fix(auth): added same-origin validation to forget password route, added confirmation for disable auth FF

Author: waleedlatif1

apps/sim/app/api/auth/forget-password/route.test.ts

@@ -6,6 +6,15 @@
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 import { createMockRequest, setupAuthApiMocks } from '@/app/api/__test-utils__/utils'
 
+vi.mock('@/lib/core/config/env', () => ({
+  getEnv: vi.fn((key: string) => {
+    if (key === 'NEXT_PUBLIC_APP_URL') {
+      return 'https://app.example.com'
+    }
+    return undefined
+  }),
+}))
+
 describe('Forget Password API Route', () => {
   beforeEach(() => {
     vi.resetModules()
@@ -15,7 +24,7 @@ describe('Forget Password API Route', () => {
     vi.clearAllMocks()
   })
 
-  it('should send password reset email successfully', async () => {
+  it('should send password reset email successfully with same-origin redirectTo', async () => {
     setupAuthApiMocks({
       operations: {
         forgetPassword: { success: true },
@@ -24,7 +33,7 @@ describe('Forget Password API Route', () => {
 
     const req = createMockRequest('POST', {
       email: 'test@example.com',
-      redirectTo: 'https://example.com/reset',
+      redirectTo: 'https://app.example.com/reset',
     })
 
     const { POST } = await import('@/app/api/auth/forget-password/route')
@@ -39,12 +48,36 @@ describe('Forget Password API Route', () => {
     expect(auth.auth.api.forgetPassword).toHaveBeenCalledWith({
       body: {
         email: 'test@example.com',
-        redirectTo: 'https://example.com/reset',
+        redirectTo: 'https://app.example.com/reset',
       },
       method: 'POST',
     })
   })
 
+  it('should reject external redirectTo URL', async () => {
+    setupAuthApiMocks({
+      operations: {
+        forgetPassword: { success: true },
+      },
+    })
+
+    const req = createMockRequest('POST', {
+      email: 'test@example.com',
+      redirectTo: 'https://evil.com/phishing',
+    })
+
+    const { POST } = await import('@/app/api/auth/forget-password/route')
+
+    const response = await POST(req)
+    const data = await response.json()
+
+    expect(response.status).toBe(400)
+    expect(data.message).toBe('Redirect URL must be same-origin')
+
+    const auth = await import('@/lib/auth')
+    expect(auth.auth.api.forgetPassword).not.toHaveBeenCalled()
+  })
+
   it('should send password reset email without redirectTo', async () => {
     setupAuthApiMocks({
       operations: {

apps/sim/app/api/auth/forget-password/route.ts

@@ -1,6 +1,7 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { auth } from '@/lib/auth'
+import { isSameOrigin } from '@/lib/core/utils/validation'
 import { createLogger } from '@/lib/logs/console/logger'
 
 export const dynamic = 'force-dynamic'
@@ -14,6 +15,9 @@ const forgetPasswordSchema = z.object({
   redirectTo: z
     .string()
     .url('Redirect URL must be a valid URL')
+    .refine((url) => isSameOrigin(url), {
+      message: 'Redirect URL must be same-origin',
+    })
     .optional()
     .or(z.literal(''))
     .transform((val) => (val === '' ? undefined : val)),

apps/sim/lib/core/config/feature-flags.ts

@@ -1,8 +1,12 @@
 /**
  * Environment utility functions for consistent environment detection across the application
  */
+
+import { createLogger } from '@/lib/logs/console/logger'
 import { env, getEnv, isTruthy } from './env'
 
+const logger = createLogger('FeatureFlags')
+
 /**
  * Is the application running in production mode
  */
@@ -37,8 +41,22 @@ export const isEmailVerificationEnabled = isTruthy(env.EMAIL_VERIFICATION_ENABLE
 
 /**
  * Is authentication disabled (for self-hosted deployments behind private networks)
+ * This flag is blocked when isHosted is true.
  */
-export const isAuthDisabled = isTruthy(env.DISABLE_AUTH)
+export const isAuthDisabled = isTruthy(env.DISABLE_AUTH) && !isHosted
+
+if (isTruthy(env.DISABLE_AUTH)) {
+  if (isHosted) {
+    logger.error(
+      'DISABLE_AUTH is set but ignored on hosted environment. Authentication remains enabled for security.'
+    )
+  } else {
+    logger.warn(
+      'DISABLE_AUTH is enabled. Authentication is bypassed and all requests use an anonymous session. ' +
+        'Only use this in trusted private networks.'
+    )
+  }
+}
 
 /**
  * Is user registration disabled

apps/sim/lib/core/utils/validation.ts

@@ -1,3 +1,26 @@
+import { getEnv } from '@/lib/core/config/env'
+
+/**
+ * Checks if a URL is same-origin with the application's base URL.
+ * Used to prevent open redirect vulnerabilities.
+ *
+ * @param url - The URL to validate
+ * @returns True if the URL is same-origin, false otherwise (secure default)
+ */
+export function isSameOrigin(url: string): boolean {
+  try {
+    const appBaseUrl = getEnv('NEXT_PUBLIC_APP_URL')
+    if (!appBaseUrl) {
+      return false
+    }
+    const targetUrl = new URL(url)
+    const appUrl = new URL(appBaseUrl)
+    return targetUrl.origin === appUrl.origin
+  } catch {
+    return false
+  }
+}
+
 /**
  * Validates a name by removing any characters that could cause issues
  * with variable references or node naming.