Fix redirect url (stack-auth#703)

fomalhautb · N2D4 · web-flow · commit 9f794854106b · 2025-06-27T04:00:12.000+02:00
---- > [!IMPORTANT] > Adds redirect URL validation in sign-up process and updates test URL to localhost. > > - **Behavior**: > - Adds `validateRedirectUrl` check in `POST` handler in `route.tsx` to ensure `verificationCallbackUrl` is whitelisted. > - Throws `RedirectUrlNotWhitelisted` error if URL is not valid. > - **Tests**: > - Updates `verificationCallbackUrl` in `scaffoldProject` in `js-helpers.ts` to `http://localhost:3000`. > > <sup>This description was created by </sup>[<img alt="Ellipsis" src="https://img.shields.io/badge/Ellipsis-blue?color=175173">](https://www.ellipsis.dev?ref=stack-auth%2Fstack-auth&utm_source=github&utm_medium=referral)<sup> for f25e26b. You can [customize](https://app.ellipsis.dev/stack-auth/settings/summaries) this summary. It will automatically update as commits are pushed.</sup>  --------- Co-authored-by: Konsti Wohlwend <n2d4xc@gmail.com>
diff --git a/apps/backend/src/app/api/latest/auth/password/sign-up/route.tsx b/apps/backend/src/app/api/latest/auth/password/sign-up/route.tsx
@@ -1,3 +1,4 @@
+import { validateRedirectUrl } from "@/lib/redirect-urls";
 import { createAuthTokens } from "@/lib/tokens";
 import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
 import { runAsynchronouslyAndWaitUntil } from "@/utils/vercel";
@@ -39,6 +40,14 @@ export const POST = createSmartRouteHandler({
       throw new KnownErrors.PasswordAuthenticationNotEnabled();
     }
 
+    if (!validateRedirectUrl(
+      verificationCallbackUrl,
+      tenancy.config.domains,
+      tenancy.config.allow_localhost,
+    )) {
+      throw new KnownErrors.RedirectUrlNotWhitelisted();
+    }
+
     const passwordError = getPasswordError(password);
     if (passwordError) {
       throw passwordError;
diff --git a/apps/e2e/tests/backend/endpoints/api/v1/auth/password/sign-up.test.ts b/apps/e2e/tests/backend/endpoints/api/v1/auth/password/sign-up.test.ts
@@ -56,6 +56,35 @@ it("should sign up new users", async ({ expect }) => {
   `);
 });
 
+it("should not sign up new users if verification callback url is not valid", async ({ expect }) => {
+  const mailbox = backendContext.value.mailbox;
+  const email = mailbox.emailAddress;
+  const password = generateSecureRandomString();
+  const response = await niceBackendFetch("/api/v1/auth/password/sign-up", {
+    method: "POST",
+    accessType: "client",
+    body: {
+      email,
+      password,
+      verification_callback_url: "http://invalid-domain.com",
+    },
+  });
+
+  expect(response).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 400,
+      "body": {
+        "code": "REDIRECT_URL_NOT_WHITELISTED",
+        "error": "Redirect URL not whitelisted. Did you forget to add this domain to the trusted domains list on the Stack Auth dashboard?",
+      },
+      "headers": Headers {
+        "x-stack-known-error": "REDIRECT_URL_NOT_WHITELISTED",
+        <some fields may have been hidden>,
+      },
+    }
+  `);
+});
+
 it("should not allow signing up with an e-mail that already exists", async ({ expect }) => {
   await Auth.Password.signUpWithEmail();
   const res2 = await niceBackendFetch("/api/v1/auth/password/sign-up", {
diff --git a/apps/e2e/tests/js/js-helpers.ts b/apps/e2e/tests/js/js-helpers.ts
@@ -17,7 +17,7 @@ export async function scaffoldProject(body?: Omit<AdminProjectCreateOptions, 'di
   Result.orThrow(await internalApp.signUpWithCredential({
     email: fakeEmail,
     password: "password",
-    verificationCallbackUrl: "https://stack-js-test.example.com/verify",
+    verificationCallbackUrl: "http://localhost:3000",
   }));
   const adminUser = await internalApp.getUser({
     or: 'throw',
diff --git a/packages/template/src/generated/quetzal-translations.ts b/packages/template/src/generated/quetzal-translations.ts
