a few tweaks via CodeRabbit

Author: ericallam

apps/webapp/app/routes/auth.github.ts

@@ -1,16 +1,19 @@
 import { type ActionFunction, type LoaderFunction, redirect, createCookie } from "@remix-run/node";
 import { authenticator } from "~/services/auth.server";
+import { env } from "~/env.server";
+import { sanitizeRedirectPath } from "~/utils";
 
 export let loader: LoaderFunction = () => redirect("/login");
 
 export let action: ActionFunction = async ({ request }) => {
   const url = new URL(request.url);
   const redirectTo = url.searchParams.get("redirectTo");
+  const safeRedirect = sanitizeRedirectPath(redirectTo, "/");
 
   try {
     // call authenticate as usual, in successRedirect use returnTo or a fallback
     return await authenticator.authenticate("github", request, {
-      successRedirect: redirectTo ?? "/",
+      successRedirect: safeRedirect,
       failureRedirect: "/login",
     });
   } catch (error) {
@@ -19,8 +22,8 @@ export let action: ActionFunction = async ({ request }) => {
     // if the error is a Response and is a redirect
     if (error instanceof Response) {
       // we need to append a Set-Cookie header with a cookie storing the
-      // returnTo value
-      error.headers.append("Set-Cookie", await redirectCookie.serialize(redirectTo));
+      // returnTo value (store the sanitized path)
+      error.headers.append("Set-Cookie", await redirectCookie.serialize(safeRedirect));
     }
     throw error;
   }
@@ -29,4 +32,6 @@ export let action: ActionFunction = async ({ request }) => {
 export const redirectCookie = createCookie("redirect-to", {
   maxAge: 60 * 60, // 1 hour
   httpOnly: true,
+  sameSite: "lax",
+  secure: env.NODE_ENV === "production",
 });

apps/webapp/app/routes/auth.google.ts

@@ -1,16 +1,19 @@
 import { type ActionFunction, type LoaderFunction, redirect, createCookie } from "@remix-run/node";
 import { authenticator } from "~/services/auth.server";
+import { env } from "~/env.server";
+import { sanitizeRedirectPath } from "~/utils";
 
 export let loader: LoaderFunction = () => redirect("/login");
 
 export let action: ActionFunction = async ({ request }) => {
   const url = new URL(request.url);
   const redirectTo = url.searchParams.get("redirectTo");
+  const safeRedirect = sanitizeRedirectPath(redirectTo, "/");
 
   try {
     // call authenticate as usual, in successRedirect use returnTo or a fallback
     return await authenticator.authenticate("google", request, {
-      successRedirect: redirectTo ?? "/",
+      successRedirect: safeRedirect,
       failureRedirect: "/login",
     });
   } catch (error) {
@@ -19,8 +22,8 @@ export let action: ActionFunction = async ({ request }) => {
     // if the error is a Response and is a redirect
     if (error instanceof Response) {
       // we need to append a Set-Cookie header with a cookie storing the
-      // returnTo value
-      error.headers.append("Set-Cookie", await redirectCookie.serialize(redirectTo));
+      // returnTo value (store the sanitized path)
+      error.headers.append("Set-Cookie", await redirectCookie.serialize(safeRedirect));
     }
     throw error;
   }
@@ -29,5 +32,7 @@ export let action: ActionFunction = async ({ request }) => {
 export const redirectCookie = createCookie("google-redirect-to", {
   maxAge: 60 * 60, // 1 hour
   httpOnly: true,
+  sameSite: "lax",
+  secure: env.NODE_ENV === "production",
 });
 

apps/webapp/app/services/lastAuthMethod.server.ts

@@ -1,4 +1,5 @@
 import { createCookie } from "@remix-run/node";
+import { env } from "~/env.server";
 
 export type LastAuthMethod = "github" | "google" | "email";
 
@@ -7,7 +8,7 @@ export const lastAuthMethodCookie = createCookie("last-auth-method", {
   maxAge: 60 * 60 * 24 * 365, // 1 year
   httpOnly: true,
   sameSite: "lax",
-  secure: process.env.NODE_ENV === "production",
+  secure: env.NODE_ENV === "production",
 });
 
 export async function getLastAuthMethod(request: Request): Promise<LastAuthMethod | null> {