Merge branch 'dev' into feat/resource-policies

src/lib/api/cookies.ts

@@ -2,31 +2,20 @@ import { headers } from "next/headers";
 
 export async function authCookieHeader() {
     const otherHeaders = await headers();
-    const otherHeadersObject = Object.fromEntries(otherHeaders.entries());
+    const otherHeadersObject = Object.fromEntries(
+        Array.from(otherHeaders.entries()).map(([k, v]) => [k.toLowerCase(), v])
+    );
 
     return {
         headers: {
-            cookie:
-                otherHeadersObject["cookie"] || otherHeadersObject["Cookie"],
-            host: otherHeadersObject["host"] || otherHeadersObject["Host"],
-            "user-agent":
-                otherHeadersObject["user-agent"] ||
-                otherHeadersObject["User-Agent"],
-            "x-forwarded-for":
-                otherHeadersObject["x-forwarded-for"] ||
-                otherHeadersObject["X-Forwarded-For"],
-            "x-forwarded-host":
-                otherHeadersObject["fx-forwarded-host"] ||
-                otherHeadersObject["Fx-Forwarded-Host"],
-            "x-forwarded-port":
-                otherHeadersObject["x-forwarded-port"] ||
-                otherHeadersObject["X-Forwarded-Port"],
-            "x-forwarded-proto":
-                otherHeadersObject["x-forwarded-proto"] ||
-                otherHeadersObject["X-Forwarded-Proto"],
-            "x-real-ip":
-                otherHeadersObject["x-real-ip"] ||
-                otherHeadersObject["X-Real-IP"]
+            cookie: otherHeadersObject["cookie"],
+            host: otherHeadersObject["host"],
+            "user-agent": otherHeadersObject["user-agent"],
+            "x-forwarded-for": otherHeadersObject["x-forwarded-for"],
+            "x-forwarded-host": otherHeadersObject["x-forwarded-host"],
+            "x-forwarded-port": otherHeadersObject["x-forwarded-port"],
+            "x-forwarded-proto": otherHeadersObject["x-forwarded-proto"],
+            "x-real-ip": otherHeadersObject["x-real-ip"]
         }
     };
 }

src/lib/api/isOrgSubscribed.ts

@@ -20,7 +20,7 @@ export const isOrgSubscribed = cache(async (orgId: string) => {
         try {
             const subRes = await getCachedSubscription(orgId);
             subscribed =
-                (subRes.data.data.tier == "tier1" || subRes.data.data.tier == "tier2" || subRes.data.data.tier == "tier3") &&
+                (subRes.data.data.tier == "tier1" || subRes.data.data.tier == "tier2" || subRes.data.data.tier == "tier3" || subRes.data.data.tier == "enterprise") &&
                 subRes.data.data.active;
         } catch {}
     }

src/lib/internalRedirect.ts

@@ -41,11 +41,12 @@ export function consumeInternalRedirectPath(): string | null {
 }
 
 /**
- * Returns the full redirect target for an org: either `/${orgId}` or
- * `/${orgId}${path}` if a valid internal_redirect was stored. Consumes the
- * stored value.
+ * Returns the full redirect target if a valid internal_redirect was stored
+ * (consumes the stored value). Returns null if none was stored or expired.
+ * Paths starting with /auth/ are returned as-is; others are prefixed with orgId.
  */
-export function getInternalRedirectTarget(orgId: string): string {
+export function getInternalRedirectTarget(orgId: string): string | null {
     const path = consumeInternalRedirectPath();
-    return path ? `/${orgId}${path}` : `/${orgId}`;
+    if (!path) return null;
+    return path.startsWith("/auth/") ? path : `/${orgId}${path}`;
 }

src/lib/validateLocalPath.ts

@@ -0,0 +1,16 @@
+export function validateLocalPath(value: string) {
+    try {
+        const url = new URL("https://pangoling.net" + value);
+        if (
+            url.pathname !== value ||
+            value.includes("..") ||
+            value.includes("*")
+        ) {
+            throw new Error("Invalid Path");
+        }
+    } catch {
+        throw new Error(
+            "should be a valid pathname starting with `/` and not containing query parameters, `..` or `*`"
+        );
+    }
+}