Implement client confirmation endpoint and success page#4
💡 Codex Review
Here are some automated review suggestions for this pull request.
| const protocol = (req.headers['x-forwarded-proto'] as string | undefined) ?? 'http'; | ||
| const host = req.headers.host ?? 'localhost:3000'; | ||
| const baseUrl = process.env.NEXT_PUBLIC_APP_URL ?? process.env.APP_URL ?? `${protocol}://${host}`; | ||
| const confirmationUrl = `${baseUrl.replace(/\/$/, '')}/registration/success?id=${clientId}`; |
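Review bot: In the `confirmationUrl` line, `clientId` is interpolated into the query string without `encodeURIComponent`, so any reserved characters in the id (`&`, `#`, spaces) alter the URL structure instead of being carried as data; use `?id=${encodeURIComponent(clientId)}`. Separately, `x-forwarded-proto` can arrive as a comma-separated chain when more than one proxy is in the path, and the code takes the raw header value, so the scheme should be reduced to its first element and checked to be exactly `http` or `https` before it is used. The `'localhost:3000'` fallback for a missing `host` header also masks a misconfigured deployment rather than failing loudly.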
Build confirmation URL from untrusted request headers
The confirmation endpoint constructs confirmationUrl from x-forwarded-proto and host whenever NEXT_PUBLIC_APP_URL/APP_URL are absent. Both headers are fully controllable by the caller, so a crafted POST can cause the API (or any email that reuses the returned preview) to contain attacker-controlled links and schemes. This is a classic host-header injection issue; the URL should be derived from a trusted configuration value or validated against an allow-list before use.
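A hardened form of the URL construction the comment above describes, added here as an example rather than code from the PR: the base URL comes from trusted configuration first, and request headers are used only when the `Host` value is on an explicit allow-list and the forwarded scheme is `http` or `https`. `ALLOWED_HOSTS`, `RequestLike`, `UrlConfig`, `resolveBaseUrl` and `buildConfirmationUrl` are assumed names, and the host names are constructed samples.

```typescript
// Assumed allow-list of hosts this deployment answers for (constructed sample values).
const ALLOWED_HOSTS: ReadonlySet<string> = new Set(['app.example.com', 'localhost:3000']);

// Minimal shape of the incoming request, mirroring Node's header map.
interface RequestLike {
  headers: Record<string, string | string[] | undefined>;
}

// Trusted configuration: appUrl is what APP_URL / NEXT_PUBLIC_APP_URL would supply.
interface UrlConfig {
  appUrl?: string;
  allowedHosts?: ReadonlySet<string>;
}

// Node may expose a repeated header as an array; take the first value only.
function headerValue(v: string | string[] | undefined): string | undefined {
  return Array.isArray(v) ? v[0] : v;
}

// Returns the base URL without a trailing slash, or null when the request
// cannot be tied to a trusted origin (the caller should then fail the request).
function resolveBaseUrl(req: RequestLike, cfg: UrlConfig): string | null {
  if (cfg.appUrl) {
    return cfg.appUrl.replace(/\/$/, '');
  }
  const allowed = cfg.allowedHosts ?? ALLOWED_HOSTS;
  const host = headerValue(req.headers['host'])?.trim().toLowerCase();
  if (!host || !allowed.has(host)) {
    return null; // untrusted or missing Host header
  }
  // x-forwarded-proto may be a comma-separated chain; keep the first hop and
  // accept only the two schemes a confirmation link may legitimately use.
  const proto = (headerValue(req.headers['x-forwarded-proto']) ?? 'http')
    .split(',')[0]
    .trim()
    .toLowerCase();
  if (proto !== 'http' && proto !== 'https') {
    return null;
  }
  return `${proto}://${host}`;
}

// Builds the confirmation link with the client id percent-encoded as query data.
function buildConfirmationUrl(req: RequestLike, cfg: UrlConfig, clientId: string): string | null {
  const base = resolveBaseUrl(req, cfg);
  if (base === null) {
    return null;
  }
  return `${base}/registration/success?id=${encodeURIComponent(clientId)}`;
}
```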
Summary
Testing
https://chatgpt.com/codex/tasks/task_b_69026209006c83288f6e30a61df92a48