Fix security issue

apps/charterafrica/src/pages/api/v1/draft/disable-draft.js

@@ -0,0 +1,5 @@
+// By default, the Draft Mode session ends when the browser is closed.
+// This method clears it manually / on demand.
+export default function handler(req, res) {
+  res.setDraftMode({ enable: false });
+}

apps/charterafrica/src/pages/api/v1/draft/index.page.js

@@ -3,10 +3,18 @@ export default async function handler(req, res) {
   // make sure the user requesting to preview, is logged into Payload
   // See "Tip" on: https://payloadcms.com/docs/authentication/overview#token-based-auth
   if (!req.user) {
-    return res.status(500).json({ message: "UNAUTHORIZED_USER" });
+    return res.status(401).json({ message: "UNAUTHORIZED_USER" });
   }
   const { slug } = req.query;
   res.setDraftMode({ enable: true });
 
-  return res.redirect(slug);
+  // Guard against open redirect vulnerabilities
+  // Since slug will be a path, redirect to pathname instead of original slug
+  // just in case
+  const appUrl = new URL(process.env.NEXT_PUBLIC_APP_URL);
+  const requestedUrl = new URL(slug, appUrl);
+  if (requestedUrl.origin !== appUrl.origin) {
+    return res.status(401).json({ message: "UNAUTHORIZED_REDIRECT" });
+  }
+  return res.redirect(requestedUrl.pathname);
 }