
[DEV-3703] Improve login redirect safety #2087

Merged
marcobottaro merged 17 commits into main from DEV-3703-improve-login-redirect-safety
Mar 5, 2026

Conversation

Collaborator

@Sebastiano-Bertolin Sebastiano-Bertolin commented Mar 3, 2026

This pull request improves the login redirect logic to enhance security and prevent unsafe URL redirection. The main change is the introduction of a strict validation function for redirect URLs, ensuring users can only be redirected to safe, locale-specific paths within the application.

List of Changes

Login redirect security improvements:

  • Added a new canRedirectToUrl helper in navigation.helpers.ts that validates redirect paths to prevent open redirects and restricts redirects to root or supported locale paths only.
  • Updated the login page logic in page.tsx to use canRedirectToUrl before performing a redirect after authentication, falling back to / if the redirect is invalid.
  • Imported the new canRedirectToUrl helper in the login page component.

Helper improvements:

  • Added import for SUPPORTED_LOCALES to support locale-based redirect validation in auth.helpers.ts.

Motivation and Context

How Has This Been Tested?

Screenshots (if appropriate):

Types of changes

  • Chore (nothing changes from a user's perspective)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
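As an added illustration of the allowlist approach this PR describes (root or supported-locale paths only, falling back to `/`), the following is example code written for this page, not the project's own helper; the `SUPPORTED_LOCALES` values and the fixed origin used for parsing are constructed for the demo.

```typescript
// Constructed for the demo; the project keeps its own SUPPORTED_LOCALES list.
const SUPPORTED_LOCALES = ['it', 'en'] as const;

// True only for an app-relative path that is the root or starts with a supported
// locale segment. Anything that could leave the origin (absolute URLs,
// protocol-relative "//host", backslash variants, control characters,
// encoded separators leading to ".." traversal) is rejected.
export function canRedirectToUrl(target: string | null | undefined): target is string {
  if (typeof target !== 'string' || target.length === 0) return false;
  // Whitespace, control characters and backslashes are never part of a valid app path
  // (browsers normalise "\" to "/", which would turn "/\host" into "//host").
  if (/[\s\\\u0000-\u001f]/.test(target)) return false;
  // Must be rooted with exactly one slash: "/x", not "//host", not "http://...", not "x".
  if (!target.startsWith('/') || target.startsWith('//')) return false;
  // Resolve against a fixed placeholder origin; if the parser lands elsewhere the input was hostile.
  let parsed: URL;
  try {
    parsed = new URL(target, 'https://app.invalid');
  } catch {
    return false;
  }
  if (parsed.origin !== 'https://app.invalid') return false;
  // Decode once so a "%2F"-encoded slash cannot hide a ".." segment from the prefix check.
  let path: string;
  try {
    path = decodeURIComponent(parsed.pathname);
  } catch {
    return false;
  }
  const segments = path.split('/');
  if (segments.some((seg) => seg === '..')) return false;
  if (path === '/') return true;
  return (SUPPORTED_LOCALES as readonly string[]).includes(segments[1]);
}

// Mirrors the login-page behaviour described in the PR: use the decoded "redirect"
// query parameter when it passes validation, otherwise fall back to "/".
export function resolveLoginRedirect(rawParam: string | null): string {
  let decoded: string | null = null;
  if (rawParam !== null) {
    try {
      decoded = decodeURIComponent(rawParam);
    } catch {
      decoded = null;
    }
  }
  return canRedirectToUrl(decoded) ? decoded : '/';
}
```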


changeset-bot bot commented Mar 3, 2026

🦋 Changeset detected

Latest commit: 65bf436

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package:

  • nextjs-website (Patch)



Copilot AI left a comment


Pull request overview

This PR aims to harden the post-login redirect flow in the Next.js website by validating redirect targets and preventing unsafe redirections outside the app / outside expected locale scopes.

Changes:

  • Added canRedirectToUrl helper to validate redirect paths against an allowlist.
  • Updated the login page to validate the decoded redirect query param before calling router.replace, with a locale fallback.
  • Added a changeset entry for the patch release.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

  • apps/nextjs-website/src/helpers/navigation.helpers.ts: introduces canRedirectToUrl to validate redirect targets.
  • apps/nextjs-website/src/app/[locale]/auth/login/page.tsx: uses canRedirectToUrl to gate post-auth redirects and adds a locale fallback.
  • .changeset/petite-animals-bake.md: records the change as a patch release for nextjs-website.


@marcobottaro marcobottaro self-requested a review March 5, 2026 08:52

Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.


github-actions bot commented Mar 5, 2026

Jira Pull Request Link

This Pull Request refers to the following Jira issue: DEV-3703

@marcobottaro marcobottaro merged commit c1e7565 into main Mar 5, 2026
14 checks passed
@marcobottaro marcobottaro deleted the DEV-3703-improve-login-redirect-safety branch March 5, 2026 15:51
