From c63ef1c4e92f2601219857e14efa68acfd7a2684 Mon Sep 17 00:00:00 2001
From: MananTank
Date: Mon, 17 Nov 2025 13:09:54 +0000
Subject: [PATCH] [MNY-310] Dashboard: Improve login redirect path validation (#8422)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
## PR-Codex overview
This PR modifies the `isValidEncodedRedirectPath` function to enhance its validation logic for decoded paths, ensuring they start with a single slash and belong to the `thirdweb.com` domain.
### Detailed summary
- Removed comments about decoding URI components and path validation.
- Added a check to ensure `decodedPath` starts with a single slash.
- Introduced a `URL` object to validate that the hostname is `thirdweb.com`.
- Simplified the return logic for invalid paths.
> ✨ Ask PR-Codex anything about this PR by commenting with `/codex {your question}`
## Summary by CodeRabbit
* **Bug Fixes**
* Enhanced login redirect validation to ensure redirects are properly verified and authenticated for the correct domain.
---
 .../src/app/login/isValidEncodedRedirectPath.ts | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/apps/dashboard/src/app/login/isValidEncodedRedirectPath.ts b/apps/dashboard/src/app/login/isValidEncodedRedirectPath.ts
index 79f8255975f..b74f2375d1f 100644
--- a/apps/dashboard/src/app/login/isValidEncodedRedirectPath.ts
+++ b/apps/dashboard/src/app/login/isValidEncodedRedirectPath.ts
@@ -1,10 +1,11 @@
 export function isValidEncodedRedirectPath(encodedPath: string): boolean {
 try {
- // Decode the URI component
 const decodedPath = decodeURIComponent(encodedPath);
- // ensure the path always starts with a _single_ slash
- // double slash could be interpreted as `//example.com` which is not allowed
- return decodedPath.startsWith("/") && !decodedPath.startsWith("//");
+ if (!decodedPath.startsWith("/")) {
+ return false;
+ }
+ const url = new URL(decodedPath, "https://thirdweb.com");
+ return url.hostname === "thirdweb.com";
 } catch {
 // If decoding fails, return false
 return false;
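Review bot: Comparing only `url.hostname` on the last added line ignores the port, so a decoded path such as `//thirdweb.com:8443/x` resolves to a different origin yet still passes; comparing the origin closes that gap and removes the duplicated host literal: `const base = "https://thirdweb.com";` / `const url = new URL(decodedPath, base);` / `return url.origin === base;`. The hunk also drops the comments that explained the old check without replacing them; a short comment above the `new URL` line would help the next reader, e.g. `// Resolve against the dashboard origin: anything the browser would send elsewhere (//host, /\host, tab/newline-stripped variants) ends up with a different origin and is rejected`. Because the function only returns a boolean, the caller must redirect with the same decoded value validated here (or with `url.pathname + url.search + url.hash`), which this hunk cannot guarantee on its own. The function's closing braces lie outside the hunk.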