Conversation

@az2924 (Collaborator) commented Feb 8, 2026

740

Description of changes

  • Added check for request Referer to validate domain
  • Updated and added additional test

Checklist before review

  • I have done a thorough self-review of the PR
  • Copilot has reviewed my latest changes, and all comments have been fixed and/or closed.
  • If I have made database changes, I have made sure I followed all the db repo rules listed in the wiki here. (check if no db changes)
  • All tests have passed
  • I have successfully deployed this PR to staging
  • I have done manual QA in both dev (and staging if possible) and attached screenshots below.

Screenshots

Dev

(screenshots IMG_8738 and IMG_8739 attached)

Staging

@az2924 (Collaborator, Author) commented Feb 8, 2026

/deploy

@github-actions bot (Contributor) commented Feb 8, 2026

Available PR Commands

  • /ai - Triggers all AI review commands at once
  • /review - AI review of the PR changes
  • /describe - AI-powered description of the PR
  • /improve - AI-powered suggestions
  • /deploy - Deploy to staging

See: https://github.com/tahminator/codebloom/wiki/CI-Commands

@github-actions bot (Contributor) commented Feb 8, 2026

Title

740: Fixed diff host email verif success


PR Type

Bug fix, Tests


Description

  • Validate request origin via Referer

  • Early redirect on invalid verification origin

  • Update tests to include origin validation

  • Add test for invalid origin denial


Diagram Walkthrough

flowchart LR
  req["Incoming /school/verify request"]
  origin["Extract Referer and allowed URL"]
  check["Origin startsWith allowed URL?"]
  deny["Redirect to /settings with error"]
  proceed["Proceed with session and JWT checks"]
  ok["Redirect with success message"]
  fail["Redirect with error on failures"]

  req --> origin --> check
  check -- "no" --> deny
  check -- "yes" --> proceed
  proceed -- "success" --> ok
  proceed -- "failure" --> fail

File Walkthrough

Relevant files

Bug fix: AuthController.java (+8/-0)
src/main/java/org/patinanetwork/codebloom/api/auth/AuthController.java
Add origin validation to email verification
  • Retrieve Referer and allowed domain URL
  • Validate origin via startsWith check
  • Early redirect on invalid request origin
  • Preserve existing verification flow otherwise

Tests: AuthControllerTest.java (+29/-0)
src/test/java/org/patinanetwork/codebloom/api/auth/AuthControllerTest.java
Cover origin validation in controller tests
  • Mock Referer and allowed URL in tests
  • Add invalid origin test expecting error redirect
  • Update existing tests to pass origin check
  • Verify no session validation on invalid origin

@github-actions bot (Contributor) commented Feb 8, 2026

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 PR contains tests
🔒 Security concerns

CSRF and weak origin validation:
The endpoint performs state-changing actions via GET. While adding a Referer check helps, it is not a robust CSRF defense and can be error-prone. Additionally, using startsWith() on the Referer allows prefix-matching issues (e.g., https://allowed.com.attacker.com). Prefer:

  • Parsing the Referer and comparing exact scheme/host/port against a strict allowlist.
  • Considering a POST with CSRF protection, or verifying a signed token audience/host claim.
  • Ensuring SameSite cookie settings align with this flow.
⚡ Recommended focus areas for review

Weak Origin Check

Using startsWith() on the Referer can be bypassed by lookalike domains (e.g., allowed.com.attacker.com). Parse the Referer URL and compare scheme/host/port exactly to serverUrlUtils.getUrl(), or use a strict allowlist.

String referer = request.getHeader("Referer");
String allowedDomain = serverUrlUtils.getUrl();
boolean validOrigin = (referer != null && referer.startsWith(allowedDomain));

if (!validOrigin) {
    return new RedirectView("/settings?success=false&message=Invalid request origin");
}
Referer Optional

Many clients (email apps, privacy settings) omit the Referer; this would cause false negatives and block legitimate verification attempts. Consider a fallback (e.g., Origin/Host checks, token audience claim) or make the Referer requirement explicit in UX and tests (add a test for null Referer).

String referer = request.getHeader("Referer");
String allowedDomain = serverUrlUtils.getUrl();
boolean validOrigin = (referer != null && referer.startsWith(allowedDomain));

if (!validOrigin) {
    return new RedirectView("/settings?success=false&message=Invalid request origin");
}
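As an added example (not code from the codebloom project or from the review bot): the exact-origin comparison the reviewer guide recommends, written in Java. It parses the Referer with java.net.URI and compares scheme, host and effective port against the allowed application URL (assumed here to be the string returned by serverUrlUtils.getUrl()), and returns false for a missing Referer so the caller can apply an explicit fallback rather than silently passing. Hostnames in main are constructed sample values.

```java
import java.net.URI;
import java.net.URISyntaxException;

public final class OriginCheck {

    // True only when the Referer's scheme, host and effective port all equal
    // those of the allowed URL. A prefix match on the raw string is not enough:
    // "https://allowed.example.other.example" starts with "https://allowed.example".
    public static boolean isValidOrigin(String referer, String allowedUrl) {
        if (referer == null || referer.isBlank()) {
            // Many mail clients and privacy settings strip Referer entirely.
            // Report that as "not validated" and let the caller decide the fallback.
            return false;
        }
        try {
            URI ref = new URI(referer);
            URI allowed = new URI(allowedUrl);
            if (ref.getScheme() == null || ref.getHost() == null) {
                return false; // relative or opaque value, no origin to compare
            }
            return ref.getScheme().equalsIgnoreCase(allowed.getScheme())
                && ref.getHost().equalsIgnoreCase(allowed.getHost())
                && effectivePort(ref) == effectivePort(allowed);
        } catch (URISyntaxException e) {
            return false; // unparseable header is treated as invalid
        }
    }

    // Explicit port if present, otherwise the scheme default (443 for https, 80 otherwise).
    private static int effectivePort(URI u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    public static void main(String[] args) {
        // Constructed sample values; "allowed" stands in for serverUrlUtils.getUrl().
        String allowed = "https://allowed.example";
        String[] referers = {
            "https://allowed.example/settings",                  // same origin
            "https://allowed.example.other.example/settings",    // lookalike host
            "http://allowed.example/settings",                   // scheme differs
            "https://allowed.example:8443/settings",             // port differs
            null                                                 // header absent
        };
        for (String r : referers) {
            System.out.println(r + " -> " + isValidOrigin(r, allowed));
        }
    }
}
```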

740: Updated valid origin type
@az2924 (Collaborator, Author) commented Feb 8, 2026

/deploy

@az2924 (Collaborator, Author) commented Feb 12, 2026

/deploy
