve, 1000));

-      await goto(data.continueUrl);
+      await goto(Route.continue(data.continueUrl, Route.photos()));
    } catch (error) {
      handleError(error, $t('wrong_pin_code'));
      isBadPinCode = true;
Author	SHA1	Message	Date
bwees	dc2c01e473	fix: typecheck	2026-05-30 15:02:39 -05:00
bwees	0a3878cfb8	fix: also use Route.continue in pin code prompt	2026-05-30 14:45:09 -05:00
bwees	306df18432	chore: use Route helper	2026-05-30 14:42:35 -05:00
bwees	2ce4d9fa61	fix: disallow cross origin/non http protocols for continueUrl on login	2026-05-30 13:50:54 -05:00