akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

Fix logout redirect to 0.0.0.0 instead of configured BASE_URL

Browse Source 
Closes #113

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
fuomag9
2026-04-20 09:51:40 +02:00
parent 521a059414
commit dbfc340ea4
2 changed files with 21 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
app/api/auth/logout/route.ts
View File

@@ -1,6 +1,7 @@
import { NextRequest, NextResponse } from "next/server"; import { NextRequest, NextResponse } from "next/server";
import { getAuth } from "@/src/lib/auth-server"; import { getAuth } from "@/src/lib/auth-server";
import { checkSameOrigin } from "@/src/lib/auth"; import { checkSameOrigin } from "@/src/lib/auth";
import { config } from "@/src/lib/config";
import { headers } from "next/headers"; import { headers } from "next/headers";
export const dynamic = "force-dynamic"; export const dynamic = "force-dynamic";
@@ -10,5 +11,5 @@ export async function POST(request: NextRequest) {
if (originCheck) return originCheck; if (originCheck) return originCheck;
await getAuth().api.signOut({ headers: await headers() }); await getAuth().api.signOut({ headers: await headers() });
return NextResponse.redirect(new URL("/login", request.url)); return NextResponse.redirect(new URL("/login", config.baseUrl));
} }

19
tests/e2e/auth.spec.ts
View File

@@ -40,6 +40,25 @@ test.describe('Authentication', () => {
await expect(page).not.toHaveURL(/\/login/, { timeout: 10000 }); await expect(page).not.toHaveURL(/\/login/, { timeout: 10000 });
}); });
test('logout redirects to /login on the correct host (not 0.0.0.0)', async ({ page }) => {
// Regression test: logout used request.url as redirect base, which inside
// Docker resolves to 0.0.0.0 instead of the configured BASE_URL.
await page.goto('/login');
await page.getByRole('textbox', { name: /username/i }).fill('testadmin');
await page.getByRole('textbox', { name: /password/i }).fill('TestPassword2026!');
await page.getByRole('button', { name: /sign in/i }).click();
await expect(page).not.toHaveURL(/\/login/, { timeout: 10000 });
// Click logout
await page.getByRole('button', { name: /log\s*out|sign\s*out/i }).click();
// Should land on /login on localhost, not 0.0.0.0
await expect(page).toHaveURL(/\/login/, { timeout: 10000 });
const url = new URL(page.url());
expect(url.hostname).not.toBe('0.0.0.0');
expect(url.hostname).toBe('localhost');
});
test('hyphenated username passes validation (not rejected as invalid)', async ({ page }) => { test('hyphenated username passes validation (not rejected as invalid)', async ({ page }) => {
// Regression test for #112: better-auth default username validator rejects hyphens. // Regression test for #112: better-auth default username validator rejects hyphens.
// A non-existent hyphenated user should get 401 (wrong credentials), not 422 (invalid username). // A non-existent hyphenated user should get 401 (wrong credentials), not 422 (invalid username).