From 0022b57c887886d8dc94af9981ac2ea84ae9b6e1 Mon Sep 17 00:00:00 2001
From: Matthias
Date: Wed, 1 Apr 2026 12:03:16 +0200
Subject: [PATCH] Fix auth redirect origin and guard dashboard against missing session
---
 app/dashboard/page.tsx | 6 ++++++
 convex/auth.ts | 10 ++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/app/dashboard/page.tsx b/app/dashboard/page.tsx
index 913ba62..9803046 100644
--- a/app/dashboard/page.tsx
+++ b/app/dashboard/page.tsx
@@ -67,6 +67,12 @@ export default function DashboardPage() {
 setHasClientMounted(true);
 }, []);
+ useEffect(() => {
+ if (!isSessionPending && !session?.user) {
+ router.replace("/auth/sign-in");
+ }
+ }, [isSessionPending, router, session?.user]);
+
 const displayName = session?.user.name?.trim() || session?.user.email || "Nutzer";
 const initials = getInitials(displayName);
diff --git a/convex/auth.ts b/convex/auth.ts
index 42bc6d2..8e49e68 100644
--- a/convex/auth.ts
+++ b/convex/auth.ts
@@ -29,6 +29,12 @@ export const authComponent = createClient(components.betterAuth);
 export const createAuth = (ctx: GenericCtx) => {
 const authAppUrl = appUrl ?? siteUrl;
 const signInRedirectUrl = `${authAppUrl}/dashboard`;
+ const authAppOrigin = new URL(authAppUrl).origin;
+
+ const toAuthAppUrl = (url: string) => {
+ const incoming = new URL(url);
+ return new URL(`${incoming.pathname}${incoming.search}`, authAppOrigin);
+ };
 return betterAuth({
 baseURL: siteUrl,
@@ -42,7 +48,7 @@ export const createAuth = (ctx: GenericCtx) => {
 emailVerification: {
 sendOnSignUp: true,
 sendVerificationEmail: async ({ user, url }) => {
- const verificationUrl = new URL(url);
+ const verificationUrl = toAuthAppUrl(url);
 if (appUrl) {
 verificationUrl.searchParams.set("callbackURL", `${appUrl}/dashboard`);
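Review bot: In the `app/dashboard/page.tsx` hunk, the new `useEffect` redirect runs only after the component has rendered, so a visitor without a session still gets the dashboard markup (with `displayName` falling back to "Nutzer") before `router.replace` takes effect. This is a UX guard, not an access control: the data behind the dashboard has to be protected by identity checks in the server-side functions that serve it, which are outside this hunk and worth confirming. To avoid rendering the page for a missing session, return early once all hooks have been called, e.g. `if (isSessionPending || !session?.user) return null;`. `DashboardPage` continues past the hunk, so the correct position for that line is not visible here.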
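Review bot: In the first `convex/auth.ts` hunk, `toAuthAppUrl` resolves `incoming.pathname` as a relative reference against `authAppOrigin`, and a pathname that begins with `//` is parsed as a scheme-relative URL, so the result takes its host from the path instead of from `authAppOrigin`. How `url` is assembled is not visible here, but a base URL configured with a trailing slash would presumably be enough to produce such a path, and the e-mailed link that carries the token would then point at the wrong host. Both `sendVerificationEmail` and the magic-link sender (the next two hunks) rely on this helper to pin the origin, so it is safer to build the URL from the origin and assign `pathname` and `search` onto it, as below. `createAuth` continues outside the hunk.

```typescript
const toAuthAppUrl = (url: string) => {
  const incoming = new URL(url);
  // Assign the parts instead of resolving a relative reference, so a
  // pathname starting with "//" cannot replace the host.
  const target = new URL(authAppOrigin);
  target.pathname = incoming.pathname;
  target.search = incoming.search;
  return target;
};
```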
@@ -92,7 +98,7 @@ export const createAuth = (ctx: GenericCtx) => {
 return;
 }
- const magicLinkUrl = new URL(url);
+ const magicLinkUrl = toAuthAppUrl(url);
 magicLinkUrl.searchParams.set("callbackURL", signInRedirectUrl);
 magicLinkUrl.searchParams.set("errorCallbackURL", `${authAppUrl}/auth/sign-in`);
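Review bot: The magic link's host now comes from `authAppOrigin`, but `callbackURL` and `errorCallbackURL` in this hunk are still built by string concatenation on the raw `authAppUrl`, so a trailing slash or path in that setting makes the callbacks diverge from the origin the link itself uses. Deriving them from the same value keeps the two in step, e.g. `magicLinkUrl.searchParams.set("errorCallbackURL", new URL("/auth/sign-in", authAppOrigin).toString());`, and likewise for `signInRedirectUrl`, which is defined in the first `convex/auth.ts` hunk. Whether these callback targets are also validated against a list of trusted origins is not visible here and is worth confirming. The enclosing callback starts above this hunk.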