From 0594046e74d4d58cb0601010bdc3c940a55f9eba Mon Sep 17 00:00:00 2001 From: Sebastian Hasler Date: Tue, 6 Feb 2024 21:57:55 +0100 Subject: [PATCH] fix: handle cross-origin redirects in server function redirect hook In client-side navigation we now handle redirects returned from server functions by resolving the location against the current origin as a base. The base is only relevant if the location doesn't already include an origin. This fixes cross-origin redirects. Note: in order to handle redirects in the same way as the browser would handle them, we need to use the server function's URL (typically `/api/something`) as a base. I leave this as a TODO for a future leptos version, because it probably requires changing the signature of the `server_fn` redirect hook. In order to not be affected by a future breaking change, users should already start making sure that their redirect locations either include an origin or at least start with a single slash (e.g. `Location: /foo`). --- router/src/components/form.rs | 16 ++++++++++------ router/src/components/router.rs | 32 +++++++++++++++++++++----------- router/src/hooks.rs | 29 +++++++++++++++++++++++++++-- server_fn/src/redirect.rs | 6 +++--- 4 files changed, 61 insertions(+), 22 deletions(-) diff --git a/router/src/components/form.rs b/router/src/components/form.rs index b128ac8306..98e90408a9 100644 --- a/router/src/components/form.rs +++ b/router/src/components/form.rs @@ -1,6 +1,6 @@ use crate::{ - hooks::has_router, use_navigate, use_resolved_path, NavigateOptions, - ToHref, Url, + hooks::has_router, resolve_redirect_url, use_navigate, use_resolved_path, + NavigateOptions, ToHref, Url, }; use leptos::{ html::form, @@ -447,8 +447,10 @@ where { let has_router = has_router(); if !has_router { - _ = server_fn::redirect::set_redirect_hook(|path: &str| { - _ = window().location().set_href(path); + _ = server_fn::redirect::set_redirect_hook(|loc: &str| { + if let Some(url) = resolve_redirect_url(loc) { + _ = window().location().set_href(&url.href()); + } }); } let action_url = if let Some(url) = action.url() { @@ -545,8 +547,10 @@ where { let has_router = has_router(); if !has_router { - _ = server_fn::redirect::set_redirect_hook(|path: &str| { - _ = window().location().set_href(path); + _ = server_fn::redirect::set_redirect_hook(|loc: &str| { + if let Some(url) = resolve_redirect_url(loc) { + _ = window().location().set_href(&url.href()); + } }); } let action_url = if let Some(url) = action.url() { diff --git a/router/src/components/router.rs b/router/src/components/router.rs index 55056a7b2a..5ec2e04c3f 100644 --- a/router/src/components/router.rs +++ b/router/src/components/router.rs @@ -1,7 +1,7 @@ use crate::{ - create_location, matching::resolve_path, scroll_to_el, use_location, - use_navigate, Branch, History, Location, LocationChange, RouteContext, - RouterIntegrationContext, State, + create_location, matching::resolve_path, resolve_redirect_url, + scroll_to_el, use_location, use_navigate, Branch, History, Location, + LocationChange, RouteContext, RouterIntegrationContext, State, }; #[cfg(not(feature = "ssr"))] use crate::{unescape, Url}; @@ -24,6 +24,7 @@ use std::{ use thiserror::Error; #[cfg(not(feature = "ssr"))] use wasm_bindgen::JsCast; +use wasm_bindgen::UnwrapThrowExt; static GLOBAL_ROUTERS_COUNT: AtomicUsize = AtomicUsize::new(0); @@ -56,15 +57,24 @@ pub fn Router( // set server function redirect hook let navigate = use_navigate(); let navigate = SendWrapper::new(navigate); - let router_hook = Box::new(move |path: &str| { - let path = path.to_string(); - // delay by a tick here, so that the Action updates *before* the redirect - request_animation_frame({ + let router_hook = Box::new(move |loc: &str| { + let Some(url) = resolve_redirect_url(loc) else { + return; // resolve_redirect_url() already logs an error + }; + let current_origin = + leptos_dom::helpers::location().origin().unwrap_throw(); + if url.origin() == current_origin { let navigate = navigate.clone(); - move || { - navigate(&path, Default::default()); - } - }); + // delay by a tick here, so that the Action updates *before* the redirect + request_animation_frame(move || { + navigate(&url.pathname(), Default::default()); + }); + // Use set_href() if the conditions for client-side navigation were not satisfied + } else if let Err(e) = + leptos_dom::helpers::location().set_href(&url.href()) + { + leptos::logging::error!("Failed to redirect: {e:#?}"); + } }) as RedirectHook; _ = server_fn::redirect::set_redirect_hook(router_hook); diff --git a/router/src/hooks.rs b/router/src/hooks.rs index d9a9fc1236..0c53689ac5 100644 --- a/router/src/hooks.rs +++ b/router/src/hooks.rs @@ -3,8 +3,8 @@ use crate::{ RouterContext, }; use leptos::{ - create_memo, request_animation_frame, signal_prelude::*, use_context, Memo, - Oco, + create_memo, request_animation_frame, signal_prelude::*, use_context, + window, Memo, Oco, }; use std::{rc::Rc, str::FromStr}; @@ -216,3 +216,28 @@ pub(crate) fn use_is_back_navigation() -> ReadSignal { let router = use_router(); router.inner.is_back.read_only() } + +/// Resolves a redirect location to an (absolute) URL. +pub(crate) fn resolve_redirect_url(loc: &str) -> Option { + let origin = match window().location().origin() { + Ok(origin) => origin, + Err(e) => { + leptos::logging::error!("Failed to get origin: {:#?}", e); + return None; + } + }; + + // TODO: Use server function's URL as base instead. + let base = origin; + + match web_sys::Url::new_with_base(loc, &base) { + Ok(url) => Some(url), + Err(e) => { + leptos::logging::error!( + "Invalid redirect location: {}", + e.as_string().unwrap_or_default(), + ); + None + } + } +} diff --git a/server_fn/src/redirect.rs b/server_fn/src/redirect.rs index aa279d3936..e20968a115 100644 --- a/server_fn/src/redirect.rs +++ b/server_fn/src/redirect.rs @@ -25,9 +25,9 @@ pub fn set_redirect_hook( REDIRECT_HOOK.set(Box::new(hook)) } -/// Calls the hook that has been set by [`set_redirect_hook`] to redirect to `path`. -pub fn call_redirect_hook(path: &str) { +/// Calls the hook that has been set by [`set_redirect_hook`] to redirect to `loc`. +pub fn call_redirect_hook(loc: &str) { if let Some(hook) = REDIRECT_HOOK.get() { - hook(path) + hook(loc) } }