fix(proxy): validate host against allowlist to prevent open redirect (fixes #65)

FuturMix · FuturMix · commit 876ccdae5fb6 · 2026-06-14T12:20:57.000+08:00
diff --git a/apps/logicsrc-web/src/proxy.ts b/apps/logicsrc-web/src/proxy.ts
@@ -4,12 +4,13 @@ import type { NextRequest } from "next/server";
 // Canonical host: 301 www.* to the bare apex domain over https, preserving
 // path + query (e.g. https://www.logicsrc.com/foo -> https://logicsrc.com/foo).
 // This is the Next 16 "proxy" (formerly middleware) entrypoint.
+const ALLOWED_APEX = process.env.PUBLIC_DOMAIN || "logicsrc.com";
+
 export function proxy(request: NextRequest): NextResponse {
   const host = request.headers.get("host") ?? "";
-  if (host.startsWith("www.")) {
-    const apexHost = host.slice("www.".length);
+  if (host === `www.${ALLOWED_APEX}`) {
     const { pathname, search } = request.nextUrl;
-    return NextResponse.redirect(`https://${apexHost}${pathname}${search}`, 301);
+    return NextResponse.redirect(`https://${ALLOWED_APEX}${pathname}${search}`, 301);
   }
   return NextResponse.next();
 }
