fix(login): Validate redirect path

ashquarky · ashquarky · commit 6d8eced05a4c · 2025-06-10T14:09:57.000+10:00
diff --git a/apps/juxtaposition-ui/src/services/juxt-web/routes/web/login.js b/apps/juxtaposition-ui/src/services/juxt-web/routes/web/login.js
@@ -65,7 +65,8 @@ router.post('/', async (req, res) => {
 	res.cookie('access_token', login.accessToken, { domain: cookieDomain, maxAge: expiration });
 	res.cookie('refresh_token', login.refreshToken, { domain: cookieDomain });
 	res.cookie('token_type', 'Bearer', { domain: cookieDomain });
-	res.redirect(redirect);
+
+	res.redirect(/^\/[^/.]/.test(redirect) ? redirect : '/');
 });
 
 module.exports = router;
