From dcde795e54f0e17e3bedcf8ed8df18ef8508d7c0 Mon Sep 17 00:00:00 2001
From: Joshua Rogers <MegaManSec@users.noreply.github.com>
Date: Wed, 29 Oct 2025 14:16:00 +0800
Subject: [PATCH] fix(app-router): encode returnTo in login redirect to prevent
 OAuth param injection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

URLencode returnTo in appRouteHandlerFactory so the query params don’t break out into /auth/login and get forwarded to /authorize (e.g., scope, audience, etc).

This bug was found with ZeroPath.

Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
---
 src/server/helpers/with-page-auth-required.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/server/helpers/with-page-auth-required.ts b/src/server/helpers/with-page-auth-required.ts
index 41af2dfe..f07046b8 100644
--- a/src/server/helpers/with-page-auth-required.ts
+++ b/src/server/helpers/with-page-auth-required.ts
@@ -196,7 +196,7 @@ export const appRouteHandlerFactory =
           : opts.returnTo;
       const { redirect } = await import("next/navigation.js");
       redirect(
-        `${config.loginUrl}${opts.returnTo ? `?returnTo=${returnTo}` : ""}`
+        `${config.loginUrl}${opts.returnTo ? `?returnTo=${encodeURIComponent(returnTo)}` : ""}`
       );
     }
     return handler(params);