Fix: Replace z.httpUrl() with z.url() for localhost compatibility #249
taheerahmed wants to merge 2 commits into
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e30060e057
…ocalhost compatibility z.httpUrl() rejects localhost URLs, causing Zod validation errors during local development when verifying email. z.url() with a protocol constraint still restricts to http/https while accepting localhost. Existing isExternalOrigin checks already handle redirect security. Closes e2b-dev#241
e30060e to 14a91a3
lgtm, can you add unit tests for this behavior and abstract the schema into
Will do this and update. This was a miss from my end! Thanks for pointing it out!
… tests
- Extract shared httpUrlSchema into src/lib/schemas/url.ts alongside
existing relativeUrlSchema
- Both auth confirm route and ConfirmEmailInputSchema now import from
the shared schema instead of inlining z.url({ protocol: /^https?$/ })
- Add 12 unit tests covering http/https acceptance, localhost support,
non-http scheme rejection, and invalid input handling
Done! Updated with:
All 92 unit tests pass (
## Summary
Fixes [#241](#241): Zod validation error blocks email verification on local-dev Supabase setups.
- Replaces `z.httpUrl()` with a shared `httpUrlSchema` that uses `z.url({ protocol: /^https?$/ })` — still requires http/https, but accepts `http://localhost:3000/...`.
- Schema lives in `src/core/shared/schemas/url.ts` alongside the existing `relativeUrlSchema`, and both the auth confirm route handler and `ConfirmEmailInputSchema` consume it.
- Webhook URL validation (`src/core/server/functions/webhooks/schema.ts`) intentionally kept on `z.httpUrl()` — webhooks should not accept localhost.
## Files changed
- `src/core/shared/schemas/url.ts` — adds `httpUrlSchema` alongside existing `relativeUrlSchema`
- `src/core/modules/auth/models.ts` — `ConfirmEmailInputSchema.next` uses the shared schema
- `src/app/api/auth/confirm/route.ts` — same for the route's inline `confirmSchema`
- `tests/unit/url-schema.test.ts` *(new)* — 12 unit tests covering accept/reject cases
## Tests
```
bun run test:unit
bun run lint
```
## Credits
Adapted from #249 by @taheerahmed
Fixed in #327
## Summary
- `z.httpUrl()` with `z.url()` in the auth confirm route and shared `ConfirmEmailInputSchema`
- `z.httpUrl()` rejects `localhost` URLs, causing Zod validation errors during local development email verification
- `z.url()` validates URL structure while accepting `localhost` — production URLs (`https://e2b.dev/...`) continue to pass
## Why this is safe
The Zod schema is only responsible for validating that `next` is a syntactically valid URL. The actual redirect security is handled downstream:
- `isExternalOrigin()` checks reject or reroute requests with a different origin
- `buildRedirectUrl()` reconstructs the redirect using the dashboard's own origin, only preserving pathname and search params

So switching from `z.httpUrl()` to `z.url()` does not weaken security.
## Validation
| | `z.httpUrl()` (before) | `z.url()` (after) |
|---|---|---|
| `http://localhost:3000/dashboard` | | |
| `https://e2b.dev/dashboard` | | |
| `not-a-url` | | |
| (empty) | | |
## Files changed
- `src/server/api/models/auth.models.ts` — `ConfirmEmailInputSchema.next`
- `src/app/api/auth/confirm/route.ts` — `confirmSchema.next`

Closes #241
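The layering discussed in this thread (scheme-constrained validation of `next`, then an origin check, then rebuilding the redirect on the dashboard's own origin), as an added example that is not the project's code. It uses the WHATWG `URL` parser instead of Zod; `isExternalOriginSketch` and `buildRedirectUrlSketch` are hypothetical stand-ins for the helpers named above, and `other.example` is a constructed host.

```javascript
// Added example (constructed). The *Sketch functions are hypothetical stand-ins,
// not the project's isExternalOrigin() / buildRedirectUrl().

// Syntax-only check: accepts any absolute URL the WHATWG parser can read.
function isAnyUrl(input) {
  try { new URL(input); return true; } catch { return false; }
}

// Scheme-allowlisted check, using the same /^https?$/ constraint quoted on the page.
function isHttpUrl(input) {
  try {
    const scheme = new URL(input).protocol.slice(0, -1); // "https:" -> "https"
    return /^https?$/.test(scheme);
  } catch {
    return false; // "not-a-url", "" and other unparseable input
  }
}

// True when `next` points at a different origin than the dashboard.
function isExternalOriginSketch(next, ownOrigin) {
  return new URL(next).origin !== new URL(ownOrigin).origin;
}

// Rebuild the redirect on our own origin, copying only path and query.
// Setters are used instead of new URL(path, base) so that a path starting
// with "//" cannot be re-read as a scheme-relative URL naming another host.
function buildRedirectUrlSketch(next, ownOrigin) {
  const parsed = new URL(next);
  const out = new URL(new URL(ownOrigin).origin);
  out.pathname = parsed.pathname;
  out.search = parsed.search;
  return out.toString();
}

// Full decision for a `next` parameter: validate, check origin, rebuild.
function resolveNext(next, ownOrigin) {
  const fallback = new URL("/", ownOrigin).toString();
  if (!isHttpUrl(next)) return { ok: false, reason: "invalid-url", redirect: fallback };
  if (isExternalOriginSketch(next, ownOrigin)) {
    return { ok: false, reason: "external-origin", redirect: fallback };
  }
  return { ok: true, reason: null, redirect: buildRedirectUrlSketch(next, ownOrigin) };
}
```

A syntax-only check accepts `ftp:` and `mailto:` values and leaves their rejection to the later origin check, while the scheme constraint stops them at validation and still lets `http://localhost:3000/...` through.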