add normalizeLocationHeader

Author: sommeeeer

.changeset/fluffy-dingos-tap.md

@@ -0,0 +1,10 @@
+---
+"@opennextjs/aws": patch
+---
+
+fix: Normalize the Location header in redirects
+
+Normalizes the Location header to either be a relative path or a full URL.
+If the Location header is relative to the host, it will return a relative path.
+If it is an absolute URL, it will return the full URL.
+Both cases will ensure that the Location value is properly encoded according to RFC

packages/open-next/src/core/routing/middleware.ts

@@ -15,6 +15,7 @@ import {
   convertBodyToReadableStream,
   getMiddlewareMatch,
   isExternal,
+  normalizeLocationHeader,
 } from "./util.js";
 
 const middlewareManifest = MiddlewareManifest;
@@ -94,6 +95,15 @@ export async function handleMiddleware(
     url,
     body: convertBodyToReadableStream(internalEvent.method, internalEvent.body),
   } as unknown as Request);
+  if (result.headers.has("Location")) {
+    result.headers.set(
+      "Location",
+      normalizeLocationHeader(
+        result.headers.get("Location") as string,
+        internalEvent.url,
+      ),
+    );
+  }
   const statusCode = result.status;
 
   /* Apply override headers from middleware

packages/open-next/src/core/routing/util.ts

@@ -437,3 +437,41 @@ export async function invalidateCDNOnRequest(
     ]);
   }
 }
+
+/**
+ * Normalizes the Location header to either be a relative path or a full URL.
+ * If the Location header is relative to the host, it will return a relative path.
+ * If it is an absolute URL, it will return the full URL.
+ * Both cases will ensure that the Location value is properly encoded according to RFC
+ *
+ * @param location The Location header value
+ * @param base The original request URL
+ * @returns An encoded absolute or relative Location header value
+ */
+export function normalizeLocationHeader(
+  location: string,
+  base: string,
+): string {
+  try {
+    const locationUrl = new URL(location);
+    const origin = new URL(base).origin;
+
+    // Encode the search parameters to ensure they are valid according to RFC
+    const encodedSearch = locationUrl.searchParams.toString()
+      ? `?${locationUrl.searchParams.toString()}`
+      : "";
+    const href =
+      locationUrl.origin +
+      locationUrl.pathname +
+      encodedSearch +
+      locationUrl.hash;
+    // The URL is relative if the origin is the same as the base URL's origin
+    if (locationUrl.origin === origin) {
+      return href.slice(origin.length);
+    }
+    return href;
+  } catch {
+    // If the location is not a valid URL, return it as-is
+    return location;
+  }
+}

packages/open-next/src/core/routingHandler.ts

@@ -28,7 +28,7 @@ import {
   dynamicRouteMatcher,
   staticRouteMatcher,
 } from "./routing/routeMatcher";
-import { constructNextUrl } from "./routing/util";
+import { constructNextUrl, normalizeLocationHeader } from "./routing/util";
 
 export const MIDDLEWARE_HEADER_PREFIX = "x-middleware-response-";
 export const MIDDLEWARE_HEADER_PREFIX_LEN = MIDDLEWARE_HEADER_PREFIX.length;
@@ -110,13 +110,13 @@ export default async function routingHandler(
     if (redirect) {
       // We need to encode the value in the Location header to make sure it is valid according to RFC
       // https://stackoverflow.com/a/7654605/16587222
-      redirect.headers.Location = new URL(
+      redirect.headers.Location = normalizeLocationHeader(
         redirect.headers.Location as string,
-      ).href;
+        event.url,
+      );
       debug("redirect", redirect);
       return redirect;
     }
-
     const middlewareEventOrResult = await handleMiddleware(
       eventOrResult,
       // We need to pass the initial search without any decoding