diff --git a/DocuSign.MyAPI/ClientApp/src/app/core/errorhandler.inteceptor.ts b/DocuSign.MyAPI/ClientApp/src/app/core/errorhandler.inteceptor.ts
index d3878ae..5d90665 100644
--- a/DocuSign.MyAPI/ClientApp/src/app/core/errorhandler.inteceptor.ts
+++ b/DocuSign.MyAPI/ClientApp/src/app/core/errorhandler.inteceptor.ts
@@ -42,8 +42,13 @@ export class ErrorHanlderInterceptor implements HttpInterceptor {
 let snackBarRef = this.notificationService.showInfo(res);
 snackBarRef.afterDismissed().subscribe(() => {
+ let returnUrl = this.router.url;
+ // Only allow relative paths
+ if (!returnUrl.startsWith('/')) {
+ returnUrl = '/';
+ }
 window.location.href =
- '/account/login?returnUrl=' + this.router.url;
+ '/account/login?returnUrl=' + returnUrl;
 });
 });
 }
diff --git a/DocuSign.MyAPI/ClientApp/src/app/header/header.component.ts b/DocuSign.MyAPI/ClientApp/src/app/header/header.component.ts
index 597eceb..4a9b6fc 100644
--- a/DocuSign.MyAPI/ClientApp/src/app/header/header.component.ts
+++ b/DocuSign.MyAPI/ClientApp/src/app/header/header.component.ts
@@ -19,7 +19,13 @@ export class AppHeaderComponent implements OnInit {
 ngOnInit(): void {
 this.router.events.subscribe((event) => {
 if (event instanceof NavigationEnd) {
- this.url = this.router.url;
+ let currentUrl = this.router.url;
+ // Only allow relative paths
+ if (currentUrl.startsWith('/')) {
+ this.url = currentUrl;
+ } else {
+ this.url = '/';
+ }
 }
 });
 }
diff --git a/DocuSign.MyAPI/Controllers/AccountController.cs b/DocuSign.MyAPI/Controllers/AccountController.cs
index 3ba4a35..ea5f709 100644
--- a/DocuSign.MyAPI/Controllers/AccountController.cs
+++ b/DocuSign.MyAPI/Controllers/AccountController.cs
@@ -27,6 +27,11 @@ public async Task> GetAccountId()
 [Route("login")]
 public IActionResult Login(string returnUrl = "/")
 {
+ if (string.IsNullOrEmpty(returnUrl) || !Url.IsLocalUrl(returnUrl))
+ {
+ returnUrl = "/";
+ }
+
 return Challenge(new AuthenticationProperties() { RedirectUri = returnUrl, AllowRefresh = true });
 }
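Review bot: The new `startsWith('/')` guard in the `afterDismissed` callback still accepts protocol-relative values such as `//host/path`, so the comment `// Only allow relative paths` promises more than the check enforces; the same gap is in the `header.component.ts` hunk, and in this file the server-side `Url.IsLocalUrl` check in AccountController.cs is what actually rejects such values. If the client guard is meant to be more than cosmetic, tighten both to `if (!returnUrl.startsWith('/') || returnUrl.startsWith('//') || returnUrl.startsWith('/\\')) {`. Separately, `returnUrl` is concatenated into the query string unencoded, so a router URL that itself carries `?` or `&` is split into extra parameters on the login endpoint; use `'/account/login?returnUrl=' + encodeURIComponent(returnUrl)`. The enclosing method begins before the hunk.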
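Review bot: `currentUrl` inside the `NavigationEnd` branch is never reassigned, so it should be `const currentUrl = this.router.url;`. This is also the second hand-written copy of the relative-path guard (the first is in errorhandler.inteceptor.ts), and two copies of a security check tend to drift apart; a single shared helper such as `toLocalPath(url: string): string` returning `'/'` for anything non-local, called from both sites, keeps one definition of what "local" means. The class continues outside the hunk, but `ngOnInit` itself is fully visible.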
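Review bot: `string.IsNullOrEmpty(returnUrl)` in the new guard is redundant, since `Url.IsLocalUrl` already returns false for null and empty input, so the condition can be just `if (!Url.IsLocalUrl(returnUrl))` — or, if the explicit form is kept for readability, a short comment should say so. The action has no doc comment stating why the check exists; add `/// <param name="returnUrl">Local path to return to after sign-in; any non-local value is replaced by "/" so this endpoint cannot be used as an open redirect.</param>` above `Login`. Because this server-side check is what the two client-side `startsWith('/')` guards in the TypeScript hunks ultimately rely on, it deserves a unit test asserting that a non-local value yields `RedirectUri == "/"`.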