Code Room
Code review | Hard | cr-g442
Subject: Open redirect | Level: Senior–Staff | ~22 min | Common in: Code quality & review interviews | Industries: Software development

Question

Review this Node post-login redirect that already rejects `//` and absolute URLs.

What a strong answer looks like

Separate real bugs from style. Rank issues by severity, point at the root cause rather than the symptom, and suggest a concrete fix — specific and kind.

Talk through your review
Code to review

```js
app.get('/login/callback', async (req, res) => {
  const user = await exchangeCode(req.query.code);
  if (!user) return res.redirect('/login?error=1');
  req.session.userId = user.id;

  const next = req.query.next || '/';
  if (!next.startsWith('/') || next.startsWith('//')) {
    return res.redirect('/');
  }
  res.redirect(next);
});
```
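One way to harden the `next` check, as an added example that is not part of the original exercise: it type-checks the query value, refuses characters that browsers normalise into `//`, and confirms the resolved URL stays on the application's own origin. The helper name `safeNextPath`, the placeholder origin in `BASE` and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example: hypothetical helper, not code from the exercise.
// BASE is a placeholder origin (assumption), used only to resolve relative paths.
const BASE = 'https://app.invalid';

function safeNextPath(candidate, fallback = '/') {
  // Express parses ?next=a&next=b as an array and ?next[k]=v as an object;
  // calling startsWith on those throws inside the async handler.
  if (typeof candidate !== 'string') return fallback;

  // Browsers treat "\" like "/" and drop tab/CR/LF while parsing a URL, so a
  // path containing them can still resolve to a protocol-relative "//host".
  if (/[\\\u0000-\u001f\u007f]/.test(candidate)) return fallback;

  // Same rule as the original snippet: one leading slash, never two.
  if (!candidate.startsWith('/') || candidate.startsWith('//')) return fallback;

  // Defence in depth: resolve the way a URL parser would and compare origins.
  let url;
  try {
    url = new URL(candidate, BASE);
  } catch {
    return fallback;
  }
  if (url.origin !== BASE) return fallback;

  // Return the normalised local path instead of echoing the raw input.
  return url.pathname + url.search + url.hash;
}

// Constructed sample inputs covering the cases a reviewer should test.
const SAMPLES = [
  '/dashboard?tab=1',        // ordinary local path
  '//example.test',          // protocol-relative
  'https://example.test/',   // absolute URL
  '/\\example.test',         // backslash after the leading slash
  '/\t/example.test',        // tab between the slashes
  ['/a', '/b'],              // repeated query parameter
];

function checkSamples() {
  return SAMPLES.map((s) => [JSON.stringify(s), safeNextPath(s)]);
}

for (const [input, result] of checkSamples()) {
  console.log(`${input} -> ${result}`);
}
```

In the route, the last lines would become `res.redirect(safeNextPath(req.query.next))`.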