From 04fd0ea233abdd47d8173d23e6b917c4d66232a5 Mon Sep 17 00:00:00 2001
From: barsa <tumurbarsnarantuya@gmail.com>
Date: Tue, 20 Jan 2026 11:28:03 +0900
Subject: [PATCH] feat: Implement safe redirect handling in CompleteAccountStep
 and SuccessStep components

---
 .../GetStartedForm/steps/CompleteAccountStep.tsx          | 8 ++++++--
 .../components/GetStartedForm/steps/SuccessStep.tsx       | 8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/apps/portal/src/features/get-started/components/GetStartedForm/steps/CompleteAccountStep.tsx b/apps/portal/src/features/get-started/components/GetStartedForm/steps/CompleteAccountStep.tsx
index 8316d79f..6d95f136 100644
--- a/apps/portal/src/features/get-started/components/GetStartedForm/steps/CompleteAccountStep.tsx
+++ b/apps/portal/src/features/get-started/components/GetStartedForm/steps/CompleteAccountStep.tsx
@@ -16,6 +16,7 @@ import {
   type JapanAddressFormData,
 } from "@/features/address/components/JapanAddressForm";
 import { prepareWhmcsAddressFields } from "@customer-portal/domain/address";
+import { getSafeRedirect } from "@/features/auth/utils/route-protection";
 import { useGetStartedStore } from "../../../stores/get-started.store";
 import { useRouter } from "next/navigation";
 
@@ -47,8 +48,11 @@ export function CompleteAccountStep() {
     serviceContext,
   } = useGetStartedStore();
 
-  // Compute effective redirect URL from store state
-  const effectiveRedirectTo = redirectTo || serviceContext?.redirectTo || "/account/dashboard";
+  // Compute effective redirect URL from store state (with validation)
+  const effectiveRedirectTo = getSafeRedirect(
+    redirectTo || serviceContext?.redirectTo,
+    "/account/dashboard"
+  );
 
   // Check if this is a new customer (needs full form) or SF-only (has prefill)
   const isNewCustomer = accountStatus === "new_customer";
diff --git a/apps/portal/src/features/get-started/components/GetStartedForm/steps/SuccessStep.tsx b/apps/portal/src/features/get-started/components/GetStartedForm/steps/SuccessStep.tsx
index fd5b18f1..e769c8ff 100644
--- a/apps/portal/src/features/get-started/components/GetStartedForm/steps/SuccessStep.tsx
+++ b/apps/portal/src/features/get-started/components/GetStartedForm/steps/SuccessStep.tsx
@@ -6,13 +6,17 @@
 
 import { Button } from "@/components/atoms";
 import { CheckCircleIcon, ArrowRightIcon } from "@heroicons/react/24/outline";
+import { getSafeRedirect } from "@/features/auth/utils/route-protection";
 import { useGetStartedStore } from "../../../stores/get-started.store";
 
 export function SuccessStep() {
   const { redirectTo, serviceContext } = useGetStartedStore();
 
-  // Compute effective redirect URL from store state
-  const effectiveRedirectTo = redirectTo || serviceContext?.redirectTo || "/account/dashboard";
+  // Compute effective redirect URL from store state (with validation)
+  const effectiveRedirectTo = getSafeRedirect(
+    redirectTo || serviceContext?.redirectTo,
+    "/account/dashboard"
+  );
 
   // Determine if redirecting to dashboard (default) or a specific service
   const isDefaultRedirect = effectiveRedirectTo === "/account/dashboard";