ack PR comments

Author: waleedlatif1

apps/sim/app/api/auth/forget-password/route.test.ts

@@ -6,13 +6,8 @@
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 import { createMockRequest, setupAuthApiMocks } from '@/app/api/__test-utils__/utils'
 
-vi.mock('@/lib/core/config/env', () => ({
-  getEnv: vi.fn((key: string) => {
-    if (key === 'NEXT_PUBLIC_APP_URL') {
-      return 'https://app.example.com'
-    }
-    return undefined
-  }),
+vi.mock('@/lib/core/utils/urls', () => ({
+  getBaseUrl: vi.fn(() => 'https://app.example.com'),
 }))
 
 describe('Forget Password API Route', () => {
@@ -72,7 +67,7 @@ describe('Forget Password API Route', () => {
     const data = await response.json()
 
     expect(response.status).toBe(400)
-    expect(data.message).toBe('Redirect URL must be same-origin')
+    expect(data.message).toBe('Redirect URL must be a valid same-origin URL')
 
     const auth = await import('@/lib/auth')
     expect(auth.auth.api.forgetPassword).not.toHaveBeenCalled()

apps/sim/app/api/auth/forget-password/route.ts

@@ -14,13 +14,15 @@ const forgetPasswordSchema = z.object({
     .email('Please provide a valid email address'),
   redirectTo: z
     .string()
-    .url('Redirect URL must be a valid URL')
-    .refine((url) => isSameOrigin(url), {
-      message: 'Redirect URL must be same-origin',
-    })
     .optional()
     .or(z.literal(''))
-    .transform((val) => (val === '' ? undefined : val)),
+    .transform((val) => (val === '' || val === undefined ? undefined : val))
+    .refine(
+      (val) => val === undefined || (z.string().url().safeParse(val).success && isSameOrigin(val)),
+      {
+        message: 'Redirect URL must be a valid same-origin URL',
+      }
+    ),
 })
 
 export async function POST(request: NextRequest) {

apps/sim/lib/core/config/feature-flags.ts

@@ -1,12 +1,8 @@
 /**
  * Environment utility functions for consistent environment detection across the application
  */
-
-import { createLogger } from '@/lib/logs/console/logger'
 import { env, getEnv, isTruthy } from './env'
 
-const logger = createLogger('FeatureFlags')
-
 /**
  * Is the application running in production mode
  */
@@ -46,16 +42,22 @@ export const isEmailVerificationEnabled = isTruthy(env.EMAIL_VERIFICATION_ENABLE
 export const isAuthDisabled = isTruthy(env.DISABLE_AUTH) && !isHosted
 
 if (isTruthy(env.DISABLE_AUTH)) {
-  if (isHosted) {
-    logger.error(
-      'DISABLE_AUTH is set but ignored on hosted environment. Authentication remains enabled for security.'
-    )
-  } else {
-    logger.warn(
-      'DISABLE_AUTH is enabled. Authentication is bypassed and all requests use an anonymous session. ' +
-        'Only use this in trusted private networks.'
-    )
-  }
+  import('@/lib/logs/console/logger')
+    .then(({ createLogger }) => {
+      const logger = createLogger('FeatureFlags')
+      if (isHosted) {
+        logger.error(
+          'DISABLE_AUTH is set but ignored on hosted environment. Authentication remains enabled for security.'
+        )
+      } else {
+        logger.warn(
+          'DISABLE_AUTH is enabled. Authentication is bypassed and all requests use an anonymous session. Only use this in trusted private networks.'
+        )
+      }
+    })
+    .catch(() => {
+      // Fallback during config compilation when logger is unavailable
+    })
 }
 
 /**

apps/sim/lib/core/utils/validation.ts

@@ -1,4 +1,4 @@
-import { getEnv } from '@/lib/core/config/env'
+import { getBaseUrl } from './urls'
 
 /**
  * Checks if a URL is same-origin with the application's base URL.
@@ -9,12 +9,8 @@ import { getEnv } from '@/lib/core/config/env'
  */
 export function isSameOrigin(url: string): boolean {
   try {
-    const appBaseUrl = getEnv('NEXT_PUBLIC_APP_URL')
-    if (!appBaseUrl) {
-      return false
-    }
     const targetUrl = new URL(url)
-    const appUrl = new URL(appBaseUrl)
+    const appUrl = new URL(getBaseUrl())
     return targetUrl.origin === appUrl.origin
   } catch {
     return false