feat: forward the complete mail-link query to the confirm API call#21
Merged
Conversation
The confirm page built the API URL from only email/code/user, dropping any other param the Aktionariat mail link carries before it could reach the API's audit log. Forward the full incoming query instead: keep the existing handling of the three known params (email lowercased, code/user untouched) and append every other param verbatim, stripping only the web's own control knobs (api, mock). hasRequiredParams still gates on email/code/user. Counterpart to the API raw-request logging; no visual or CSP change (same API host, no new connect-src).
…ation gate hasRequiredParams gates the confirm request on the first-occurrence email/code/user (URLSearchParams.get), but the forwarded query was built from a forEach map that keeps the LAST value of a duplicated key. A crafted link repeating a modelled key (e.g. ?email=a&...&email=b) therefore validated one value but forwarded the other. Pin the three modelled params in the forwarded object back to the already validated first-occurrence locals. Every other, unmodelled param keeps being forwarded verbatim, and the web-only api/mock knobs are still stripped; the single-valued link is byte-identical. Adds a Playwright case proving the duplicate-key link forwards the first occurrence, not the last.
Contributor
Author
|
Reviews complete — conformance + logic, adversarial (each finding independently verified):
CI green: Quality (incl. coverage gate, 100% on |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Forward the complete mail-link query to the API confirm call so no param is dropped before the API can audit it.
buildConfirmUrlpreviously hardcoded?email=&code=&user=. The confirm flow now sends every param present inwindow.location.search:emaillowercased,code/useruntouched.lang) is appended verbatim, URL-encoded.api(local-preview API-base override) andmock(preview hook) — are stripped, as they are not part of the Aktionariat mail-link data.hasRequiredParamsstill gates the flow onemail/code/user.Why
This is the counterpart to the API's raw-request logging: without it, any extra param the Aktionariat link carries never reaches the API and can't be audited.
Not changed
connect-src.Verification (on the build host)
format:check,validate:html,check:site: clean.public/js/lib/**(incl. the newbuildConfirmUrlbranches).site.spec.mjs+behavior.spec.mjs): 31 passed, 0 failed. Adds one confirm-flow test asserting an extra param reaches the API while the web-onlyapiknob is not forwarded.