Diffstat (limited to 'apps/web/app/auth/callback')
| -rw-r--r-- | apps/web/app/auth/callback/route.ts | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/apps/web/app/auth/callback/route.ts b/apps/web/app/auth/callback/route.ts
new file mode 100644
index 0000000..a912da3
--- /dev/null
+++ b/apps/web/app/auth/callback/route.ts
@@ -0,0 +1,43 @@
+import { NextResponse } from "next/server"
+import { createSupabaseServerClient } from "@/lib/supabase/server"
+import type { EmailOtpType } from "@supabase/supabase-js"
+
+function sanitizeRedirectPath(rawPath: string | null): string {
+ if (!rawPath) return "/reader"
+ if (!rawPath.startsWith("/")) return "/reader"
+ if (rawPath.startsWith("//")) return "/reader"
+ if (rawPath.includes("\\")) return "/reader"
+
+ return rawPath
+}
+
+export async function GET(request: Request) {
+ const { searchParams, origin } = new URL(request.url)
+ const code = searchParams.get("code")
+ const tokenHash = searchParams.get("token_hash")
+ const type = searchParams.get("type") as EmailOtpType | null
+ const next = sanitizeRedirectPath(searchParams.get("next"))
+
+ const supabaseClient = await createSupabaseServerClient()
+
+ if (tokenHash && type) {
+ const { error } = await supabaseClient.auth.verifyOtp({
+ token_hash: tokenHash,
+ type,
+ })
+
+ if (!error) {
+ return NextResponse.redirect(`${origin}${next}`)
+ }
+ }
+
+ if (code) {
+ const { error } = await supabaseClient.auth.exchangeCodeForSession(code)
+
+ if (!error) {
+ return NextResponse.redirect(`${origin}${next}`)
+ }
+ }
+
+ return NextResponse.redirect(`${origin}/sign-in?error=auth`)
+}
 |
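Review bot: In `GET`, `searchParams.get("type") as EmailOtpType | null` is only a compile-time assertion, so any string from the query reaches `verifyOtp` as `type` and the route relies entirely on the auth server to reject it. I would narrow it at runtime against an allow-list of the flows this app actually issues, for example `const EMAIL_OTP_TYPES: readonly EmailOtpType[] = ["signup", "invite", "magiclink", "recovery", "email_change", "email"]`, then `const rawType = searchParams.get("type")` and `const type = EMAIL_OTP_TYPES.find((t) => t === rawType) ?? null`. Both `error` values are also discarded before falling through to `/sign-in?error=auth`, so failed verifications leave no server-side trace. Logging the error's status or code there (never `token_hash` or `code`) would give detection something to work with. `sanitizeRedirectPath` is only safe in combination with the `${origin}` prefix at the redirect sites, and a one-line comment on the function saying so would stop a later caller from using its result as a bare `Location`.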