From 2d5d9ce7890e32ca7ed5ccad720a15e1d1b02c34 Mon Sep 17 00:00:00 2001
From: Yash Kewlani
Date: Sun, 28 Jun 2026 17:49:25 +0530
Subject: [PATCH 1/2] fix(auth): intercept wrong-domain requests at proxy level, redirect to canonical URL
---
 src/proxy.ts | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/proxy.ts b/src/proxy.ts
index 363eecd..b4d3039 100644
--- a/src/proxy.ts
+++ b/src/proxy.ts
@@ -1,7 +1,23 @@
 import { createServerClient } from "@supabase/ssr";
 import { NextResponse, type NextRequest } from "next/server";

+const CANONICAL = "https://studymapp.vercel.app";
+// Vercel auto-assigns this URL based on the team name — it can't be deleted,
+// so we intercept every request on it and redirect to the canonical domain.
+const WRONG_DOMAIN = "studymapp-student-suite.vercel.app";
+
 export async function proxy(request: NextRequest) {
+ // Domain enforcement — must happen before anything else so that OAuth
+ // callbacks landing on the wrong Vercel domain get bounced to the right one
+ // before the auth code exchange runs.
+ const host =
+ request.headers.get("x-forwarded-host") ?? request.nextUrl.hostname;
+
+ if (host === WRONG_DOMAIN) {
+ const canonical = `${CANONICAL}${request.nextUrl.pathname}${request.nextUrl.search}`;
+ return NextResponse.redirect(canonical, { status: 301 });
+ }
+
 let proxyResponse = NextResponse.next({ request });

 const supabase = createServerClient(
@@ -26,7 +42,6 @@ export async function proxy(request: NextRequest) {
 );

 // Refresh the session so it doesn't expire mid-visit.
- // No auth enforcement — the site is fully public.
 await supabase.auth.getUser();

 return proxyResponse;
From 4ec24afce69a99cfa7c9c66c5354a58a6a4c6577 Mon Sep 17 00:00:00 2001
From: Yash Kewlani
Date: Sun, 28 Jun 2026 18:01:38 +0530
Subject: [PATCH 2/2] chore(release): v1.2.1
---
 CHANGELOG.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b4f71c7..803e19d 100644
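Review bot: In the first hunk of `src/proxy.ts`, `host === WRONG_DOMAIN` compares the raw `x-forwarded-host` value, so if that value ever carries a port, different letter case or a comma-separated proxy list it will not match and the request falls through to the Supabase client setup on the non-canonical host. Normalising before the comparison closes that gap: `const host = (request.headers.get("x-forwarded-host") ?? request.nextUrl.hostname).split(",")[0].trim().toLowerCase().replace(/:\d+$/, "");`. The header is only as trustworthy as whatever sits in front of the app; the redirect target is a constant, so it cannot be steered elsewhere, but a comment such as `// x-forwarded-host is expected to be set by the hosting platform, not the client` would record that assumption. If the proxy runs for non-GET requests as well (its matcher is not visible here), `status: 308` would keep the method and body across the redirect, where 301 is commonly rewritten to GET. The body of `proxy` continues past the end of this hunk.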
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,18 @@ All notable changes to StudyMap are documented here. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.2.1] - 2026-06-28 + +### Added + +- Optional sign-in via Google OAuth and Supabase email/password auth. The site remains fully public - a Sign in button appears in the top-right navbar for users who want to authenticate. After sign-in, users are returned to the page they came from. + +### Fixed + +- Auth callbacks always redirect to `studymapp.vercel.app` regardless of which Vercel deployment URL receives the OAuth callback, preventing users from landing on the auto-assigned `studymapp-student-suite.vercel.app` domain. +- Contact email updated to `studentsuite0@gmail.com` in `CONTRIBUTING.md`, `SECURITY.md`, and issue templates. +- Canonical live URL corrected to `https://studymapp.vercel.app` in `README.md`. + ## [1.2.0] - 2026-06-27 ### Added