Merge pull request #624 from CodeForAfrica/fix/charterafrica_draft_mode

Fix @/charterafrica security issue

apps/charterafrica/contrib/dokku/Dockerfile

@@ -1 +1 @@
-FROM codeforafrica/charterafrica-ui:0.1.9
+FROM codeforafrica/charterafrica-ui:0.1.10

apps/charterafrica/package.json

@@ -1,6 +1,6 @@
 {
   "name": "charterafrica",
-  "version": "0.1.9",
+  "version": "0.1.10",
   "private": true,
   "author": "Code for Africa <[email protected]>",
   "description": "This is the official code for https://charter.africa site",

apps/charterafrica/src/pages/api/v1/disable-draft.page.js

@@ -0,0 +1,5 @@
+// By default, the Draft Mode session ends when the browser is closed.
+// This method clears it manually / on demand.
+export default function handler(req, res) {
+  res.setDraftMode({ enable: false });
+}

apps/charterafrica/src/pages/api/v1/draft/index.page.js

@@ -3,10 +3,18 @@ export default async function handler(req, res) {
   // make sure the user requesting to preview, is logged into Payload
   // See "Tip" on: https://payloadcms.com/docs/authentication/overview#token-based-auth
   if (!req.user) {
-    return res.status(500).json({ message: "UNAUTHORIZED_USER" });
+    return res.status(401).json({ message: "UNAUTHORIZED_USER" });
   }
   const { slug } = req.query;
   res.setDraftMode({ enable: true });
 
-  return res.redirect(slug);
+  // Guard against open redirect vulnerabilities
+  // Since slug will be a path, redirect to pathname instead of original slug
+  // just in case
+  const appUrl = new URL(process.env.NEXT_PUBLIC_APP_URL);
+  const requestedUrl = new URL(slug, appUrl);
+  if (requestedUrl.origin !== appUrl.origin) {
+    return res.status(401).json({ message: "UNAUTHORIZED_REDIRECT" });
+  }
+  return res.redirect(requestedUrl.pathname);
 }