Preserve protected app redirects

Author: hollandkevint

apps/web/app/app/layout.tsx

@@ -1,5 +1,7 @@
 import { redirect } from 'next/navigation';
+import { headers } from 'next/headers';
 import { checkBetaAccess } from '@/lib/auth/beta-access';
+import { getProtectedAppRedirectTarget } from '@/lib/auth/app-redirect';
 
 export const dynamic = 'force-dynamic';
 
@@ -9,14 +11,19 @@ export default async function AppLayout({
   children: React.ReactNode;
 }) {
   const { user, betaApproved, status } = await checkBetaAccess();
+  const requestHeaders = await headers();
+  const redirectTarget = getProtectedAppRedirectTarget(
+    requestHeaders.get('x-th-pathname'),
+    requestHeaders.get('x-th-search')
+  );
 
   if (status === 'unavailable') {
     throw new Error('Authentication service unavailable');
   }
 
   // Not authenticated
   if (!user || status === 'unauthenticated') {
-    redirect('/login?redirect=' + encodeURIComponent('/app'));
+    redirect('/login?redirect=' + encodeURIComponent(redirectTarget));
   }
 
   // Authenticated but not approved for beta

apps/web/lib/auth/app-redirect.ts

@@ -0,0 +1,18 @@
+export const APP_REDIRECT_FALLBACK = '/app'
+
+export function isProtectedAppPath(pathname: string) {
+  return pathname === '/app' || pathname.startsWith('/app/')
+}
+
+export function getProtectedAppRedirectTarget(
+  pathname: string | null,
+  search: string | null
+) {
+  const hasSafePathname = pathname != null && isProtectedAppPath(pathname)
+  const safePathname = hasSafePathname
+    ? pathname
+    : APP_REDIRECT_FALLBACK
+  const safeSearch = hasSafePathname && search?.startsWith('?') ? search : ''
+
+  return `${safePathname}${safeSearch}`
+}

apps/web/middleware.ts

@@ -1,8 +1,15 @@
 import { createServerClient } from '@supabase/ssr'
 import { NextResponse, type NextRequest } from 'next/server'
+import { isProtectedAppPath } from './lib/auth/app-redirect'
 
 export async function middleware(request: NextRequest) {
-  let supabaseResponse = NextResponse.next({ request })
+  const requestHeaders = new Headers(request.headers)
+  requestHeaders.set('x-th-pathname', request.nextUrl.pathname)
+  requestHeaders.set('x-th-search', request.nextUrl.search)
+
+  let supabaseResponse = NextResponse.next({
+    request: { headers: requestHeaders },
+  })
   const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL
   const supabaseAnonKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY
 
@@ -20,7 +27,9 @@ export async function middleware(request: NextRequest) {
         },
         setAll(cookiesToSet) {
           cookiesToSet.forEach(({ name, value }) => request.cookies.set(name, value))
-          supabaseResponse = NextResponse.next({ request })
+          supabaseResponse = NextResponse.next({
+            request: { headers: requestHeaders },
+          })
           cookiesToSet.forEach(({ name, value, options }) =>
             supabaseResponse.cookies.set(name, value, options)
           )
@@ -31,7 +40,20 @@ export async function middleware(request: NextRequest) {
 
   // IMPORTANT: getUser() validates JWT and refreshes if needed
   // Do NOT use getSession() - it only validates locally
-  await supabase.auth.getUser()
+  const {
+    data: { user },
+  } = await supabase.auth.getUser()
+
+  if (!user && isProtectedAppPath(request.nextUrl.pathname)) {
+    const url = new URL(request.nextUrl.toString())
+    url.pathname = '/login'
+    url.search = ''
+    url.searchParams.set(
+      'redirect',
+      `${request.nextUrl.pathname}${request.nextUrl.search}`
+    )
+    return NextResponse.redirect(url)
+  }
 
   return supabaseResponse
 }

apps/web/tests/app/app-layout.test.tsx

@@ -0,0 +1,49 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+import AppLayout from '@/app/app/layout'
+import { checkBetaAccess } from '@/lib/auth/beta-access'
+import { headers } from 'next/headers'
+import { redirect } from 'next/navigation'
+
+vi.mock('@/lib/auth/beta-access', () => ({
+  checkBetaAccess: vi.fn(),
+}))
+
+vi.mock('next/headers', () => ({
+  headers: vi.fn(),
+}))
+
+vi.mock('next/navigation', () => ({
+  redirect: vi.fn((url: string) => {
+    throw new Error(`redirect:${url}`)
+  }),
+}))
+
+describe('AppLayout', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+    vi.mocked(headers).mockResolvedValue(new Headers() as never)
+  })
+
+  it('preserves nested protected app routes in the login redirect', async () => {
+    vi.mocked(headers).mockResolvedValue(
+      new Headers([
+        ['x-th-pathname', '/app/admin/beta'],
+        ['x-th-search', ''],
+      ]) as never
+    )
+    vi.mocked(checkBetaAccess).mockResolvedValue({
+      user: null,
+      betaApproved: false,
+      status: 'unauthenticated',
+      isAdmin: false,
+      error: 'No authenticated user',
+    })
+
+    await expect(AppLayout({ children: <div /> })).rejects.toThrow(
+      'redirect:/login?redirect=%2Fapp%2Fadmin%2Fbeta'
+    )
+    expect(redirect).toHaveBeenCalledWith(
+      '/login?redirect=%2Fapp%2Fadmin%2Fbeta'
+    )
+  })
+})

apps/web/tests/integration/middleware-public-routes.test.ts

@@ -13,9 +13,17 @@ const nextResponse = {
   },
 }
 
+const redirectResponse = {
+  status: 307,
+  cookies: {
+    set: vi.fn(),
+  },
+}
+
 vi.mock('next/server', () => ({
   NextResponse: {
     next: vi.fn(() => nextResponse),
+    redirect: vi.fn(() => redirectResponse),
   },
 }))
 
@@ -73,4 +81,40 @@ describe('root middleware public-route resilience', () => {
     )
     expect(getUser).toHaveBeenCalled()
   })
+
+  it('forwards the attempted path to app layout redirects', async () => {
+    delete process.env.NEXT_PUBLIC_SUPABASE_URL
+    delete process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY
+
+    await middleware(requestFor('/app/admin/beta?tab=invites'))
+
+    const { NextResponse } = await import('next/server')
+    const nextOptions = vi.mocked(NextResponse.next).mock.calls[0]?.[0]
+    const headers = nextOptions?.request?.headers
+
+    expect(headers).toBeInstanceOf(Headers)
+    expect(headers?.get('x-th-pathname')).toBe('/app/admin/beta')
+    expect(headers?.get('x-th-search')).toBe('?tab=invites')
+  })
+
+  it('preserves the protected app path in the login redirect', async () => {
+    process.env.NEXT_PUBLIC_SUPABASE_URL = 'https://example.supabase.co'
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY = 'anon-key'
+    vi.mocked(createServerClient).mockReturnValue({
+      auth: {
+        getUser: vi.fn().mockResolvedValue({ data: { user: null }, error: null }),
+      },
+    } as unknown as SupabaseClient)
+
+    const response = await middleware(requestFor('/app/admin/beta'))
+
+    expect(response.status).toBe(307)
+    const { NextResponse } = await import('next/server')
+    expect(NextResponse.redirect).toHaveBeenCalledWith(
+      expect.objectContaining({
+        pathname: '/login',
+        search: `?redirect=${encodeURIComponent('/app/admin/beta')}`,
+      })
+    )
+  })
 })

apps/web/tests/lib/auth/app-redirect.test.ts

@@ -0,0 +1,26 @@
+import { describe, expect, it } from 'vitest'
+import {
+  getProtectedAppRedirectTarget,
+  isProtectedAppPath,
+} from '@/lib/auth/app-redirect'
+
+describe('getProtectedAppRedirectTarget', () => {
+  it('preserves nested app routes and query strings', () => {
+    expect(
+      getProtectedAppRedirectTarget('/app/admin/beta', '?tab=invites')
+    ).toBe('/app/admin/beta?tab=invites')
+  })
+
+  it('keeps the app dashboard as a valid target', () => {
+    expect(getProtectedAppRedirectTarget('/app', '')).toBe('/app')
+  })
+
+  it('falls back to app dashboard for non-app paths', () => {
+    expect(getProtectedAppRedirectTarget('/login', '?redirect=/evil')).toBe('/app')
+  })
+
+  it('does not treat app-like public paths as protected app routes', () => {
+    expect(isProtectedAppPath('/apple')).toBe(false)
+    expect(isProtectedAppPath('/appetite')).toBe(false)
+  })
+})