Comprehensive admin + user dashboards (production-ready)

lib/utils.ts

@@ -22,3 +22,23 @@ export function periodKey(date: Date): string {
   const m = String(date.getUTCMonth() + 1).padStart(2, "0");
   return `${y}-${m}`;
 }
+
+/**
+ * Returns `path` only if it is a safe same-origin relative path; otherwise
+ * falls back to "/dashboard". Guards against open-redirect attacks by rejecting
+ * protocol-relative ("//", "/\"), absolute ("https://…"), and backslash URLs.
+ */
+export function safeRedirect(path: string | null | undefined): string {
+  if (!path) return "/dashboard";
+  // Must be a single-slash-rooted relative path with no scheme or backslash escapes.
+  if (
+    !path.startsWith("/") ||
+    path.startsWith("//") ||
+    path.startsWith("/\\") ||
+    path.startsWith("\\") ||
+    path.includes("://")
+  ) {
+    return "/dashboard";
+  }
+  return path;
+}