From 13226aaeb7c4dc1ce01074ef1ba1eeb87b53d5f5 Mon Sep 17 00:00:00 2001
From: Fuwn
Date: Sat, 18 Apr 2026 09:14:14 +0000
Subject: fix(api): drop unused redirect query param from oauth refresh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The refresh endpoint accepted a ?redirect query param and, when present, called redirect(303, "/") instead of returning the refreshed token as JSON. The target was hardcoded to "/" regardless of the param's value, so the feature was dead — and the pattern of reading a "redirect" param invited future open-redirect bugs if someone wired the value through to redirect() directly. The sole in-tree caller (feeds/activity-notifications) reads the JSON response, so always return JSON and drop the redirect import.
---
 src/routes/api/oauth/refresh/+server.ts | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/routes/api/oauth/refresh/+server.ts b/src/routes/api/oauth/refresh/+server.ts
index 13e7ab09..1a18c7d4 100644
--- a/src/routes/api/oauth/refresh/+server.ts
+++ b/src/routes/api/oauth/refresh/+server.ts
@@ -1,6 +1,5 @@
 import { env } from "$env/dynamic/private";
 import { env as env2 } from "$env/dynamic/public";
-import { redirect } from "@sveltejs/kit";
 export const GET = async ({ url, cookies }) => {
   const formData = new FormData();
@@ -25,6 +24,5 @@ export const GET = async ({ url, cookies }) => {
     secure: false,
   });
-  if (url.searchParams.get("redirect")) redirect(303, "/");
-  else return Response.json(newUser);
+  return Response.json(newUser);
 };
--
cgit v1.2.3
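Review bot: The added `return Response.json(newUser);` sends what the commit message describes as the refreshed token in the body of a GET response with no caching directive, so a browser or intermediary cache may retain it; return it with `Cache-Control: no-store`, e.g. `return Response.json(newUser, { headers: { "Cache-Control": "no-store" } });`. With the `redirect` branch removed, `url` in the handler's destructured parameter (first hunk) appears to be unused unless the body between the two hunks reads it — if it is not, drop it from the signature so lint does not flag it. The context line `secure: false` on the cookie set just above the change is pre-existing and not part of this commit, but it permits the cookie to be sent over plain HTTP and deserves a follow-up. The GET handler's body continues outside both hunks.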