From 4f76654813be5639da20cb0ccab007dacf082061 Mon Sep 17 00:00:00 2001
From: zomars
Date: Tue, 16 Aug 2022 13:55:50 -0600
Subject: [PATCH] Whitelist only cal domain as callbackUrls

---
 apps/web/middleware.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/apps/web/middleware.ts b/apps/web/middleware.ts
index 084a1bdae0..796be0cedc 100644
--- a/apps/web/middleware.ts
+++ b/apps/web/middleware.ts
@@ -2,6 +2,7 @@ import { collectEvents } from "next-collect/server";
 // eslint-disable-next-line @next/next/no-server-import-in-page
 import { NextMiddleware, NextResponse, userAgent } from "next/server";
 
+import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants";
 import { extendEventData, nextCollectBasicSettings } from "@calcom/lib/telemetry";
 
 const V2_WHITELIST = ["/settings/admin"];
@@ -12,7 +13,11 @@ const middleware: NextMiddleware = async (req) => {
   if (url.pathname.startsWith("/api/auth")) {
     const callbackUrl = url.searchParams.get("callbackUrl");
     const { isBot } = userAgent(req);
-    if (isBot || (callbackUrl && !callbackUrl.startsWith("https://") && !callbackUrl.startsWith("http://"))) {
+
+    if (
+      isBot ||
+      (callbackUrl && ![CONSOLE_URL, WEBAPP_URL, WEBSITE_URL].some((u) => callbackUrl.startsWith(u)))
+    ) {
       // DDOS Prevention: Immediately end request with no response - Avoids a redirect as well initiated by NextAuth on invalid callback
       const res = new NextResponse("hey", { status: 400, statusText: "Please don't" });
       return res;
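Review bot: The new allowlist in the second hunk is a string-prefix check (`callbackUrl.startsWith(u)`), which does not pin the callback to the intended origins: any URL whose host merely begins with an allowed host, or that carries the allowed origin in the userinfo or path portion, still passes, so the open-redirect protection this commit is meant to add can be sidestepped. The robust check is to parse the candidate with `new URL()` and compare its `origin` against the origins of CONSOLE_URL, WEBAPP_URL and WEBSITE_URL, treating an unparseable value as rejected; this presumes those three constants are absolute URLs (they are used as prefixes here, so that seems intended, but worth confirming). The check would be clearer and reusable as a small helper above `middleware`, with a comment such as `// Only allow callbackUrl values whose origin is one of our own deployments; prefix matching is bypassable`. The enclosing `middleware` function starts and ends outside the hunk.
```typescript
// Origins that /api/auth may redirect back to; compared as parsed origins, not string prefixes.
const ALLOWED_CALLBACK_ORIGINS = [CONSOLE_URL, WEBAPP_URL, WEBSITE_URL].map((u) => new URL(u).origin);

const isAllowedCallbackUrl = (candidate: string): boolean => {
  try {
    return ALLOWED_CALLBACK_ORIGINS.includes(new URL(candidate).origin);
  } catch {
    // Relative or malformed values are rejected, matching the previous behaviour for non-absolute URLs.
    return false;
  }
};

// … unchanged: middleware setup, url / callbackUrl / isBot …
    if (isBot || (callbackUrl && !isAllowedCallbackUrl(callbackUrl))) {
// … unchanged: 400 response …
```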