updates

karissarjacobsen · karissarjacobsen · commit bf317018320f · 2025-06-06T12:43:57.000-07:00
diff --git a/DocuSign.MyAPI/ClientApp/src/app/core/errorhandler.inteceptor.ts b/DocuSign.MyAPI/ClientApp/src/app/core/errorhandler.inteceptor.ts
@@ -40,20 +40,15 @@ export class ErrorHanlderInterceptor implements HttpInterceptor {
           } else if (error.status === 401) {
             this.translateService.get('ERRORS.401').subscribe((res: string) => {
               let snackBarRef = this.notificationService.showInfo(res);
+
               snackBarRef.afterDismissed().subscribe(() => {
-                const allowedHosts = ['myapicalls.sampleapps.docusign.com', 'myapicalls-t.sampleapps.docusign.com']; // Add allowed hostnames here
                 let returnUrl = this.router.url;
-                console.log('returnUrl:', returnUrl); // This will show in the browser console
-                try {
-                  const url = new URL(returnUrl, window.location.origin);
-                  if (!allowedHosts.includes(url.hostname)) {
-                    returnUrl = '/'; // fallback to home if not allowed
-                  }
-                } catch {
+                // Only allow relative paths
+                if (!returnUrl.startsWith('/')) {
                   returnUrl = '/';
                 }
-
-                window.location.href = `/account/login?returnUrl=${encodeURIComponent(returnUrl)}`;
+                window.location.href =
+                  '/account/login?returnUrl=' + returnUrl;
               });
             });
           }
diff --git a/DocuSign.MyAPI/ClientApp/src/app/header/header.component.ts b/DocuSign.MyAPI/ClientApp/src/app/header/header.component.ts
@@ -17,12 +17,18 @@ export class AppHeaderComponent implements OnInit {
   ) {}
 
   ngOnInit(): void {
-    this.router.events.subscribe((event) => {
-      if (event instanceof NavigationEnd) {
-        this.url = this.router.url;
+  this.router.events.subscribe((event) => {
+    if (event instanceof NavigationEnd) {
+      let currentUrl = this.router.url;
+      // Only allow relative paths
+      if (currentUrl.startsWith('/')) {
+        this.url = currentUrl;
+      } else {
+        this.url = '/';
       }
-    });
-  }
+    }
+  });
+}
   get isLoggedIn(): Observable<boolean> {
     return this.accountService.isLoggedIn();
   }
diff --git a/DocuSign.MyAPI/Controllers/AccountController.cs b/DocuSign.MyAPI/Controllers/AccountController.cs
@@ -27,6 +27,11 @@ public async Task<ActionResult<String>> GetAccountId()
         [Route("login")]
         public IActionResult Login(string returnUrl = "/")
         {
+            if (string.IsNullOrEmpty(returnUrl) || !Url.IsLocalUrl(returnUrl))
+            {
+                returnUrl = "/";
+            }
+            
             return Challenge(new AuthenticationProperties() { RedirectUri = returnUrl, AllowRefresh = true });
         }
 

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,11 @@ public async Task<ActionResult<String>> GetAccountId()`
`27`	`27`	`[Route("login")]`
`28`	`28`	`public IActionResult Login(string returnUrl = "/")`
`29`	`29`	`{`
	`30`	`+ if (string.IsNullOrEmpty(returnUrl) \|\| !Url.IsLocalUrl(returnUrl))`
	`31`	`+ {`
	`32`	`+ returnUrl = "/";`
	`33`	`+ }`
	`34`	`+`
`30`	`35`	`return Challenge(new AuthenticationProperties() { RedirectUri = returnUrl, AllowRefresh = true });`
`31`	`36`	`}`
`32`	`37`