From f43edeb703a2facd7cd36741bf37bb75de75d90f Mon Sep 17 00:00:00 2001
From: Chris
Date: Fri, 3 Apr 2026 05:27:14 +0800
Subject: [PATCH] fix: guard invalid oidc authorize url
---
 src/pages/LoginPage.vue | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/pages/LoginPage.vue b/src/pages/LoginPage.vue
index 2971b1e..4c481c6 100644
--- a/src/pages/LoginPage.vue
+++ b/src/pages/LoginPage.vue
@@ -86,13 +86,21 @@ async function redirectToOidc(options = {}) {
 codeChallenge: pkce.codeChallenge,
 codeChallengeMethod: 'S256'
 })
- const authorizeUrl = res.data.authorize_url
- const parsed = new URL(authorizeUrl)
+ const authorizeUrl = res?.data?.authorize_url
+ if (!authorizeUrl) {
+ throw new Error('登入設定錯誤:未取得授權網址')
+ }
+ let parsed
+ try {
+ parsed = new URL(authorizeUrl, window.location.origin)
+ } catch (_err) {
+ throw new Error(`登入設定錯誤:授權網址無效 (${authorizeUrl})`)
+ }
 const state = parsed.searchParams.get('state')
 if (state) {
 sessionStorage.setItem('oidc_expected_state', state)
 }
- window.location.href = authorizeUrl
+ window.location.href = parsed.toString()
 }
 
 async function generatePkcePair() {
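Review bot: The new `try`/`catch` around `new URL(authorizeUrl, window.location.origin)` will rarely fire, because with a base almost any string parses (a bare word resolves to a path on the app's own origin), and an absolute value with a non-web scheme such as `javascript:` also parses without error and is then assigned to `window.location.href`. Since `authorize_url` comes from the API response, check the parsed result before navigating, for example `if (parsed.protocol !== 'https:') throw new Error('unexpected authorize URL scheme')`, and, if the identity provider's origin is known to the client, compare `parsed.origin` against it as well. The second error message interpolates the full `authorizeUrl`, which may carry `state` and the code challenge into whatever displays or logs the error; consider omitting the value. `redirectToOidc` begins above this hunk, so how `res` is obtained is not visible here.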