Comprehensive admin + user dashboards (production-ready)

components/auth/sign-in-form.tsx

@@ -10,12 +10,14 @@ import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
 import { Card, CardContent, CardHeader, CardTitle, CardDescription } from "@/components/ui/card";
 import { signIn } from "@/lib/auth/auth-client";
+import { safeRedirect } from "@/lib/utils";
 import { GoogleButton } from "./google-button";
 
 export function SignInForm({ googleEnabled }: { googleEnabled: boolean }) {
   const router = useRouter();
   const params = useSearchParams();
-  const redirectTo = params.get("redirect") || "/dashboard";
+  // Validate the ?redirect param to prevent open-redirect attacks.
+  const redirectTo = safeRedirect(params.get("redirect"));
   const [loading, setLoading] = useState(false);
 
   async function onSubmit(e: React.FormEvent<HTMLFormElement>) {

components/auth/sign-up-form.tsx

@@ -26,6 +26,9 @@ export function SignUpForm({ googleEnabled }: { googleEnabled: boolean }) {
       password: String(form.get("password")),
     });
     if (error) {
+      // Accepted tradeoff (L8): the raw Better Auth message can reveal that an
+      // email is already registered (account enumeration). We keep the specific
+      // message for UX clarity; the signup endpoint is rate-limited server-side.
       toast.error(error.message ?? "Could not create account");
       setLoading(false);
       return;