Fix: Replace z.httpUrl() with z.url() for localhost compatibility #249
taheerahmed wants to merge 2 commits into e2b-dev:main
@taheerahmed is attempting to deploy a commit to the E2B Team on Vercel. A member of the Team first needs to authorize it.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e30060e057
…ocalhost compatibility

z.httpUrl() rejects localhost URLs, causing Zod validation errors during local development when verifying email. z.url() with a protocol constraint still restricts to http/https while accepting localhost. Existing isExternalOrigin checks already handle redirect security.

Closes e2b-dev#241

e30060e to 14a91a3
lgtm, can you add unit tests for this behavior and abstract the schema into
Will do this and update. This was a miss from my end! Thanks for pointing it out!
… tests

- Extract shared httpUrlSchema into src/lib/schemas/url.ts alongside existing relativeUrlSchema
- Both auth confirm route and ConfirmEmailInputSchema now import from the shared schema instead of inlining z.url({ protocol: /^https?$/ })
- Add 12 unit tests covering http/https acceptance, localhost support, non-http scheme rejection, and invalid input handling
Done! Updated with:

All 92 unit tests pass (
Summary

- Replace z.httpUrl() with z.url() in the auth confirm route and shared ConfirmEmailInputSchema
- z.httpUrl() rejects localhost URLs, causing Zod validation errors during local development email verification
- z.url() validates URL structure while accepting localhost — production URLs (https://e2b.dev/...) continue to pass

Why this is safe

The Zod schema is only responsible for validating that next is a syntactically valid URL. The actual redirect security is handled downstream:

- isExternalOrigin() checks reject or reroute requests with a different origin
- buildRedirectUrl() reconstructs the redirect using the dashboard's own origin, only preserving pathname and search params

So switching from z.httpUrl() to z.url() does not weaken security.

Validation

| Input | z.httpUrl() (before) | z.url() (after) |
|---|---|---|
| http://localhost:3000/dashboard | rejected | accepted |
| https://e2b.dev/dashboard | accepted | accepted |
| not-a-url | | |
| (empty) | | |

Files changed

- src/server/api/models/auth.models.ts — ConfirmEmailInputSchema.next
- src/app/api/auth/confirm/route.ts — confirmSchema.next

Closes #241
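The "why this is safe" argument above rests on two layers: a schema that only checks URL syntax and scheme, and downstream origin handling that prevents an open redirect. The following is an added example, not code from the e2b-dev repository, that models both layers with the WHATWG URL API and no dependencies. It does not use Zod; `isHttpUrl` stands in for the intent of `z.url({ protocol: /^https?$/ })`, and `isExternalOrigin`, `buildRedirectUrl`, `resolveNext` and `DASHBOARD_ORIGIN` are assumed shapes modelled on the PR description, not the project's real functions. The rerouting branch follows the "reject or reroute" wording by choosing to reroute.

```javascript
// Added example (not the e2b-dev project's code): a dependency-free model of the
// two-layer redirect handling described in the PR, built on the WHATWG URL API.

// Assumed origin of the locally running dashboard (placeholder value).
const DASHBOARD_ORIGIN = "http://localhost:3000";

// Layer 1, schema: mirrors the intent of z.url({ protocol: /^https?$/ }).
// Accepts any syntactically valid absolute URL whose scheme is http or https;
// the host is not restricted, so localhost passes while ftp:, javascript:, etc. fail.
function isHttpUrl(value) {
  if (typeof value !== "string" || value.length === 0) return false;
  let parsed;
  try {
    parsed = new URL(value);
  } catch {
    return false; // "not-a-url", relative paths, etc. do not parse as absolute URLs
  }
  return /^https?:$/.test(parsed.protocol);
}

// Layer 2a, assumed shape of isExternalOrigin(): does `next` name an origin
// other than the dashboard's own? Compared on the parsed origin, never on substrings.
function isExternalOrigin(next, dashboardOrigin = DASHBOARD_ORIGIN) {
  return new URL(next).origin !== new URL(dashboardOrigin).origin;
}

// Layer 2b, assumed shape of buildRedirectUrl(): rebuild the redirect on the
// dashboard's own origin, keeping only pathname and search. Scheme, host, port,
// userinfo and fragment from `next` are discarded, so no foreign host survives.
function buildRedirectUrl(next, dashboardOrigin = DASHBOARD_ORIGIN) {
  const requested = new URL(next);
  const rebuilt = new URL(dashboardOrigin);
  rebuilt.pathname = requested.pathname;
  rebuilt.search = requested.search;
  return rebuilt.toString();
}

// Full handling of the `next` parameter: schema check first, then origin policy.
// Returns { ok: false, reason } for schema failures, otherwise
// { ok: true, rerouted, redirect } where `redirect` is always on the dashboard origin.
function resolveNext(next, dashboardOrigin = DASHBOARD_ORIGIN) {
  if (!isHttpUrl(next)) return { ok: false, reason: "invalid_url" };
  const rerouted = isExternalOrigin(next, dashboardOrigin);
  return { ok: true, rerouted, redirect: buildRedirectUrl(next, dashboardOrigin) };
}

// Constructed sample inputs, matching the cases listed in the PR plus two extra schemes.
const samples = [
  "http://localhost:3000/dashboard",
  "https://e2b.dev/dashboard",
  "not-a-url",
  "",
  "ftp://localhost/x",
  "https://evil.example/phish?x=1",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(resolveNext(s)));
}
```

The point the example makes concrete: loosening the schema from `z.httpUrl()` to a protocol-constrained `z.url()` only changes which hosts reach layer 2, and layer 2 rebuilds every redirect on the dashboard's own origin regardless of the host supplied.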