| author | Fuwn <[email protected]> | 2026-04-18 09:14:14 +0000 |
|---|---|---|
| committer | Fuwn <[email protected]> | 2026-04-18 09:14:14 +0000 |
| commit | 13226aaeb7c4dc1ce01074ef1ba1eeb87b53d5f5 (patch) | |
| tree | b8b8ed967686145dc7f7ff727015de17828169f9 | |
| parent | fix(easter-event): drop dead resize/scroll listener cleanup (diff) | |
| download | due.moe-13226aaeb7c4dc1ce01074ef1ba1eeb87b53d5f5.tar.xz due.moe-13226aaeb7c4dc1ce01074ef1ba1eeb87b53d5f5.zip | |
fix(api): drop unused redirect query param from oauth refresh
The refresh endpoint accepted a ?redirect query param and, when
present, called redirect(303, "/") instead of returning the refreshed
token as JSON. The target was hardcoded to "/" regardless of the
param's value, so the feature was dead — and the pattern of reading
a "redirect" param invited future open-redirect bugs if someone wired
the value through to redirect() directly.
The sole in-tree caller (feeds/activity-notifications) reads the JSON
response, so always return JSON and drop the redirect import.
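The commit removes the dead redirect branch outright. For the case the message warns about, a refresh endpoint that really does need to send the browser back somewhere, the following is an added example (not code from due.moe or SvelteKit): the unsafe pattern of passing a `redirect` query param straight through to a Location header, beside a same-origin validator that resolves the value against the request origin and rejects absolute URLs, protocol-relative `//host` forms, backslash variants and control characters. The handlers return plain objects instead of calling SvelteKit's `redirect()` so the file runs stand-alone; the handler names, the `Reply` shape and the `https://due.moe` origin used in the comments are assumptions for illustration.

```typescript
// Added example, not part of the due.moe repository. Demonstrates why a
// "redirect" query param must never flow unvalidated into a redirect.

const SAFE_DEFAULT = "/";

// Resolve a user-supplied redirect target to a path on `origin`, or fall
// back to SAFE_DEFAULT. Parsing relative to the trusted origin lets the URL
// parser do the normalization an attacker relies on ("//evil.com",
// "/\evil.com", "https://evil.com", "javascript:...") and the origin
// comparison then rejects every form that leaves our host.
export function safeRedirectTarget(raw: string | null, origin: string): string {
  if (raw === null || raw === "") return SAFE_DEFAULT;

  let parsed: URL;
  try {
    parsed = new URL(raw, origin);
  } catch {
    return SAFE_DEFAULT;
  }
  if (parsed.origin !== new URL(origin).origin) return SAFE_DEFAULT;

  // Belt and braces on the raw string: require a plain "/path" form (not
  // "//..." or "/\..." even when they happen to resolve to our own host) and
  // refuse control characters that could be used for header injection.
  if (!raw.startsWith("/") || raw.startsWith("//") || raw.startsWith("/\\")) {
    return SAFE_DEFAULT;
  }
  if (/[\u0000-\u001f\u007f]/.test(raw)) return SAFE_DEFAULT;

  // Re-emit the normalized path rather than the raw input.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Hypothetical minimal handler result, standing in for a SvelteKit Response.
export type Reply = { status: number; location?: string; body?: unknown };
type Handler = (url: URL) => Reply;

// Constructed stand-in for the refreshed token the real endpoint returns.
const refreshed = { token: "example-refreshed-token" };

// VULNERABLE: the open-redirect pattern the commit message describes. The
// attacker-controlled value becomes the Location header verbatim, so
// ?redirect=https://evil.com bounces a logged-in user to the attacker.
export const vulnerableRefresh: Handler = (url) => {
  const target = url.searchParams.get("redirect");
  if (target) return { status: 303, location: target };
  return { status: 200, body: refreshed };
};

// HARDENED: the same feature, but the target is validated against the
// request's own origin first and silently falls back to "/".
export const hardenedRefresh: Handler = (url) => {
  const target = url.searchParams.get("redirect");
  if (target !== null) {
    return { status: 303, location: safeRedirectTarget(target, url.origin) };
  }
  return { status: 200, body: refreshed };
};
```

In a real SvelteKit handler `url.origin` is only trustworthy when the deployment sets `ORIGIN` (or the proxy-header options) so the framework does not derive it from an attacker-controlled Host header; otherwise compare against a constant you own. Returning the re-serialized `pathname + search + hash` rather than the raw string also removes any leftover whitespace or encoding oddities the parser normalized away.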
| -rw-r--r-- | src/routes/api/oauth/refresh/+server.ts | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/src/routes/api/oauth/refresh/+server.ts b/src/routes/api/oauth/refresh/+server.ts index 13e7ab09..1a18c7d4 100644 --- a/src/routes/api/oauth/refresh/+server.ts +++ b/src/routes/api/oauth/refresh/+server.ts @@ -1,6 +1,5 @@ import { env } from "$env/dynamic/private"; import { env as env2 } from "$env/dynamic/public"; -import { redirect } from "@sveltejs/kit"; export const GET = async ({ url, cookies }) => { const formData = new FormData(); @@ -25,6 +24,5 @@ export const GET = async ({ url, cookies }) => { secure: false, }); - if (url.searchParams.get("redirect")) redirect(303, "/"); - else return Response.json(newUser); + return Response.json(newUser); }; |
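Review bot: with the only `url.searchParams` read removed in the second hunk, check whether `url` in `export const GET = async ({ url, cookies })` is still referenced anywhere in the lines this diff does not show; if it is not, drop it from the destructuring in the first hunk so the handler declares exactly what it uses and an unused-binding lint does not flag it.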
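Review bot: outside the scope of the redirect removal but visible in the trailing context of the second hunk, the cookie this handler sets just before the return carries `secure: false`, so a browser will also send it over plain HTTP. If that is a local-development concession, make it conditional (for example `secure: !dev` with `dev` from `$app/environment`) rather than hardcoded, so production always gets the Secure attribute on a cookie written by a token-refresh endpoint.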