Conversation

@waleedlatif1
Collaborator

Summary

  • added same-origin validation to forget password route, added confirmation for disable auth FF

Type of Change

  • Other: Security

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel bot commented Dec 18, 2025

The latest updates on your projects.

1 Skipped Deployment
Project | Deployment | Review | Updated (UTC)
docs | Skipped | Skipped | Dec 18, 2025 7:00pm

@greptile-apps
Contributor

greptile-apps bot commented Dec 18, 2025

Greptile Summary

This PR implements critical security improvements to prevent open redirect vulnerabilities in the password reset flow and adds safeguards for the DISABLE_AUTH feature flag.

Key Changes:

  • Added same-origin validation to redirectTo parameter in forget password route using new isSameOrigin helper
  • Implemented isSameOrigin function with secure defaults (returns false on any error)
  • Added protection to prevent DISABLE_AUTH from working on hosted environments (isHosted check)
  • Added clear warning logs when DISABLE_AUTH is enabled, with error logs when blocked on hosted environments
  • Comprehensive test coverage for same-origin validation including rejection of external URLs
  • Improved test mocking strategy to preserve actual module exports

Security Impact:
The same-origin validation prevents attackers from exploiting the password reset flow to redirect users to phishing sites. The DISABLE_AUTH safeguard prevents accidental exposure of hosted production environments.

Confidence Score: 4/5

  • This PR is safe to merge with strong security improvements
  • The PR addresses critical security concerns with proper validation and safeguards. The implementation follows secure defaults (failing closed on errors). Test coverage validates the security controls. The only minor consideration is adding unit tests for the new isSameOrigin function to ensure all edge cases are covered.
  • No files require special attention - implementation is solid with good test coverage

Important Files Changed

Filename | Overview
apps/sim/app/api/auth/forget-password/route.ts | Added same-origin validation to prevent open redirect vulnerabilities in password reset flow
apps/sim/lib/core/utils/validation.ts | New isSameOrigin helper function to validate URLs against app origin with secure defaults
apps/sim/lib/core/config/feature-flags.ts | Added safety check to prevent disabling auth on hosted environments with clear warnings

Sequence Diagram

sequenceDiagram
    participant Client
    participant ForgetPasswordAPI
    participant ValidationSchema
    participant isSameOrigin
    participant getBaseUrl
    participant AuthService

    Client->>ForgetPasswordAPI: POST /api/auth/forget-password
    Note over Client,ForgetPasswordAPI: { email, redirectTo }
    
    ForgetPasswordAPI->>ValidationSchema: Validate request body
    
    alt redirectTo is empty string or undefined
        ValidationSchema->>ValidationSchema: Transform to undefined
    else redirectTo has value
        ValidationSchema->>ValidationSchema: Check if valid URL
        ValidationSchema->>isSameOrigin: Validate same-origin
        isSameOrigin->>getBaseUrl: Get app base URL
        getBaseUrl-->>isSameOrigin: NEXT_PUBLIC_APP_URL
        isSameOrigin->>isSameOrigin: Compare origins
        
        alt Different origin
            isSameOrigin-->>ValidationSchema: false
            ValidationSchema-->>ForgetPasswordAPI: Validation error
            ForgetPasswordAPI-->>Client: 400 - Invalid same-origin URL
        else Same origin
            isSameOrigin-->>ValidationSchema: true
        end
    end
    
    ValidationSchema-->>ForgetPasswordAPI: Validation passed
    ForgetPasswordAPI->>AuthService: Call forgetPassword API
    AuthService-->>ForgetPasswordAPI: Success
    ForgetPasswordAPI-->>Client: 200 - Success
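As an added illustration of the fail-closed same-origin check the review above describes: the block below is example code written for this page, not the sim project's isSameOrigin or forget-password route code. The hostnames, the normalizeRedirectTo helper and the sample inputs are assumptions; the point it demonstrates is that comparing URL.origin after a strict absolute-URL parse rejects the usual open-redirect bypasses (host suffixes, userinfo tricks, port and scheme changes, protocol-relative and javascript: URLs) while still accepting the app's own origin in any letter case or with its default port spelled out.

```typescript
// Added example: a fail-closed same-origin check for a user-supplied redirect
// URL, in the spirit of the isSameOrigin helper described in this PR. This is
// illustrative code, not the sim project's implementation; the function names,
// the base URL and the sample inputs below are assumptions.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

/**
 * Returns true only when `candidate` is an absolute http(s) URL whose origin
 * (scheme + host + port) exactly equals the origin of `baseUrl`.
 * Any parse failure, missing base URL or unexpected value yields false.
 */
function isSameOrigin(candidate: unknown, baseUrl: string | undefined): boolean {
  try {
    if (typeof candidate !== 'string' || !baseUrl) return false;
    const base = new URL(baseUrl);
    // Parse without a base so relative and protocol-relative inputs
    // ("/reset", "//evil.example") throw instead of silently resolving.
    const target = new URL(candidate);
    if (!ALLOWED_PROTOCOLS.has(target.protocol)) return false;
    if (!ALLOWED_PROTOCOLS.has(base.protocol)) return false;
    // URL.origin normalises case and default ports, so comparing origins
    // catches host suffixes, userinfo tricks, port changes and scheme downgrades.
    return target.origin === base.origin;
  } catch {
    return false; // fail closed on any error
  }
}

type RedirectToResult =
  | { ok: true; value: string | undefined }
  | { ok: false; error: string };

/** Normalises the optional redirectTo field: empty -> undefined, else must be same-origin. */
function normalizeRedirectTo(raw: unknown, baseUrl: string | undefined): RedirectToResult {
  if (raw === undefined || raw === null || raw === '') return { ok: true, value: undefined };
  if (typeof raw !== 'string') return { ok: false, error: 'redirectTo must be a string' };
  if (!isSameOrigin(raw, baseUrl)) return { ok: false, error: 'Invalid same-origin URL' };
  return { ok: true, value: raw };
}

// Constructed inputs for a walk-through; none of these hosts is real.
const APP_URL = 'https://app.example.com';
const SAMPLE_INPUTS: Array<[string, boolean]> = [
  ['https://app.example.com/reset-password?token=abc', true],
  ['HTTPS://APP.EXAMPLE.COM:443/reset', true],           // case and default port normalise
  ['https://app.example.com.evil.example/reset', false], // host suffix attack
  ['https://app.example.com@evil.example/reset', false], // userinfo trick, real host is evil.example
  ['https://app.example.com:8443/reset', false],         // different port is a different origin
  ['http://app.example.com/reset', false],               // scheme downgrade
  ['//evil.example/reset', false],                       // protocol-relative: no base, so parse throws
  ['/reset-password', false],                            // relative path is rejected too
  ['javascript:alert(1)', false],                        // not http(s); origin would be "null"
  ['not a url', false],
];

/** True when every sample input is classified as the table expects. */
function runSamples(): boolean {
  return SAMPLE_INPUTS.every(([url, expected]) => isSameOrigin(url, APP_URL) === expected);
}
```

Note that relative paths are rejected on purpose: if a route wants to allow them, resolve them against the app origin first and then pass the absolute result through the same check, rather than loosening the comparison.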

Contributor

@greptile-apps greptile-apps bot left a comment

4 files reviewed, 2 comments

@waleedlatif1
Collaborator Author

@greptile

Contributor

@greptile-apps greptile-apps bot left a comment

5 files reviewed, 1 comment

@waleedlatif1 waleedlatif1 merged commit f3ad775 into staging Dec 18, 2025
11 checks passed
@waleedlatif1 waleedlatif1 deleted the fix/auth branch December 18, 2025 19:07