fix: harden auth origin and verification flows

Author: DeliciousBuding

apps/web/package.json

@@ -26,7 +26,7 @@
     "next": "16.2.6",
     "otpauth": "^9.5.0",
     "qrcode": "^1.5.4",
-    "react": "^19.2.4",
+    "react": "19.2.4",
     "react-dom": "19.2.4",
     "recharts": "^3.8.1",
     "undici": "^7.25.0"

apps/web/src/app/api/auth/email-verification/route.test.ts

@@ -0,0 +1,60 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+const createEmailVerificationRequest = vi.fn();
+const getCurrentUserProfile = vi.fn();
+const cookiesGet = vi.fn();
+
+vi.mock("next/headers", () => ({
+  cookies: vi.fn(async () => ({
+    get: cookiesGet,
+  })),
+}));
+
+vi.mock("@/lib/auth", () => ({
+  createEmailVerificationRequest,
+  getCurrentUserProfile,
+  SESSION_COOKIE_NAME: "diffaudit_session",
+}));
+
+describe("email verification route", () => {
+  beforeEach(() => {
+    vi.resetModules();
+    createEmailVerificationRequest.mockReset();
+    getCurrentUserProfile.mockReset();
+    cookiesGet.mockReset();
+  });
+
+  it("keeps unauthenticated requests rejected", async () => {
+    cookiesGet.mockReturnValue(undefined);
+    const route = await import("./route");
+
+    const response = await route.POST();
+    const payload = await response.json();
+
+    expect(response.status).toBe(401);
+    expect(payload).toEqual({ message: "Unauthorized." });
+    expect(createEmailVerificationRequest).not.toHaveBeenCalled();
+  });
+
+  it("does not create or return browser-visible verification tokens", async () => {
+    cookiesGet.mockReturnValue({ value: "session-token" });
+    getCurrentUserProfile.mockReturnValue({
+      id: "user-1",
+      username: "reviewer",
+      pendingEmail: "reviewer@example.test",
+    });
+    const route = await import("./route");
+
+    const response = await route.POST();
+    const payload = await response.json();
+
+    expect(response.status).toBe(501);
+    expect(payload).toEqual({
+      message: "Email verification is not available.",
+      code: "email_verification_unavailable",
+    });
+    expect(getCurrentUserProfile).toHaveBeenCalledWith("session-token");
+    expect(createEmailVerificationRequest).not.toHaveBeenCalled();
+    expect(JSON.stringify(payload)).not.toContain("verificationUrl");
+  });
+});

apps/web/src/app/api/auth/email-verification/route.ts

@@ -2,7 +2,6 @@ import { cookies } from "next/headers";
 import { NextResponse } from "next/server";
 
 import {
-  createEmailVerificationRequest,
   getCurrentUserProfile,
   SESSION_COOKIE_NAME,
 } from "@/lib/auth";
@@ -16,16 +15,8 @@ export async function POST() {
     return NextResponse.json({ message: "Unauthorized." }, { status: 401 });
   }
 
-  const platformUrl = process.env.DIFFAUDIT_PLATFORM_URL ?? "http://localhost:3000";
-  const request = createEmailVerificationRequest(profile.id, platformUrl);
-
-  if (!request) {
-    return NextResponse.json({ message: "No pending email to verify." }, { status: 400 });
-  }
-
   return NextResponse.json({
-    ok: true,
-    email: request.email,
-    verificationUrl: request.verificationUrl,
-  });
+    message: "Email verification is not available.",
+    code: "email_verification_unavailable",
+  }, { status: 501 });
 }

apps/web/src/app/api/auth/github/callback/route.ts

@@ -70,6 +70,10 @@ export async function GET(request: Request) {
   const clientSecret = process.env.GITHUB_CLIENT_SECRET;
   const platformUrl = resolvePlatformUrl(request);
 
+  if (!platformUrl) {
+    return NextResponse.json({ message: "Platform public URL is not configured." }, { status: 500 });
+  }
+
   const cookieStore = await cookies();
   const storedState = readStoredState(cookieStore.get(STATE_COOKIE)?.value);
   cookieStore.delete(STATE_COOKIE);

apps/web/src/app/api/auth/github/route.ts

@@ -21,13 +21,17 @@ export async function GET(request: Request) {
     return NextResponse.json({ message: "GitHub OAuth is not configured." }, { status: 500 });
   }
 
+  if (!platformUrl) {
+    return NextResponse.json({ message: "Platform public URL is not configured." }, { status: 500 });
+  }
+
   const state = crypto.randomBytes(16).toString("hex");
   const cookieStore = await cookies();
   const currentUser = getCurrentUserProfile(cookieStore.get(SESSION_COOKIE_NAME)?.value);
   const mode = intent === "connect" && currentUser ? "connect" : "login";
 
   if (intent === "connect" && !currentUser) {
-    return NextResponse.redirect(new URL(`/login?redirectTo=${encodeURIComponent(redirectTo)}`, request.url));
+    return NextResponse.redirect(new URL(`/login?redirectTo=${encodeURIComponent(redirectTo)}`, platformUrl));
   }
 
   const payload = Buffer.from(JSON.stringify({

apps/web/src/app/api/auth/google/callback/route.ts

@@ -86,6 +86,10 @@ export async function GET(request: Request) {
   const clientSecret = process.env.GOOGLE_CLIENT_SECRET;
   const platformUrl = resolvePlatformUrl(request);
 
+  if (!platformUrl) {
+    return NextResponse.json({ message: "Platform public URL is not configured." }, { status: 500 });
+  }
+
   const cookieStore = await cookies();
   const storedState = readStoredState(cookieStore.get(STATE_COOKIE)?.value);
   cookieStore.delete(STATE_COOKIE);

apps/web/src/app/api/auth/google/route.ts

@@ -21,13 +21,17 @@ export async function GET(request: Request) {
     return NextResponse.json({ message: "Google OAuth is not configured." }, { status: 500 });
   }
 
+  if (!platformUrl) {
+    return NextResponse.json({ message: "Platform public URL is not configured." }, { status: 500 });
+  }
+
   const state = crypto.randomBytes(16).toString("hex");
   const cookieStore = await cookies();
   const currentUser = getCurrentUserProfile(cookieStore.get(SESSION_COOKIE_NAME)?.value);
   const mode = intent === "connect" && currentUser ? "connect" : "login";
 
   if (intent === "connect" && !currentUser) {
-    return NextResponse.redirect(new URL(`/login?redirectTo=${encodeURIComponent(redirectTo)}`, request.url));
+    return NextResponse.redirect(new URL(`/login?redirectTo=${encodeURIComponent(redirectTo)}`, platformUrl));
   }
 
   const storedState = Buffer.from(JSON.stringify({

apps/web/src/app/api/auth/oauth-public-origin.test.ts

@@ -0,0 +1,113 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+
+const cookiesMock = vi.fn();
+
+vi.mock("next/headers", () => ({
+  cookies: cookiesMock,
+}));
+
+const originalNodeEnv = process.env.NODE_ENV;
+
+function hostileRequest(path: string) {
+  return new Request(`https://internal.invalid${path}`, {
+    headers: {
+      host: "attacker.example.test",
+      "x-forwarded-host": "attacker.example.test",
+      "x-forwarded-proto": "https",
+    },
+  });
+}
+
+describe("OAuth public origin", () => {
+  beforeEach(() => {
+    vi.resetModules();
+    cookiesMock.mockReset();
+    cookiesMock.mockResolvedValue({
+      get: vi.fn(),
+      set: vi.fn(),
+      delete: vi.fn(),
+    });
+    process.env.NODE_ENV = "production";
+    process.env.GITHUB_CLIENT_ID = "github-client";
+    process.env.GITHUB_CLIENT_SECRET = "github-secret";
+    process.env.GOOGLE_CLIENT_ID = "google-client";
+    process.env.GOOGLE_CLIENT_SECRET = "google-secret";
+    delete process.env.DIFFAUDIT_PLATFORM_URL;
+  });
+
+  afterEach(() => {
+    process.env.NODE_ENV = originalNodeEnv;
+    delete process.env.GITHUB_CLIENT_ID;
+    delete process.env.GITHUB_CLIENT_SECRET;
+    delete process.env.GOOGLE_CLIENT_ID;
+    delete process.env.GOOGLE_CLIENT_SECRET;
+    delete process.env.DIFFAUDIT_PLATFORM_URL;
+  });
+
+  it("fails GitHub OAuth closed instead of deriving redirect_uri from Host headers", async () => {
+    const route = await import("./github/route");
+
+    const response = await route.GET(hostileRequest("/api/auth/github"));
+    const payload = await response.json();
+
+    expect(response.status).toBe(500);
+    expect(response.headers.get("location")).toBeNull();
+    expect(payload).toEqual({ message: "Platform public URL is not configured." });
+    expect(cookiesMock).not.toHaveBeenCalled();
+  });
+
+  it("fails Google OAuth closed instead of deriving redirect_uri from Host headers", async () => {
+    const route = await import("./google/route");
+
+    const response = await route.GET(hostileRequest("/api/auth/google"));
+    const payload = await response.json();
+
+    expect(response.status).toBe(500);
+    expect(response.headers.get("location")).toBeNull();
+    expect(payload).toEqual({ message: "Platform public URL is not configured." });
+    expect(cookiesMock).not.toHaveBeenCalled();
+  });
+
+  it("uses the configured public URL for GitHub OAuth redirect_uri", async () => {
+    process.env.DIFFAUDIT_PLATFORM_URL = "https://diffaudit.example.test";
+    const route = await import("./github/route");
+
+    const response = await route.GET(hostileRequest("/api/auth/github"));
+    const location = response.headers.get("location");
+    const redirect = new URL(location ?? "");
+
+    expect(response.status).toBe(307);
+    expect(redirect.origin).toBe("https://github.com");
+    expect(redirect.searchParams.get("redirect_uri")).toBe(
+      "https://diffaudit.example.test/api/auth/github/callback",
+    );
+  });
+
+  it("uses the configured public URL for unauthenticated connect redirects", async () => {
+    process.env.DIFFAUDIT_PLATFORM_URL = "https://diffaudit.example.test";
+    const route = await import("./github/route");
+
+    const response = await route.GET(
+      hostileRequest("/api/auth/github?intent=connect&redirectTo=/workspace/account"),
+    );
+    const location = response.headers.get("location");
+    const redirect = new URL(location ?? "");
+
+    expect(response.status).toBe(307);
+    expect(redirect.origin).toBe("https://diffaudit.example.test");
+    expect(redirect.pathname).toBe("/login");
+    expect(redirect.searchParams.get("redirectTo")).toBe("/workspace/account");
+  });
+
+  it("does not redirect callback errors to Host-derived origins", async () => {
+    const route = await import("./github/callback/route");
+
+    const response = await route.GET(hostileRequest("/api/auth/github/callback?error=denied"));
+    const payload = await response.json();
+
+    expect(response.status).toBe(500);
+    expect(response.headers.get("location")).toBeNull();
+    expect(payload).toEqual({ message: "Platform public URL is not configured." });
+    expect(cookiesMock).not.toHaveBeenCalled();
+  });
+});

apps/web/src/lib/auth.test.ts

@@ -13,13 +13,15 @@ import {
   googleOAuthConfigured,
   protectedApiPath,
   protectedPagePath,
+  resolveConfiguredPlatformUrl,
   resolvePlatformUrl,
   sanitizeRedirectPath,
   verifyCredentials,
 } from "./auth";
 import { resetDbForTests } from "./db";
 
 let tempDir = "";
+const originalNodeEnv = process.env.NODE_ENV;
 
 beforeEach(() => {
   tempDir = fs.mkdtempSync(path.join(os.tmpdir(), "diffaudit-auth-"));
@@ -36,6 +38,7 @@ afterEach(() => {
   delete process.env.DIFFAUDIT_SHARED_USERNAME;
   delete process.env.DIFFAUDIT_SHARED_PASSWORD;
   delete process.env.DIFFAUDIT_PLATFORM_URL;
+  process.env.NODE_ENV = originalNodeEnv;
   fs.rmSync(tempDir, { recursive: true, force: true });
 });
 
@@ -66,6 +69,19 @@ describe("auth route helpers", () => {
     expect(sanitizeRedirectPath("//evil.example/path")).toBe(DEFAULT_REDIRECT_PATH);
   });
 
+  it("rejects redirect targets that can be normalized into external origins", () => {
+    expect(sanitizeRedirectPath("/\\\\evil.example/path")).toBe(DEFAULT_REDIRECT_PATH);
+    expect(sanitizeRedirectPath("/%5C%5Cevil.example/path")).toBe(DEFAULT_REDIRECT_PATH);
+    expect(sanitizeRedirectPath("/%5c%5cevil.example/path")).toBe(DEFAULT_REDIRECT_PATH);
+  });
+
+  it("rejects redirect targets with whitespace or control characters", () => {
+    expect(sanitizeRedirectPath(" /workspace")).toBe(DEFAULT_REDIRECT_PATH);
+    expect(sanitizeRedirectPath("/workspace ")).toBe(DEFAULT_REDIRECT_PATH);
+    expect(sanitizeRedirectPath("/\t/evil.example")).toBe(DEFAULT_REDIRECT_PATH);
+    expect(sanitizeRedirectPath("/%09/evil.example")).toBe(DEFAULT_REDIRECT_PATH);
+  });
+
   it("protects only the workspace routes and not the marketing pages", () => {
     expect(protectedPagePath("/")).toBe(false);
     expect(protectedPagePath("/trial")).toBe(false);
@@ -95,17 +111,49 @@ describe("auth route helpers", () => {
     ).toBe(true);
   });
 
-  it("resolves oauth public URL from the request when configured URL is bind-only", () => {
+  it("rejects bind-only configured platform URLs in production", () => {
+    process.env.NODE_ENV = "production";
     process.env.DIFFAUDIT_PLATFORM_URL = "http://0.0.0.0:3000";
 
     const request = new Request("http://127.0.0.1:3000/api/auth/google", {
       headers: {
-        host: "diffaudit.example.test",
+        host: "attacker.example.test",
+        "x-forwarded-host": "attacker.example.test",
         "x-forwarded-proto": "https",
       },
     });
 
-    expect(resolvePlatformUrl(request)).toBe("https://diffaudit.example.test");
+    expect(resolvePlatformUrl(request)).toBeNull();
+    expect(resolveConfiguredPlatformUrl()).toBeNull();
+  });
+
+  it("rejects unconfigured production platform URLs instead of trusting forwarded hosts", () => {
+    process.env.NODE_ENV = "production";
+
+    const request = new Request("https://internal.invalid/api/auth/google", {
+      headers: {
+        host: "attacker.example.test",
+        "x-forwarded-host": "attacker.example.test",
+        "x-forwarded-proto": "https",
+      },
+    });
+
+    expect(resolvePlatformUrl(request)).toBeNull();
+  });
+
+  it("keeps localhost origin fallback for local development only", () => {
+    process.env.NODE_ENV = "development";
+
+    const request = new Request("http://127.0.0.1:3000/api/auth/google", {
+      headers: {
+        host: "attacker.example.test",
+        "x-forwarded-host": "attacker.example.test",
+        "x-forwarded-proto": "https",
+      },
+    });
+
+    expect(resolvePlatformUrl(request)).toBe("http://127.0.0.1:3000");
+    expect(resolveConfiguredPlatformUrl()).toBe("http://localhost:3000");
   });
 
   it("prefers a valid configured public platform URL for oauth redirects", () => {