[server/auth] ensure safe returnTo param

Author: AlexTugarev

components/server/src/user/user-controller.ts

@@ -81,13 +81,15 @@ export class UserController {
             }
 
             // Proceed with login
+            this.ensureSafeReturnToParam(req);
             await this.authenticator.authenticate(req, res, next);
         });
         router.get("/authorize", (req: express.Request, res: express.Response, next: express.NextFunction) => {
             if (!User.is(req.user)) {
                 res.sendStatus(401);
                 return;
             }
+            this.ensureSafeReturnToParam(req);
             this.authenticator.authorize(req, res, next);
         });
         const branding = this.env.brandingConfig;
@@ -483,6 +485,10 @@ export class UserController {
         }
     }
 
+    protected ensureSafeReturnToParam(req: express.Request) {
+        req.query.returnTo = this.getSafeReturnToParam(req);
+    }
+
     protected getSafeReturnToParam(req: express.Request) {
         const returnToURL: string | undefined = req.query.redirect || req.query.returnTo;
         if (returnToURL) {