fix(auth): reorder CORS headers and handle missing redirectURI

waleedlatif1 · waleedlatif1 · commit e268bfbda44f · 2026-02-20T13:07:56.000-08:00
diff --git a/apps/sim/app/(auth)/oauth/consent/page.tsx b/apps/sim/app/(auth)/oauth/consent/page.tsx
@@ -87,6 +87,9 @@ export default function OAuthConsentPage() {
         const data = (await res.json()) as { redirectURI?: string }
         if (data.redirectURI) {
           window.location.href = data.redirectURI
+        } else {
+          setError('The server did not return a redirect. Please try again.')
+          setSubmitting(false)
         }
       } catch {
         setError('Something went wrong. Please try again.')
diff --git a/apps/sim/next.config.ts b/apps/sim/next.config.ts
@@ -129,6 +129,26 @@ const nextConfig: NextConfig = {
           { key: 'Access-Control-Allow-Headers', value: 'Content-Type, Accept' },
         ],
       },
+      {
+        // API routes CORS headers
+        source: '/api/:path*',
+        headers: [
+          { key: 'Access-Control-Allow-Credentials', value: 'true' },
+          {
+            key: 'Access-Control-Allow-Origin',
+            value: env.NEXT_PUBLIC_APP_URL || 'http://localhost:3001',
+          },
+          {
+            key: 'Access-Control-Allow-Methods',
+            value: 'GET,POST,OPTIONS,PUT,DELETE',
+          },
+          {
+            key: 'Access-Control-Allow-Headers',
+            value:
+              'X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version, X-API-Key, Authorization',
+          },
+        ],
+      },
       {
         source: '/api/auth/oauth2/:path*',
         headers: [
@@ -156,26 +176,6 @@ const nextConfig: NextConfig = {
           { key: 'Access-Control-Allow-Headers', value: 'Content-Type, Accept' },
         ],
       },
-      {
-        // API routes CORS headers
-        source: '/api/:path*',
-        headers: [
-          { key: 'Access-Control-Allow-Credentials', value: 'true' },
-          {
-            key: 'Access-Control-Allow-Origin',
-            value: env.NEXT_PUBLIC_APP_URL || 'http://localhost:3001',
-          },
-          {
-            key: 'Access-Control-Allow-Methods',
-            value: 'GET,POST,OPTIONS,PUT,DELETE',
-          },
-          {
-            key: 'Access-Control-Allow-Headers',
-            value:
-              'X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version, X-API-Key, Authorization',
-          },
-        ],
-      },
       // For workflow execution API endpoints
       {
         source: '/api/workflows/:id/execute',
