Skip to content

fix(plugin-auth): harden all user-facing auth URLs to an absolute https origin#2865

Merged
os-zhuang merged 1 commit into
mainfrom
claude/invitation-link-https-prefix-wc05nn
Jul 13, 2026
Merged

fix(plugin-auth): harden all user-facing auth URLs to an absolute https origin#2865
os-zhuang merged 1 commit into
mainfrom
claude/invitation-link-https-prefix-wc05nn

Conversation

@os-zhuang

Copy link
Copy Markdown
Contributor

Context

Follow-up to #2847 (invitation accept link). That PR fixed the invitation URL; this one audits every other backend site that builds a user-facing link and fixes the same latent flaw.

Problem

Several links were built from the raw config.baseUrl with no scheme guarantee, so a bare-host baseUrl (e.g. cloud.objectos.ai) produced relative-looking, unclickable links:

Site File:line Feeds
better-auth baseURL auth-manager.ts:583 reset-password / verify-email / magic-link email links
loginPage / consentPage auth-manager.ts:1723-1724 OAuth login / consent redirects
verificationUri auth-manager.ts:1811 device-authorization flow
phone-invite SMS {{baseUrl}} sendPhoneInviteSms (:2201) account-invite SMS

Fix

All four now flow through the hardened getCanonicalOrigin() (introduced in #2847), which prepends https:// when the scheme is missing and trims a trailing slash. Deployments that already set an absolute baseUrl are unaffected (scheme preserved, only the trailing slash trimmed).

Tests

  • getAuthIssuer locks the normalization: bare host → https://…, explicit scheme + trailing slash preserved/trimmed (no doubling).
  • better-auth baseURL carries the scheme when configured as a bare host.
  • Full @objectstack/plugin-auth suite passes (406 tests).

Not included (need a product decision — flagged separately)

  • Phone-invite SMS landing path: currently points at the bare origin; arguably should point at ${origin}${uiBasePath}/login (or a set-password page). Only the scheme is fixed here.
  • @objectstack/client signInWithProvider default callbackURL (client/src/index.ts:1667) defaults to origin + '/login', missing the /_console prefix — left out because it changes a shared SDK's default behavior.

Changeset

@objectstack/plugin-auth: patch.

🤖 Generated with Claude Code


Generated by Claude Code

…ps origin

Follow-up to the invitation-link fix (#2847). Audited every backend site that
builds a user-facing link and found the same latent flaw: they read the raw
`config.baseUrl`, so a bare-host value (no scheme) yielded relative-looking,
unclickable links. Routed them all through the hardened getCanonicalOrigin():

- better-auth `baseURL` (583) — source of the reset-password / verify-email /
  magic-link email links.
- OAuth `loginPage` / `consentPage` (1723-1724).
- Device-authorization `verificationUri` (1811).
- Phone-invite SMS `{{baseUrl}}` (sendPhoneInviteSms, 2201).

Added tests: bare host promoted to https, explicit scheme/trailing slash
preserved (getAuthIssuer), and better-auth baseURL carries the scheme.
Full @objectstack/plugin-auth suite passes (406 tests).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01NT4mx1fHXtkxery6MtLTsp
@vercel

vercel Bot commented Jul 13, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
spec Ready Ready Preview, Comment Jul 13, 2026 2:32am

Request Review

@github-actions github-actions Bot added documentation Improvements or additions to documentation tests tooling size/s labels Jul 13, 2026
@github-actions

Copy link
Copy Markdown
Contributor

📓 Docs Drift Check

This PR changes 1 package(s): @objectstack/plugin-auth.

9 hand-written doc(s) reference the affected code and may need an implementation-accuracy re-verification:

  • content/docs/deployment/production-readiness.mdx (via @objectstack/plugin-auth)
  • content/docs/getting-started/cli.mdx (via @objectstack/plugin-auth)
  • content/docs/kernel/services-checklist.mdx (via @objectstack/plugin-auth)
  • content/docs/permissions/authentication.mdx (via @objectstack/plugin-auth)
  • content/docs/permissions/sso.mdx (via @objectstack/plugin-auth)
  • content/docs/plugins/index.mdx (via @objectstack/plugin-auth)
  • content/docs/plugins/packages.mdx (via @objectstack/plugin-auth)
  • content/docs/releases/implementation-status.mdx (via @objectstack/plugin-auth)
  • content/docs/releases/v9.mdx (via @objectstack/plugin-auth)

Advisory only. To re-verify, run the docs-accuracy-audit workflow scoped to these files:
node scripts/docs-audit/affected-docs.mjs origin/main → pass the list as args.docs.

@os-zhuang os-zhuang marked this pull request as ready for review July 13, 2026 02:49
@os-zhuang os-zhuang merged commit 160d565 into main Jul 13, 2026
16 checks passed
@os-zhuang os-zhuang deleted the claude/invitation-link-https-prefix-wc05nn branch July 13, 2026 02:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation size/s tests tooling

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants