Fix schema page loading

isTravis · isTravis · commit cdbe5d5acc2b · 2026-05-27T17:18:46.000-04:00
diff --git a/src/api/auth.server.ts b/src/api/auth.server.ts
@@ -1,3 +1,5 @@
+import crypto from 'node:crypto'
+
 import bcrypt from 'bcrypt'
 import { eq } from 'drizzle-orm'
 import type { Context, MiddlewareHandler } from 'hono'
@@ -21,17 +23,22 @@ const internalToken = process.env.INTERNAL_API_TOKEN ?? 'internal-dev-token'
 const authInternalApiKey = process.env.AUTH_INTERNAL_API_KEY ?? ''
 const sessionSecret = process.env.SESSION_SECRET ?? 'dev-secret-change-me'
 
+function timingSafeEquals(a: string, b: string): boolean {
+  if (a.length !== b.length) return false
+  return crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b))
+}
+
 export const authMiddleware = createMiddleware<AuthEnv>(async (c, next) => {
   // Internal service calls (legacy header)
   const internalHeader = c.req.header('x-internal-token')
-  if (internalHeader === internalToken) {
+  if (internalHeader && timingSafeEquals(internalHeader, internalToken)) {
     c.set('apiKeyScope', 'read')
     return next()
   }
 
   // Auth provider internal API key (used by /api/kf/* endpoints)
   const auth = c.req.header('authorization')
-  if (authInternalApiKey && auth === `Bearer ${authInternalApiKey}`) {
+  if (authInternalApiKey && auth && timingSafeEquals(auth, `Bearer ${authInternalApiKey}`)) {
     c.set('apiKeyScope', 'admin')
     return next()
   }
diff --git a/src/api/kf-auth.ts b/src/api/kf-auth.ts
@@ -162,9 +162,11 @@ export async function callback(c: Context<AuthEnv>) {
 
   setSessionCookie(c, sessionId)
 
-  // Redirect to saved return URL
-  const returnTo = getCookie(c, RETURN_COOKIE) ?? '/dashboard'
+  // Redirect to saved return URL (validate it's a safe relative path)
+  const rawReturn = getCookie(c, RETURN_COOKIE) ?? '/dashboard'
   deleteCookie(c, RETURN_COOKIE, { path: '/' })
+  const returnTo =
+    rawReturn.startsWith('/') && !rawReturn.startsWith('//') ? rawReturn : '/dashboard'
 
   return c.redirect(returnTo)
 }
diff --git a/src/routes/schemas/[id].tsx b/src/routes/schemas/[id].tsx
@@ -1,5 +1,5 @@
 import { useEffect, useState } from 'react'
-import { Link } from 'react-router'
+import { Link, useParams } from 'react-router'
 
 import BaseLayout from '~/components/BaseLayout'
 import SchemaLabelManager from '~/components/SchemaLabelManager'
@@ -15,7 +15,8 @@ interface SchemaData {
 }
 
 export default function SchemaDetailPage() {
-  const schemaId = useSSRData<string>('schemaId')
+  const params = useParams()
+  const schemaId = useSSRData<string>('schemaId') ?? params.id
   const [schema, setSchema] = useState<SchemaData | null>(null)
   const [loading, setLoading] = useState(true)
   const [error, setError] = useState('')
