Overview

Read redirect_to and the optional variant_id on the auth callback. When a variant_id (product ID) is present, create a Polar checkout session server-side and hand off to it; otherwise redirect to a safe internal path, falling back to the dashboard overview.

import { redirect } from 'next/navigation'
import { DashboardRoute } from '@/constants/routes'
import { startCheckoutAction } from '@/actions/startCheckoutAction'

export async function handlePostAuth(params: {
  redirect_to?: string | null
  variant_id?: string | null
}) {
  const { redirect_to, variant_id } = params

  // A variant_id means the user started a Subscribe flow before logging in:
  // create the checkout session server-side and send them straight to Polar.
  if (variant_id) {
    const res = await startCheckoutAction({ variantId: variant_id })
    if (res?.success && res.data?.url) return redirect(res.data.url)
    // Checkout failed: fall through to the normal post-auth redirect.
  }

  // Only accept a same-origin path. A single leading '/' is required, and
  // '//host' or '/\host' must be rejected because browsers treat them as
  // protocol-relative URLs, which would reopen the open-redirect hole.
  const isSafePath =
    typeof redirect_to === 'string' &&
    redirect_to.startsWith('/') &&
    !redirect_to.startsWith('//') &&
    !redirect_to.startsWith('/\\')

  const safe = isSafePath ? redirect_to : DashboardRoute.OverviewPage
  return redirect(safe)
}

Key conventions

  • Only redirect to redirect_to if it is a same-origin path: it must start with a single / (reject // and /\ prefixes, which browsers treat as protocol-relative URLs). This prevents open redirect attacks to external URLs.
  • A variant_id means the user clicked Subscribe before logging in. Create the Polar checkout session server-side and redirect; do not send the raw product ID to the client.
  • Fall back to DashboardRoute.OverviewPage when there is no valid redirect target — never leave a blank redirect.
  • startCheckoutAction is a server action that returns ActionResponse with data.url pointing to the Polar-hosted checkout page.
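The redirect guard described above, as an added example (not the project's own code): a standalone validator that handles the protocol-relative and control-character edge cases, plus the post-auth decision order. APP_ORIGIN and DEFAULT_PATH are constructed placeholders standing in for the real origin and DashboardRoute.OverviewPage.

```typescript
// Constructed placeholders for this example.
const APP_ORIGIN = 'https://app.example.test'
const DEFAULT_PATH = '/dashboard' // stands in for DashboardRoute.OverviewPage

// Returns a safe same-origin path for redirect_to, or DEFAULT_PATH.
function resolveRedirectTarget(redirectTo: string | null | undefined): string {
  if (!redirectTo) return DEFAULT_PATH
  // startsWith('/') alone is not enough: '//host' and '/\host' are
  // protocol-relative in browsers and would leave the site.
  if (
    !redirectTo.startsWith('/') ||
    redirectTo.startsWith('//') ||
    redirectTo.startsWith('/\\')
  ) {
    return DEFAULT_PATH
  }
  // Control characters and whitespace are stripped by some URL parsers
  // (e.g. '/\t/evil'), so reject them outright rather than normalising.
  if (/[\u0000-\u001F\u007F\s]/.test(redirectTo)) return DEFAULT_PATH
  // Final check: resolve against our origin and confirm it stays there.
  let parsed: URL
  try {
    parsed = new URL(redirectTo, APP_ORIGIN)
  } catch {
    return DEFAULT_PATH
  }
  if (parsed.origin !== APP_ORIGIN) return DEFAULT_PATH
  // Return the normalised path (dot segments collapsed), keeping query and fragment.
  return parsed.pathname + parsed.search + parsed.hash
}

// Mirrors the page's decision order: a successful checkout wins, otherwise
// the validated redirect_to, otherwise the dashboard. The checkout result
// shape follows the ActionResponse described above (assumed, simplified).
function decidePostAuthDestination(
  params: { redirect_to?: string | null; variant_id?: string | null },
  checkout: { success: boolean; data?: { url?: string } } | null,
): string {
  if (params.variant_id && checkout?.success && checkout.data?.url) {
    return checkout.data.url
  }
  return resolveRedirectTarget(params.redirect_to)
}
```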