Adds console url to redirection whitelist

packages/lib/constants.ts

@@ -2,6 +2,9 @@ export const WEBAPP_URL = process.env.NEXT_PUBLIC_WEBAPP_URL || `https://${proce
 /** @deprecated use `WEBAPP_URL` */
 export const BASE_URL = WEBAPP_URL;
 export const WEBSITE_URL = process.env.NEXT_PUBLIC_WEBSITE_URL || "https://cal.com";
+export const CONSOLE_URL = WEBAPP_URL.startsWith("http://localhost")
+  ? "http://localhost:3004"
+  : `https://console.cal.${process.env.VERCEL_ENV === "production" ? "com" : "dev"}`;
 export const IS_PRODUCTION = process.env.NODE_ENV === "production";
 export const TRIAL_LIMIT_DAYS = 14;
 export const HOSTED_CAL_FEATURES = process.env.HOSTED_CAL_FEATURES || BASE_URL === "https://app.cal.com";

packages/lib/getSafeRedirectUrl.ts

@@ -1,14 +1,13 @@
-import { WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants";
+import { CONSOLE_URL, WEBAPP_URL, WEBSITE_URL } from "@calcom/lib/constants";
 
 // It ensures that redirection URL safe where it is accepted through a query params or other means where user can change it.
-export const getSafeRedirectUrl = (url: string | undefined) => {
+export const getSafeRedirectUrl = (url: string = "") => {
-  url = url || "";
   if (url.search(/^https?:\/\//) === -1) {
     throw new Error("Pass an absolute URL");
   }
 
   // Avoid open redirection security vulnerability
-  if (!url.startsWith(WEBAPP_URL) && !url.startsWith(WEBSITE_URL)) {
+  if (![CONSOLE_URL, WEBAPP_URL, WEBSITE_URL].some((u) => url.startsWith(u))) {
     url = `${WEBAPP_URL}/`;
   }