improvement(platform): landing page cleanup, MX cache fixes, and auth util extraction #3683

Merged
waleedlatif1 merged 9 commits into staging from improvement/cleanup-landing
Mar 19, 2026

Conversation

@waleedlatif1
Collaborator

Summary

  • Removed dead variables in enterprise.tsx: `RESOURCE_TYPE_LABEL`, `resourceLabel`, `CHECK_PATH`, `allFeatures`
  • Fixed `#pricing` anchor links in navbar and footer to use `/#pricing` so they work from non-landing pages (e.g. /integrations)
  • Fixed duplicate page titles (`Integrations | Sim | Sim`) by removing the hardcoded `| Sim` suffix from integration page metadata — the root layout template already appends it
  • Fixed template matching for versioned block types (e.g. `gmail_v2` now correctly matches `gmail` templates)
  • Added bounded MX DNS result cache (1,000 entries, FIFO eviction) with TTL — prevents redundant DNS queries on repeated/concurrent sign-ups and caches timeout results with a shorter 60s TTL
  • Evict stale MX cache entries on lookup instead of just skipping them
  • Extracted duplicate `validateCallbackUrl` from `login-form.tsx` and `sso-form.tsx` into `lib/auth/validate-callback-url.ts`
  • Deduplicated `validateCallbackUrl` call in login form (was called twice per render)

Type of Change

  • Bug fix
  • Improvement

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel bot commented Mar 19, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Mar 19, 2026 8:59pm

@cursor

cursor bot commented Mar 19, 2026

PR Summary

Medium Risk
Moderate risk because it touches authentication redirect handling and server-side email MX caching behavior, which could affect post-login redirects and signup validation if the new utility or cache eviction behaves unexpectedly.

Overview
Auth redirect safety was refactored by extracting duplicated validateCallbackUrl logic into lib/auth/validate-callback-url.ts, updating both login-form.tsx and sso-form.tsx to use it, and avoiding repeated validation in login-form.tsx when deriving the callbackUrl.

Email MX disposable-backend caching was tightened by adding a bounded (FIFO-evicted) MX cache, explicitly evicting expired entries on lookup, and caching failures/timeouts for a short TTL to reduce repeated DNS work.

Landing page cleanup removes unused constants/variables from enterprise.tsx.

Written by Cursor Bugbot for commit 730c9ae.
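The bounded MX cache described in the PR summary and the overview above, as an added sketch that is not the project's `validation.ts`. `setMxCache` and `mxCache` are names from this page; `createMxCache`, `getMxCache`, the `guardExisting` switch, the injected `now` clock, the default TTL and the result strings are assumptions made for the example.

```javascript
// Added example; not the project's validation.ts. Result values are constructed.
const MAX_ENTRIES = 1000        // cap stated in the PR
const TIMEOUT_TTL_MS = 60_000   // 60 s TTL for timeout results, per the PR
const DEFAULT_TTL_MS = 300_000  // assumption: the PR does not state the normal TTL

function createMxCache(maxEntries = MAX_ENTRIES, guardExisting = true) {
  const mxCache = new Map() // a Map iterates in insertion order, oldest first

  function setMxCache(domain, result, now) {
    // With the guard on, overwriting a cached domain never evicts another entry.
    const isUpdate = guardExisting && mxCache.has(domain)
    if (!isUpdate && mxCache.size >= maxEntries) {
      mxCache.delete(mxCache.keys().next().value) // FIFO: drop the oldest key
    }
    const ttl = result === 'timeout' ? TIMEOUT_TTL_MS : DEFAULT_TTL_MS
    mxCache.set(domain, { result, expiresAt: now + ttl })
  }

  function getMxCache(domain, now) {
    const entry = mxCache.get(domain)
    if (entry === undefined) return undefined
    if (entry.expiresAt <= now) {
      mxCache.delete(domain) // evict the stale entry rather than skip it
      return undefined
    }
    return entry.result
  }

  return { setMxCache, getMxCache, has: (d) => mxCache.has(d), size: () => mxCache.size }
}

// Same-domain update on a full cache, with and without the has() guard.
function updateOnFullCache(guardExisting) {
  const cache = createMxCache(2, guardExisting)
  cache.setMxCache('a.example.test', 'has-mx', 0)
  cache.setMxCache('b.example.test', 'timeout', 0)
  cache.setMxCache('b.example.test', 'has-mx', 10) // second writer, same domain
  return { size: cache.size(), keptA: cache.has('a.example.test') }
}

console.log(updateOnFullCache(true), updateOnFullCache(false))
```

Passing `now` in explicitly keeps the TTL and eviction behaviour testable without waiting on a real clock.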

@greptile-apps
Contributor

greptile-apps bot commented Mar 19, 2026

Greptile Summary

This PR is a clean-up and improvement pass covering dead code removal in the enterprise landing component, anchor link fixes for /#pricing deep links from non-root pages, MX DNS cache bounding with FIFO eviction and TTL, and extraction of a duplicated validateCallbackUrl helper into a shared lib/auth/ utility.

Key changes:

  • Dead code removal (enterprise.tsx): RESOURCE_TYPE_LABEL, resourceLabel, CHECK_PATH, and allFeatures were defined but never consumed — all safely deleted.
  • validateCallbackUrl extraction (lib/auth/validate-callback-url.ts): Deduplicates identical logic that lived in both login-form.tsx and sso-form.tsx. The shared utility inherits a latent open-redirect issue: when window is undefined, currentOrigin becomes '' and url.startsWith('') is always true in JavaScript, meaning any URL would pass validation in a server-side context. Both current consumers are 'use client' components so this is not currently exploitable, but should be fixed before the utility is reused outside the browser.
  • Bounded MX cache (validation.ts): The unbounded Map is capped at 1,000 entries with FIFO eviction and a shorter 60 s TTL for timeout failures. The eviction helper setMxCache has a minor edge case: when called for a domain already present in a full map (concurrent same-domain lookups), it evicts an unrelated entry unnecessarily. Adding a !mxCache.has(domain) guard to the size check would close this.
  • Login form deduplication (login-form.tsx): The validateCallbackUrl call that previously ran twice per render is collapsed into a single isValidCallbackUrl constant. A secondary call inside onSubmit on line 178 is redundant since callbackUrl was already validated, but is harmless.

Confidence Score: 3/5

  • Safe to merge after addressing the open-redirect fallback in the new shared utility.
  • The MX cache and dead-code changes are solid. The main concern is the extracted validateCallbackUrl utility, which allows any URL when window is undefined — a pre-existing flaw that is now in a shared, reusable location and more likely to be called server-side in the future. The redundant validation call in onSubmit is harmless. No automated tests were added for the new utility or the cache eviction logic.
  • apps/sim/lib/auth/validate-callback-url.ts needs a server-side guard before the utility is reused outside client components.

Important Files Changed

| Filename | Overview |
| --- | --- |
| apps/sim/lib/auth/validate-callback-url.ts | New shared utility for callback URL validation — correctly extracted from two duplicate implementations, but inherits a latent open-redirect bug: url.startsWith('') returns true for any URL when window is undefined (server-side execution). |
| apps/sim/lib/messaging/email/validation.ts | Adds bounded FIFO MX cache (1,000 entries) with TTL and stale-entry eviction on lookup. Logic is sound, but setMxCache can unnecessarily evict an unrelated entry in the concurrent same-domain update case. |
| apps/sim/app/(auth)/login/login-form.tsx | Deduplicated validateCallbackUrl import and eliminated a redundant double-call per render. One remaining redundant validation call inside onSubmit is harmless but unnecessary. |
| apps/sim/ee/sso/components/sso-form.tsx | Clean removal of the local validateCallbackUrl duplicate; replaced with the shared import. No new issues introduced. |
| apps/sim/app/(home)/components/enterprise/enterprise.tsx | Dead code removed (RESOURCE_TYPE_LABEL, resourceLabel, CHECK_PATH, allFeatures) — all were defined but never used. Clean, no functional changes. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Login / SSO Form renders] --> B{callbackUrl param present?}
    B -- No --> C[callbackUrl = '/workspace']
    B -- Yes --> D[validateCallbackUrl]
    D --> E{url starts with '/'?}
    E -- Yes --> F[valid ✓]
    E -- No --> G{window defined?}
    G -- Yes --> H{url starts with window.location.origin?}
    H -- Yes --> F
    H -- No --> I[invalid ✗ → fallback '/workspace']
    G -- No --> J["currentOrigin = '' → url.startsWith('') = true ⚠️"]
    J --> F
    F --> K[callbackUrl = validated param]
    I --> C
    C --> L[Auth sign-in with safe callbackUrl]
    K --> L
```

Comments Outside Diff (1)

  1. apps/sim/app/(auth)/login/login-form.tsx, line 178

    P2 Redundant validateCallbackUrl call

    callbackUrl was already determined safe at component initialization: it is either the validated callbackUrlParam (which passed validateCallbackUrl) or the fallback '/workspace' (which starts with / and always passes). Re-validating it here will always return true and can be simplified:

Last reviewed commit: "refactor: extract va..."
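The empty-origin fallback flagged in the review above, as an added example that is not the project's code: `validateAsDescribed` reconstructs the check from the flowchart, and `validateHardened` is one hypothetical way to close it. The `origin` parameter stands in for `window.location.origin`; the hostnames and the placeholder base are constructed.

```javascript
// Added example; not the project's source. `origin` stands in for
// window.location.origin and is undefined where there is no window.
const APP_ORIGIN = 'https://app.example.test'            // constructed
const FOREIGN_URL = 'https://other.example.test/landing' // constructed

// The check as the review's flowchart describes it.
function validateAsDescribed(url, origin) {
  if (url.startsWith('/')) return true
  const currentOrigin = origin === undefined ? '' : origin
  // With currentOrigin === '' this is url.startsWith(''), true for any string.
  return url.startsWith(currentOrigin)
}

// Hypothetical hardened variant: parse the URL and compare origins. With no
// known origin, resolve against a placeholder base so that only relative
// paths can match and every absolute URL is rejected.
const PLACEHOLDER_BASE = 'http://placeholder.invalid'
function validateHardened(url, origin) {
  const base = typeof origin === 'string' && origin !== '' ? origin : PLACEHOLDER_BASE
  try {
    return new URL(url, base).origin === base
  } catch {
    return false // unparsable input is never a valid callback
  }
}

// Run both checks over the same inputs, with and without an origin.
function compare() {
  const rows = []
  for (const origin of [APP_ORIGIN, undefined]) {
    for (const url of ['/workspace', `${APP_ORIGIN}/workspace`, FOREIGN_URL]) {
      rows.push({
        origin: origin ?? '(no window)',
        url,
        asDescribed: validateAsDescribed(url, origin),
        hardened: validateHardened(url, origin),
      })
    }
  }
  return rows
}

console.table(compare())
```

Without an origin the hardened variant also rejects absolute same-origin URLs, so a caller falls back to its default path in that case.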

@waleedlatif1
Collaborator Author

The redundant validateCallbackUrl call on line 178 has been removed (see commit 1d7652c3). callbackUrl is already safe by construction — it is either the validated callbackUrlParam (which already passed validateCallbackUrl at initialization) or the '/workspace' fallback (which starts with / and always passes). Re-validating in onSubmit was unnecessary and has been cleaned up.

@waleedlatif1 waleedlatif1 merged commit 413c45d into staging Mar 19, 2026
6 checks passed
@waleedlatif1 waleedlatif1 deleted the improvement/cleanup-landing branch March 19, 2026 21:02