
fix(privacy): scrub magic link URLs#2359

Merged
jeanduplessis merged 4 commits into main from fix/pentest-l2-magic-link-privacy on Apr 24, 2026

Conversation

@jeanduplessis
Contributor

@jeanduplessis jeanduplessis commented Apr 13, 2026

Summary

Pentest L2 identified archived Wayback Machine URLs where magic-link verification links exposed both login tokens and user email addresses in the query string. This PR keeps the existing magic-link token model but removes email PII from generated verification URLs and reduces future leakage paths.

L2: Magic-link URL privacy

  • Removed the email query parameter from generated magic-link URLs. The token already maps to the email in magic_link_tokens, so the credentials provider verifies the token and derives the email from the consumed token row.
  • Auth failure redirects and SSO-enforcement redirects no longer append email=.
  • Preserves same-browser prefill through existing signin_hint localStorage behavior instead of server-generated email query strings.
  • PostHog manual pageviews sanitize sensitive query params (token, email, callbackUrl, code, state) and drop all query params for /auth/verify-magic-link.
  • Mitigated remaining analytics leakage by adding a PostHog before_send sanitizer for default event URL properties ($current_url, $referrer, $referring_domain), covering pageleave/autocapture-style events in addition to manual pageviews.
  • Added Disallow: /auth/verify-magic-link to robots.txt and set Cache-Control: no-store plus X-Robots-Tag: noindex, noarchive, nofollow on the verification route.
  • Fixed magic-link email copy to say links expire in 30 minutes, matching token default.

Verification

  • pnpm --filter web exec jest src/lib/sanitize-analytics-url.test.ts --runInBand
  • pnpm format

Visual Changes

N/A

Reviewer Notes

  • Magic-link URLs still contain the one-time plaintext token because the email recipient needs it to authenticate, but they no longer include the user's email address.
  • Existing old links with email= remain accepted because the extra query param is ignored.
  • Rollback caveat: email-less links generated after this deploy may fail under old code until token expiry (30 minutes).
  • Existing archived URLs from the pentest report still require separate operational removal requests with archive.org.
  • Rollout watchpoints: /api/auth/callback/email errors, /auth/verify-magic-link failures, magic-link request-to-consumption rate, SSO-domain sign-in completion, PostHog $current_url values containing token= or email=.

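The sanitizer the summary describes (redact token, email, callbackUrl, code and state; drop the whole query string for /auth/verify-magic-link; apply the same rewrite to PostHog's default $current_url and $referrer properties from a before_send hook), written out here as an added example. This is not the code in apps/web/src/lib/sanitize-analytics-url.ts or the project's PostHogProvider; the function names, the REDACTED marker, the fail-closed handling of unparsable values, the fragment stripping and the sample URLs are all assumptions made for the example.

```typescript
// Added example, not the project's implementation. Names, the REDACTED
// marker and the sample inputs below are assumptions for illustration.

// Query keys whose values must never reach analytics (matched case-insensitively).
const SENSITIVE_PARAMS = new Set(["token", "email", "callbackurl", "code", "state"]);
// Paths whose entire query string is dropped, not just the known keys.
const DROP_ALL_QUERY_PATHS = new Set(["/auth/verify-magic-link"]);
const REDACTED = "REDACTED";

// Returns a version of `raw` that is safe to send to analytics. Input that
// does not parse as an absolute URL but looks like it carries query data fails
// closed (whole value replaced); bare sentinels such as PostHog's "$direct"
// referrer pass through unchanged.
function sanitizeAnalyticsUrl(raw: string): string {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return /[?#=]/.test(raw) ? REDACTED : raw;
  }
  // Fragments never reach the server, but client-side flows can still put
  // tokens in them, so they are dropped as well.
  url.hash = "";
  if (DROP_ALL_QUERY_PATHS.has(url.pathname)) {
    url.search = "";
    return url.toString();
  }
  // Snapshot the keys first: mutating URLSearchParams while iterating it is unsafe.
  for (const key of Array.from(new Set(url.searchParams.keys()))) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) {
      // set() collapses duplicate keys into a single redacted pair at the
      // original position, so a repeated ?token=a&token=b leaks nothing.
      url.searchParams.set(key, REDACTED);
    }
  }
  return url.toString();
}

// Minimal shape of a posthog-js capture payload; only the fields used here.
type CaptureLike = { event: string; properties: Record<string, unknown> } | null;

// Default event properties that carry full URLs. $referring_domain is a bare
// hostname with no query string to scrub, so it is left alone.
const URL_PROPERTIES = ["$current_url", "$referrer"] as const;

// before_send-style hook: rewrite URL-bearing properties in place and return
// the event so PostHog still sends it (returning null would drop it).
function sanitizeEventUrls(event: CaptureLike): CaptureLike {
  if (!event) return event;
  for (const key of URL_PROPERTIES) {
    const value = event.properties[key];
    if (typeof value === "string") {
      event.properties[key] = sanitizeAnalyticsUrl(value);
    }
  }
  return event;
}
```

Wiring it into posthog-js is assumed to be `posthog.init(key, { before_send: sanitizeEventUrls })`; because the hook sees every event, pageleave and autocapture events get the same treatment as manual pageviews, which is the gap the summary's before_send bullet closes. The fail-closed branch matters for the watchpoint in the reviewer notes: a value that cannot be parsed but contains "?" or "=" is more likely a malformed link carrying a token than harmless data.
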
@kilo-code-bot
Contributor

kilo-code-bot Bot commented Apr 13, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (3 files)
  • apps/web/src/components/PostHogProvider.tsx
  • apps/web/src/lib/sanitize-analytics-url.test.ts
  • apps/web/src/lib/sanitize-analytics-url.ts

Reviewed by gpt-5.4-2026-03-05 · 869,118 tokens

@jeanduplessis jeanduplessis force-pushed the fix/pentest-l2-magic-link-privacy branch from 86676ab to b55fa55 on April 24, 2026 07:51
@jeanduplessis jeanduplessis merged commit 1b59d3c into main Apr 24, 2026
16 checks passed
@jeanduplessis jeanduplessis deleted the fix/pentest-l2-magic-link-privacy branch April 24, 2026 10:50