Bug fix: When getting logged out, logging back in redirected you to /resources/platform-changelogs

Root cause recap: Background fetcher (useRecentChangelogs polling /resources/platform-changelogs every 60s) was the first thing to hit requireUserId after a session loss. That stuffed its own URL into ?redirectTo=..., the login flow stored it in a cookie, and /magic faithfully redirected the user to a JSON-only fetcher route after sign-in → blank page. Pre-existing bug, surfaced more often by the new session-expiry feature. Fixed by sanitizing redirectTo at three layers.

Author: samejr

apps/webapp/app/routes/login.magic/route.tsx

@@ -23,6 +23,7 @@ import { TextLink } from "~/components/primitives/TextLink";
 import { authenticator } from "~/services/auth.server";
 import { commitSession, getUserSession } from "~/services/sessionStorage.server";
 import { setRedirectTo, commitSession as commitRedirectSession } from "~/services/redirectTo.server";
+import { sanitizeRedirectPath } from "~/utils";
 import {
   checkMagicLinkEmailRateLimit,
   checkMagicLinkEmailDailyRateLimit,
@@ -60,11 +61,14 @@ export async function loader({ request }: LoaderFunctionArgs) {
   const session = await getUserSession(request);
   const error = session.get("auth:error");
 
-  // Get redirectTo from URL params and store in session if present
+  // Get redirectTo from URL params and store in session if present.
+  // Sanitize to drop non-page paths (fetcher routes, callbacks) which would
+  // render blank if the user was sent there post-login.
   const url = new URL(request.url);
-  const redirectTo = url.searchParams.get("redirectTo");
+  const sanitized = sanitizeRedirectPath(url.searchParams.get("redirectTo"));
+  const redirectTo = sanitized === "/" ? null : sanitized;
   const headers = new Headers();
-  
+
   if (redirectTo) {
     const redirectSession = await setRedirectTo(request, redirectTo);
     headers.append("Set-Cookie", await commitRedirectSession(redirectSession));

apps/webapp/app/routes/magic.tsx

@@ -8,9 +8,13 @@ import { getRedirectTo } from "~/services/redirectTo.server";
 import { commitSession, getSession } from "~/services/sessionStorage.server";
 import { commitAuthenticatedSession } from "~/services/sessionDuration.server";
 import { trackAndClearReferralSource } from "~/services/referralSource.server";
+import { sanitizeRedirectPath } from "~/utils";
 
 export async function loader({ request }: LoaderFunctionArgs) {
-  const redirectTo = await getRedirectTo(request);
+  // Defense-in-depth: sanitize the cookie value to drop non-page paths in case
+  // a stale cookie from before sanitization shipped is still in the browser.
+  const sanitized = sanitizeRedirectPath(await getRedirectTo(request));
+  const redirectTo = sanitized === "/" ? undefined : sanitized;
 
   const auth = await authenticator.authenticate("email-link", request, {
     failureRedirect: "/login/magic", // If auth fails, the failureRedirect will be thrown as a Response

apps/webapp/app/services/session.server.ts

@@ -1,5 +1,6 @@
 import { redirect } from "@remix-run/node";
 import { getUserById } from "~/models/user.server";
+import { sanitizeRedirectPath } from "~/utils";
 import { authenticator } from "./auth.server";
 import { getImpersonationId } from "./impersonation.server";
 import { getEffectiveSessionDuration, isSessionExpired } from "./sessionDuration.server";
@@ -50,9 +51,11 @@ export async function requireUserId(request: Request, redirectTo?: string) {
   const userId = await getUserId(request);
   if (!userId) {
     const url = new URL(request.url);
-    const searchParams = new URLSearchParams([
-      ["redirectTo", redirectTo ?? `${url.pathname}${url.search}`],
-    ]);
+    // Only propagate the originating URL when it's a real user-navigable page.
+    // Fetcher endpoints (e.g. /resources/*) and auth callbacks would render
+    // blank or loop if used as a post-login destination.
+    const finalRedirectTo = sanitizeRedirectPath(redirectTo ?? `${url.pathname}${url.search}`);
+    const searchParams = new URLSearchParams([["redirectTo", finalRedirectTo]]);
     throw redirect(`/login?${searchParams}`);
   }
   return userId;

apps/webapp/app/utils.ts

@@ -3,10 +3,22 @@ import { useMatches } from "@remix-run/react";
 
 const DEFAULT_REDIRECT = "/";
 
+// Pathnames that are NOT user-navigable destinations: fetcher endpoints,
+// OAuth/auth callbacks, JSON APIs, the magic-link redemption route, and the
+// auth flow routes themselves (which would create a redirect loop).
+const NON_NAVIGABLE_PREFIXES = ["/resources/", "/auth/", "/admin/", "/api/", "/engine/"];
+const NON_NAVIGABLE_EXACT = new Set(["/magic", "/logout", "/login", "/login/magic", "/login/mfa"]);
+
+function isNavigablePath(pathname: string): boolean {
+  if (NON_NAVIGABLE_EXACT.has(pathname)) return false;
+  return !NON_NAVIGABLE_PREFIXES.some((prefix) => pathname.startsWith(prefix));
+}
+
 /**
  * This should be used any time the redirect path is user-provided
  * (Like the query string on our login/signup pages). This avoids
- * open-redirect vulnerabilities.
+ * open-redirect vulnerabilities and prevents redirecting users to
+ * non-page routes (e.g. fetcher endpoints) that would render blank.
  * @param {string} path The redirect destination
  * @param {string} defaultRedirect The redirect to use if the to is unsafe.
  */
@@ -28,16 +40,21 @@ export function sanitizeRedirectPath(
     return defaultRedirect;
   } catch {}
 
+  let parsed: URL;
   try {
     // ensure it's a valid relative path
-    const url = new URL(path, "https://example.com");
-    if (url.hostname !== "example.com") {
+    parsed = new URL(path, "https://example.com");
+    if (parsed.hostname !== "example.com") {
       return defaultRedirect;
     }
   } catch {
     return defaultRedirect;
   }
 
+  if (!isNavigablePath(parsed.pathname)) {
+    return defaultRedirect;
+  }
+
   return path;
 }