fix(privacy): scrub magic link URLs (#2359)

Author: jeanduplessis

apps/web/public/robots.txt

@@ -1,2 +1,3 @@
 User-agent: *
 Disallow: /users/sign_in
+Disallow: /auth/verify-magic-link

apps/web/src/app/auth/verify-magic-link/page.tsx

@@ -11,17 +11,14 @@ function VerifyMagicLinkContent() {
 
   useEffect(() => {
     const token = searchParams.get('token');
-    const email = searchParams.get('email');
     const callbackUrl = searchParams.get('callbackUrl') || '/users/after-sign-in';
 
-    if (!token || !email) {
+    if (!token) {
       window.location.href = '/users/sign_in?error=INVALID_VERIFICATION';
       return;
     }
 
-    // Sign in using the email provider with the token
     signIn('email', {
-      email,
       token,
       callbackUrl,
       redirect: true,

apps/web/src/components/PostHogProvider.tsx

@@ -5,6 +5,7 @@ import { PostHogProvider as PHProvider, usePostHog } from 'posthog-js/react';
 import { useSession } from 'next-auth/react';
 import { Suspense, useEffect, useRef } from 'react';
 import { usePathname, useSearchParams } from 'next/navigation';
+import { sanitizeAnalyticsUrl, sanitizeAnalyticsUrlValue } from '@/lib/sanitize-analytics-url';
 
 export function PostHogProvider({ children }: { children: React.ReactNode }) {
   useEffect(() => {
@@ -25,6 +26,18 @@ export function PostHogProvider({ children }: { children: React.ReactNode }) {
       disable_web_experiments: false,
       capture_pageview: false, // We capture pageviews manually
       capture_pageleave: true, // Enable pageleave capture
+      before_send: event => {
+        if (!event?.properties) return event;
+        return {
+          ...event,
+          properties: {
+            ...event.properties,
+            $current_url: sanitizeAnalyticsUrlValue(event.properties.$current_url),
+            $referrer: sanitizeAnalyticsUrlValue(event.properties.$referrer),
+            $referring_domain: sanitizeAnalyticsUrlValue(event.properties.$referring_domain),
+          },
+        };
+      },
       loaded: function (ph) {
         if (!isProduction) {
           // Opt out of capturing in non-production environments
@@ -69,11 +82,7 @@ function PostHogPageView() {
 
   useEffect(() => {
     if (pathname && posthog) {
-      let url = window.origin + pathname;
-      const search = searchParams.toString();
-      if (search) {
-        url += '?' + search;
-      }
+      const url = sanitizeAnalyticsUrl(window.origin, pathname, searchParams.toString());
       posthog.capture('$pageview', { $current_url: url });
     }
   }, [pathname, searchParams, posthog]);

apps/web/src/lib/auth/magic-link-tokens.test.ts

@@ -1,5 +1,9 @@
 import { describe, it, expect, beforeEach } from '@jest/globals';
-import { createMagicLinkToken, verifyAndConsumeMagicLinkToken } from './magic-link-tokens';
+import {
+  createMagicLinkToken,
+  getMagicLinkUrl,
+  verifyAndConsumeMagicLinkToken,
+} from './magic-link-tokens';
 import { db } from '@/lib/drizzle';
 import { sql } from 'drizzle-orm';
 
@@ -53,6 +57,18 @@ describe('Magic Link Tokens', () => {
     });
   });
 
+  describe('getMagicLinkUrl', () => {
+    it('does not include email addresses in magic link URLs', async () => {
+      const token = await createMagicLinkToken(testEmail);
+      const url = new URL(getMagicLinkUrl(token));
+
+      expect(url.pathname).toBe('/auth/verify-magic-link');
+      expect(url.searchParams.get('token')).toBe(token.plaintext_token);
+      expect(url.searchParams.has('email')).toBe(false);
+      expect(url.toString()).not.toContain(encodeURIComponent(testEmail));
+    });
+  });
+
   describe('verifyAndConsumeMagicLinkToken', () => {
     it('should verify and consume a valid token', async () => {
       const created = await createMagicLinkToken(testEmail);

apps/web/src/lib/auth/magic-link-tokens.ts

@@ -85,12 +85,11 @@ export async function verifyAndConsumeMagicLinkToken(
 }
 
 export function getMagicLinkUrl(
-  { plaintext_token, email }: MagicLinkTokenWithPlaintext,
+  { plaintext_token }: MagicLinkTokenWithPlaintext,
   callbackUrl?: string
 ): string {
   const url = new URL(`${NEXTAUTH_URL}/auth/verify-magic-link`);
   url.searchParams.set('token', plaintext_token);
-  url.searchParams.set('email', email);
   if (callbackUrl) {
     url.searchParams.set('callbackUrl', callbackUrl);
   }

apps/web/src/lib/auth/redirect-urls.test.ts

@@ -0,0 +1,24 @@
+import { authFailureRedirectUrl, ssoSignInRedirectUrl } from '@/lib/auth/redirect-urls';
+
+describe('auth redirect URLs', () => {
+  it('does not include email addresses on auth failure redirects', () => {
+    const url = authFailureRedirectUrl('BLOCKED', false);
+
+    expect(url).toBe('/users/sign_in?error=BLOCKED');
+    expect(new URL(url, 'https://app.kilo.ai').searchParams.has('email')).toBe(false);
+  });
+
+  it('does not include email addresses on account-linking failure redirects', () => {
+    const url = authFailureRedirectUrl('DIFFERENT-OAUTH', true);
+
+    expect(url).toBe('/connected-accounts?error=DIFFERENT-OAUTH');
+    expect(new URL(url, 'https://app.kilo.ai').searchParams.has('email')).toBe(false);
+  });
+
+  it('does not include email addresses on SSO enforcement redirects', () => {
+    const url = ssoSignInRedirectUrl('example.com');
+
+    expect(url).toBe('/users/sign_in?domain=example.com');
+    expect(new URL(url, 'https://app.kilo.ai').searchParams.has('email')).toBe(false);
+  });
+});

apps/web/src/lib/auth/redirect-urls.ts

@@ -0,0 +1,10 @@
+import { SSO_SIGNIN_PATH, type AuthErrorType } from '@/lib/auth/constants';
+
+export function authFailureRedirectUrl(error: AuthErrorType, isAccountLinking: boolean): string {
+  const baseUrl = isAccountLinking ? '/connected-accounts' : '/users/sign_in';
+  return `${baseUrl}?${new URLSearchParams({ error }).toString()}`;
+}
+
+export function ssoSignInRedirectUrl(domain: string): string {
+  return `${SSO_SIGNIN_PATH}?${new URLSearchParams({ domain }).toString()}`;
+}

apps/web/src/lib/email.ts

@@ -187,7 +187,7 @@ export async function sendMagicLinkEmail(
     templateVars: {
       magic_link_url: getMagicLinkUrl(magicLink, callbackUrl),
       email: magicLink.email,
-      expires_in: '24 hours',
+      expires_in: '30 minutes',
       expires_at: new Date(magicLink.expires_at).toISOString(),
       app_url: NEXTAUTH_URL,
     },

apps/web/src/lib/sanitize-analytics-url.test.ts

@@ -0,0 +1,42 @@
+import { sanitizeAnalyticsUrl, sanitizeAnalyticsUrlValue } from '@/lib/sanitize-analytics-url';
+
+describe('sanitizeAnalyticsUrl', () => {
+  it('drops all query params from magic link verification URLs', () => {
+    expect(
+      sanitizeAnalyticsUrl(
+        'https://app.kilo.ai',
+        '/auth/verify-magic-link',
+        'token=secret&email=user%40example.com&callbackUrl=%2Fprofile'
+      )
+    ).toBe('https://app.kilo.ai/auth/verify-magic-link');
+  });
+
+  it('removes sensitive query params from other URLs', () => {
+    expect(
+      sanitizeAnalyticsUrl(
+        'https://app.kilo.ai',
+        '/users/sign_in',
+        'email=user%40example.com&state=secret&foo=bar&Token=abc'
+      )
+    ).toBe('https://app.kilo.ai/users/sign_in?foo=bar');
+  });
+
+  it('preserves non-sensitive query params', () => {
+    expect(sanitizeAnalyticsUrl('https://app.kilo.ai', '/credits', 'tab=usage&page=2')).toBe(
+      'https://app.kilo.ai/credits?tab=usage&page=2'
+    );
+  });
+
+  it('sanitizes full analytics URL property values', () => {
+    expect(
+      sanitizeAnalyticsUrlValue(
+        'https://app.kilo.ai/users/sign_in?email=user%40example.com&state=secret&foo=bar'
+      )
+    ).toBe('https://app.kilo.ai/users/sign_in?foo=bar');
+  });
+
+  it('leaves non-URL property values unchanged', () => {
+    expect(sanitizeAnalyticsUrlValue('not a url')).toBe('not a url');
+    expect(sanitizeAnalyticsUrlValue(null)).toBeNull();
+  });
+});

apps/web/src/lib/sanitize-analytics-url.ts

@@ -0,0 +1,43 @@
+const SENSITIVE_QUERY_PARAMS = new Set(['callbackurl', 'code', 'email', 'state', 'token']);
+const SENSITIVE_PATHS = new Set(['/auth/verify-magic-link']);
+
+function sanitizeUrlParts(origin: string, pathname: string, searchParams: string): string {
+  const baseUrl = `${origin}${pathname}`;
+  if (SENSITIVE_PATHS.has(pathname) || !searchParams) {
+    return baseUrl;
+  }
+
+  const sanitizedParams = new URLSearchParams();
+  new URLSearchParams(searchParams).forEach((value, key) => {
+    if (!SENSITIVE_QUERY_PARAMS.has(key.toLowerCase())) {
+      sanitizedParams.append(key, value);
+    }
+  });
+
+  const sanitizedSearch = sanitizedParams.toString();
+  return sanitizedSearch ? `${baseUrl}?${sanitizedSearch}` : baseUrl;
+}
+
+export function sanitizeAnalyticsUrl(
+  origin: string,
+  pathname: string,
+  searchParams: string
+): string {
+  return sanitizeUrlParts(origin, pathname, searchParams);
+}
+
+export function sanitizeAnalyticsUrlValue(value: unknown): unknown {
+  if (typeof value !== 'string') return value;
+
+  if (!value.startsWith('http://') && !value.startsWith('https://') && !value.startsWith('/')) {
+    return value;
+  }
+
+  try {
+    const baseOrigin = typeof window === 'undefined' ? 'http://localhost' : window.origin;
+    const url = new URL(value, baseOrigin);
+    return sanitizeUrlParts(url.origin, url.pathname, url.searchParams.toString());
+  } catch {
+    return value;
+  }
+}