ack PR comments

waleedlatif1 · waleedlatif1 · commit 74be0850f4cd · 2025-12-18T10:56:36.000-08:00
diff --git a/apps/sim/app/api/auth/forget-password/route.test.ts b/apps/sim/app/api/auth/forget-password/route.test.ts
@@ -72,7 +72,7 @@ describe('Forget Password API Route', () => {
     const data = await response.json()
 
     expect(response.status).toBe(400)
-    expect(data.message).toBe('Redirect URL must be same-origin')
+    expect(data.message).toBe('Redirect URL must be a valid same-origin URL')
 
     const auth = await import('@/lib/auth')
     expect(auth.auth.api.forgetPassword).not.toHaveBeenCalled()
diff --git a/apps/sim/app/api/auth/forget-password/route.ts b/apps/sim/app/api/auth/forget-password/route.ts
@@ -14,13 +14,15 @@ const forgetPasswordSchema = z.object({
     .email('Please provide a valid email address'),
   redirectTo: z
     .string()
-    .url('Redirect URL must be a valid URL')
-    .refine((url) => isSameOrigin(url), {
-      message: 'Redirect URL must be same-origin',
-    })
     .optional()
     .or(z.literal(''))
-    .transform((val) => (val === '' ? undefined : val)),
+    .transform((val) => (val === '' || val === undefined ? undefined : val))
+    .refine(
+      (val) => val === undefined || (z.string().url().safeParse(val).success && isSameOrigin(val)),
+      {
+        message: 'Redirect URL must be a valid same-origin URL',
+      }
+    ),
 })
 
 export async function POST(request: NextRequest) {
diff --git a/apps/sim/lib/core/config/feature-flags.ts b/apps/sim/lib/core/config/feature-flags.ts
@@ -1,12 +1,8 @@
 /**
  * Environment utility functions for consistent environment detection across the application
  */
-
-import { createLogger } from '@/lib/logs/console/logger'
 import { env, getEnv, isTruthy } from './env'
 
-const logger = createLogger('FeatureFlags')
-
 /**
  * Is the application running in production mode
  */
@@ -46,16 +42,22 @@ export const isEmailVerificationEnabled = isTruthy(env.EMAIL_VERIFICATION_ENABLE
 export const isAuthDisabled = isTruthy(env.DISABLE_AUTH) && !isHosted
 
 if (isTruthy(env.DISABLE_AUTH)) {
-  if (isHosted) {
-    logger.error(
-      'DISABLE_AUTH is set but ignored on hosted environment. Authentication remains enabled for security.'
-    )
-  } else {
-    logger.warn(
-      'DISABLE_AUTH is enabled. Authentication is bypassed and all requests use an anonymous session. ' +
-        'Only use this in trusted private networks.'
-    )
-  }
+  import('@/lib/logs/console/logger')
+    .then(({ createLogger }) => {
+      const logger = createLogger('FeatureFlags')
+      if (isHosted) {
+        logger.error(
+          'DISABLE_AUTH is set but ignored on hosted environment. Authentication remains enabled for security.'
+        )
+      } else {
+        logger.warn(
+          'DISABLE_AUTH is enabled. Authentication is bypassed and all requests use an anonymous session. Only use this in trusted private networks.'
+        )
+      }
+    })
+    .catch(() => {
+      // Fallback during config compilation when logger is unavailable
+    })
 }
 
 /**
