feat: add sign-out redirect URL and enhance sign-in redirect handling

frontend/src/auth/redirects.test.ts

@@ -0,0 +1,44 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+
+import { resolveSignInRedirectUrl } from "@/auth/redirects";
+
+describe("resolveSignInRedirectUrl", () => {
+  afterEach(() => {
+    vi.unstubAllEnvs();
+  });
+
+  it("uses env fallback when redirect is missing", () => {
+    vi.stubEnv("NEXT_PUBLIC_CLERK_SIGN_IN_FALLBACK_REDIRECT_URL", "/boards");
+
+    expect(resolveSignInRedirectUrl(null)).toBe("/boards");
+  });
+
+  it("defaults to /dashboard when no env fallback is set", () => {
+    expect(resolveSignInRedirectUrl(null)).toBe("/dashboard");
+  });
+
+  it("allows safe relative paths", () => {
+    expect(resolveSignInRedirectUrl("/dashboard?tab=ops#queue")).toBe(
+      "/dashboard?tab=ops#queue",
+    );
+  });
+
+  it("rejects protocol-relative urls", () => {
+    vi.stubEnv("NEXT_PUBLIC_CLERK_SIGN_IN_FALLBACK_REDIRECT_URL", "/activity");
+
+    expect(resolveSignInRedirectUrl("//evil.example.com/path")).toBe("/activity");
+  });
+
+  it("rejects external absolute urls", () => {
+    vi.stubEnv("NEXT_PUBLIC_CLERK_SIGN_IN_FALLBACK_REDIRECT_URL", "/activity");
+
+    expect(resolveSignInRedirectUrl("https://evil.example.com/steal")).toBe(
+      "/activity",
+    );
+  });
+
+  it("accepts same-origin absolute urls and normalizes to path", () => {
+    const url = `${window.location.origin}/boards/new?src=invite#top`;
+    expect(resolveSignInRedirectUrl(url)).toBe("/boards/new?src=invite#top");
+  });
+});