
chore(web): harden post-auth redirects and legacy URL rewrite#1161

Merged
brendan-kellam merged 2 commits into main from brendan/harden-auth-redirects-SOU-945
Apr 30, 2026

Conversation


@brendan-kellam brendan-kellam commented Apr 30, 2026

Fixes SOU-945

Summary

  • Add an explicit redirect callback to the NextAuth config in packages/web/src/auth.ts. It restricts post-auth redirects (sign-in / sign-out, callbackUrl, redirectTo) to the same origin as the application. This mirrors the documented Auth.js default (reference), but makes the protection visible in code rather than relying on upstream defaults staying stable across major versions.
  • Switch the legacy /~/... rewrite in packages/web/src/proxy.ts from 308 to 301. The rewrite is a backwards-compat shim for v3.0.0–v4.16.8 page URLs, which are virtually all GETs. 301 has matching cache/permanence semantics but downgrades any stray POST to GET and drops the body, which is the right behavior for a path-rewrite shim.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced post-authentication security by restricting login redirects to same-origin URLs only, with fallback handling for invalid targets.
    • Updated redirect HTTP status codes to align with standard behavior.

- Add explicit `redirect` callback to the NextAuth config that pins
  post-auth redirects to the same origin. This mirrors the documented
  Auth.js default but makes the protection visible in code rather than
  relying on upstream defaults.
- Switch the legacy `/~/...` rewrite in `proxy.ts` from 308 to 301.
  The rewrite is a backwards-compat shim for v3.0.0–v4.16.8 page URLs,
  which are virtually all GETs; 301 has matching cache/permanence
  semantics but downgrades any stray POST to GET and drops the body.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

coderabbitai Bot commented Apr 30, 2026

Walkthrough

The pull request updates the authentication redirect behavior and HTTP status codes in the proxy layer. NextAuth's post-authentication redirects are now constrained to same-origin targets through a new redirect callback, and the /~/ rewrite endpoint changes its HTTP redirect code from 308 to 301.

Changes

Cohort: Authentication redirect constraint
Files: CHANGELOG.md, packages/web/src/auth.ts
Summary: Adds a redirect callback to NextAuth configuration that restricts post-auth redirects to same-origin URLs. Relative URLs are converted to absolute URLs using baseUrl; absolute URLs are validated against the base origin before being returned, with fallback to baseUrl for mismatched or malformed URLs.

Cohort: Proxy HTTP status code update
Files: packages/web/src/proxy.ts
Summary: Changes redirect responses for /~/... paths and the /~ endpoint from hardcoded status code 308 to the constant StatusCodes.MOVED_PERMANENTLY (HTTP 301), maintaining the same redirect targets.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • chore(web): Upgrade to next 16 #970: Also modifies packages/web/src/proxy.ts; PR #970 renames the exported function while this PR updates the redirect status code used by the same proxy function.
Pre-merge checks: 5 passed

  • Title check: Passed. The title 'chore(web): harden post-auth redirects and legacy URL rewrite' accurately summarizes the main changes: adding security to post-auth redirects and updating the legacy URL rewrite HTTP status code.
  • Docstring Coverage: Passed. Docstring coverage is 100.00%, which is sufficient. The required threshold is 80.00%.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.

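The page describes the new `redirect` callback in packages/web/src/auth.ts and the 308-to-301 change in packages/web/src/proxy.ts but shows no diff, so the following is an added example written for this page, not code from the PR or the project. It implements the behaviour the PR summary and the walkthrough describe: a NextAuth-style `redirect` callback that resolves relative targets against `baseUrl`, compares the origin of absolute targets with the application origin, and falls back to `baseUrl` when the origin differs or the URL does not parse; plus a legacy-path helper that answers 301. The `RedirectParams` shape follows the Auth.js callback signature, the `/~/foo` to `/foo` path mapping is assumed (the page only says the targets are unchanged), and `MOVED_PERMANENTLY` stands in for the project's `StatusCodes` constant.

```typescript
// Added example for this page; not the project's own auth.ts / proxy.ts code.

/** Argument shape of the NextAuth `redirect` callback (as documented by Auth.js). */
interface RedirectParams {
  url: string;     // requested destination: callbackUrl / redirectTo / sign-out target
  baseUrl: string; // the application's own origin, e.g. "https://app.example.com"
}

/**
 * Same-origin redirect guard. Returns an absolute URL on the application's
 * origin, or baseUrl when the requested target is foreign or malformed.
 */
export function sameOriginRedirect({ url, baseUrl }: RedirectParams): string {
  const base = new URL(baseUrl);
  let target: URL;
  try {
    // A relative target ("/repos?x=1") resolves against baseUrl; an absolute one
    // ("https://...", "//host/...", "javascript:...") is parsed on its own.
    target = new URL(url, base);
  } catch {
    // Unparseable input: send the user to the application root instead of guessing.
    return baseUrl;
  }
  // origin = scheme + host + port. One comparison rejects other hosts, hosts that
  // merely start with ours, protocol-relative "//evil" forms (they resolve to a
  // foreign origin), scheme downgrades (http vs https), other ports, and non-http
  // schemes such as javascript:, whose origin serialises as the string "null".
  if (target.origin !== base.origin) {
    return baseUrl;
  }
  return target.toString();
}

/** HTTP 301; stands in for the page's StatusCodes.MOVED_PERMANENTLY constant. */
export const MOVED_PERMANENTLY = 301;

/**
 * Legacy "/~/..." shim. The "/~/foo" -> "/foo" mapping is an assumption for this
 * example. 301 rather than 308 is deliberate: both are permanent and cacheable,
 * but 301 lets a user agent turn a stray POST into a GET and drop the body,
 * which is what a shim for GET-only page URLs wants, whereas 308 replays the
 * original method and body against the new path.
 */
export function legacyPathRedirect(
  pathname: string,
  search = "",
): { status: number; location: string } | null {
  if (pathname === "/~") {
    return { status: MOVED_PERMANENTLY, location: "/" + search };
  }
  if (pathname.startsWith("/~/")) {
    return { status: MOVED_PERMANENTLY, location: pathname.slice(2) + search };
  }
  return null; // not a legacy URL: let the request through unchanged
}
```

Wired into NextAuth, `sameOriginRedirect` is the body of `callbacks.redirect`. The origin comparison is the whole check; anything that needs string prefix tests on the host is a sign the URL has not been parsed first.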

@brendan-kellam brendan-kellam merged commit 7733ec9 into main Apr 30, 2026
8 checks passed
@brendan-kellam brendan-kellam deleted the brendan/harden-auth-redirects-SOU-945 branch April 30, 2026 03:20