fix: prevent verify-email token consumption by link scanners (#343)

mbarrenechea · web-flow · commit 342cea4fb1c6 · 2026-05-07T17:23:36.000+02:00
* fix: prevent verify-email token consumption by link scanners

Verification was triggered server-side on GET render with no error
handling, so corporate email scanners (Safe Links, Proofpoint) could
consume the single-use token before the user clicked, leaving the page
broken. Move verification to a server action triggered by an explicit
"Confirm my email" button (POST), wrap the SDK call in try/catch with
server-side logging, and render a dedicated error state when the token
is no longer valid.

* style: format VerifyEmailResult union per prettier

* fix: don't redirect back to auth pages after sign-in

After a successful sign-in we were honouring the `redirectUrl` query
param even when it pointed to /auth/* pages — most notably
/auth/verify-email, where the token has already been consumed by then,
landing the user on a broken page.

- Sanitize `redirectUrl` in the sign-in form: reject any value that
  isn't a same-origin absolute path or that targets /auth/*, falling
  back to /private/my-reports.
- Stop the header from emitting `redirectUrl` when the current page is
  itself under /auth/, so the dirty value never enters the URL in the
  first place.
diff --git a/client/src/app/(frontend)/[locale]/(app)/auth/verify-email/actions.ts b/client/src/app/(frontend)/[locale]/(app)/auth/verify-email/actions.ts
@@ -0,0 +1,31 @@
+"use server";
+
+import { sdk } from "@/services/sdk";
+
+export type VerifyEmailResult =
+  | { success: true }
+  | { success: false; reason: "invalid" | "unknown" };
+
+export async function verifyEmailAction(token: string): Promise<VerifyEmailResult> {
+  if (!token) {
+    return { success: false, reason: "invalid" };
+  }
+
+  try {
+    await sdk.verifyEmail({
+      collection: "users",
+      token,
+    });
+    return { success: true };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    const isInvalid = /invalid/i.test(message) || /403/.test(message);
+
+    console.error("[verify-email] verification failed", {
+      reason: isInvalid ? "invalid" : "unknown",
+      message,
+    });
+
+    return { success: false, reason: isInvalid ? "invalid" : "unknown" };
+  }
+}
diff --git a/client/src/app/(frontend)/[locale]/(app)/auth/verify-email/page.tsx b/client/src/app/(frontend)/[locale]/(app)/auth/verify-email/page.tsx
@@ -7,8 +7,6 @@ import { VerifyEmail } from "@/containers/auth/verify-email";
 
 import { redirect } from "@/i18n/navigation";
 
-import { sdk } from "@/services/sdk";
-
 export const dynamic = "force-dynamic";
 
 type Params = Promise<{ locale: Locale }>;
@@ -41,17 +39,10 @@ export default async function VerifyEmailPage({
     });
   }
 
-  if (!!token && !Array.isArray(token)) {
-    await sdk.verifyEmail({
-      collection: "users",
-      token,
-    });
-  }
-
   return (
     <section className="flex grow items-center justify-center">
       <div className="mx-auto w-full max-w-lg">
-        <VerifyEmail />
+        <VerifyEmail token={token as string} />
       </div>
     </section>
   );
diff --git a/client/src/containers/auth/sign-in.tsx b/client/src/containers/auth/sign-in.tsx
@@ -27,6 +27,19 @@ export type SignInFormProps = React.ComponentProps<"div"> & {
   redirectUrl?: string;
 };
 
+const DEFAULT_REDIRECT = "/private/my-reports";
+
+function safeRedirect(url: string | null | undefined): string {
+  if (!url) return DEFAULT_REDIRECT;
+  // Reject anything that isn't a same-origin absolute path
+  if (!url.startsWith("/") || url.startsWith("//")) return DEFAULT_REDIRECT;
+  // Reject auth pages — signing in shouldn't bounce back to verify-email,
+  // sign-in itself, sign-up, password flows, etc.
+  const pathname = url.split("?")[0];
+  if (pathname.startsWith("/auth/")) return DEFAULT_REDIRECT;
+  return url;
+}
+
 export function SignInForm(props: SignInFormProps) {
   const router = useRouter();
   const searchParams = useSearchParams();
@@ -55,9 +68,7 @@ export function SignInForm(props: SignInFormProps) {
           if (r?.error) {
             throw new Error(r.error);
           }
-          router.push(
-            props.redirectUrl || searchParams.get("redirectUrl") || "/private/my-reports",
-          );
+          router.push(safeRedirect(props.redirectUrl || searchParams.get("redirectUrl")));
         }),
         {
           loading: t("auth-toast-logging-in"),
diff --git a/client/src/containers/auth/verify-email.tsx b/client/src/containers/auth/verify-email.tsx
@@ -1,29 +1,92 @@
 "use client";
 
+import { useState, useTransition } from "react";
+
 import { useTranslations } from "next-intl";
 
+import { verifyEmailAction } from "@/app/(frontend)/[locale]/(app)/auth/verify-email/actions";
+
 import { Button } from "@/components/ui/button";
 import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
 
 import { Link } from "@/i18n/navigation";
 
-export function VerifyEmail(props: React.ComponentProps<"div">) {
+type Status = "idle" | "success" | "error";
+
+interface VerifyEmailProps extends React.ComponentProps<"div"> {
+  token: string;
+}
+
+export function VerifyEmail({ token, ...props }: VerifyEmailProps) {
   const t = useTranslations();
+  const [status, setStatus] = useState<Status>("idle");
+  const [isPending, startTransition] = useTransition();
+
+  const handleConfirm = () => {
+    startTransition(async () => {
+      const result = await verifyEmailAction(token);
+      setStatus(result.success ? "success" : "error");
+    });
+  };
+
+  if (status === "success") {
+    return (
+      <Card className="border-none shadow-none" {...props}>
+        <CardHeader>
+          <CardTitle className="text-3xl text-primary">{t("auth-verify-email-title")}</CardTitle>
+          <CardDescription className="font-medium">
+            {t("auth-verify-email-description")}
+          </CardDescription>
+        </CardHeader>
+        <CardContent>
+          <Link href="/auth/sign-in">
+            <Button size="lg" className="w-full">
+              {t("auth-link-back-to-sign-in")}
+            </Button>
+          </Link>
+        </CardContent>
+      </Card>
+    );
+  }
+
+  if (status === "error") {
+    return (
+      <Card className="border-none shadow-none" {...props}>
+        <CardHeader>
+          <CardTitle className="text-3xl text-primary">
+            {t("auth-verify-email-error-title")}
+          </CardTitle>
+          <CardDescription className="font-medium">
+            {t("auth-verify-email-error-description")}
+          </CardDescription>
+        </CardHeader>
+        <CardContent>
+          <Link href="/auth/sign-in">
+            <Button size="lg" className="w-full">
+              {t("auth-link-back-to-sign-in")}
+            </Button>
+          </Link>
+        </CardContent>
+      </Card>
+    );
+  }
 
   return (
     <Card className="border-none shadow-none" {...props}>
       <CardHeader>
-        <CardTitle className="text-3xl text-primary">{t("auth-verify-email-title")}</CardTitle>
+        <CardTitle className="text-3xl text-primary">
+          {t("auth-verify-email-confirm-title")}
+        </CardTitle>
         <CardDescription className="font-medium">
-          {t("auth-verify-email-description")}
+          {t("auth-verify-email-confirm-description")}
         </CardDescription>
       </CardHeader>
       <CardContent>
-        <Link href="/auth/sign-in">
-          <Button size="lg" className="w-full">
-            {t("auth-link-back-to-sign-in")}
-          </Button>
-        </Link>
+        <Button size="lg" className="w-full" onClick={handleConfirm} disabled={isPending}>
+          {isPending
+            ? t("auth-verify-email-confirm-button-pending")
+            : t("auth-verify-email-confirm-button")}
+        </Button>
       </CardContent>
     </Card>
   );
diff --git a/client/src/containers/header/auth/desktop.tsx b/client/src/containers/header/auth/desktop.tsx
@@ -24,7 +24,10 @@ const AuthHeader = () => {
   const pathname = usePathname();
   const searchParams = useSearchParams();
   const currentUrl = `${pathname}${searchParams?.toString() ? `?${searchParams.toString()}` : ""}`;
-  const signInHref = `/auth/sign-in?redirectUrl=${encodeURIComponent(currentUrl)}`;
+  const isAuthPage = pathname.startsWith("/auth/");
+  const signInHref = isAuthPage
+    ? "/auth/sign-in"
+    : `/auth/sign-in?redirectUrl=${encodeURIComponent(currentUrl)}`;
 
   if (session && session.user.collection === "users") {
     // Get user initials for fallback
diff --git a/client/src/i18n/translations/en.json b/client/src/i18n/translations/en.json
@@ -189,6 +189,12 @@
   "auth-reset-password-description": "Enter your new password below",
   "auth-verify-email-title": "Your email has been verified",
   "auth-verify-email-description": "You can now sign in to your account using your credentials.",
+  "auth-verify-email-confirm-title": "Verify your email",
+  "auth-verify-email-confirm-description": "Click the button below to confirm your email address and activate your account.",
+  "auth-verify-email-confirm-button": "Confirm my email",
+  "auth-verify-email-confirm-button-pending": "Verifying...",
+  "auth-verify-email-error-title": "Verification link is no longer valid",
+  "auth-verify-email-error-description": "This link may have already been used or has expired. Try signing in to access your account.",
   "auth-check-email-title": "Check your email",
   "auth-check-email-description": "An email with instruction has been sent to your inbox. Please check your email. If you haven't received it, feel free to request another one.",
   "auth-field-name": "Name",
diff --git a/client/src/i18n/translations/es.json b/client/src/i18n/translations/es.json
@@ -189,6 +189,12 @@
   "auth-reset-password-description": "Introduce tu nueva contraseña a continuación",
   "auth-verify-email-title": "Tu correo electrónico ha sido verificado",
   "auth-verify-email-description": "Ya puedes iniciar sesión en tu cuenta usando tus credenciales.",
+  "auth-verify-email-confirm-title": "Verifica tu correo electrónico",
+  "auth-verify-email-confirm-description": "Haz clic en el botón para confirmar tu dirección de correo y activar tu cuenta.",
+  "auth-verify-email-confirm-button": "Confirmar mi correo",
+  "auth-verify-email-confirm-button-pending": "Verificando...",
+  "auth-verify-email-error-title": "El enlace de verificación ya no es válido",
+  "auth-verify-email-error-description": "Es posible que este enlace ya haya sido utilizado o haya expirado. Intenta iniciar sesión para acceder a tu cuenta.",
   "auth-check-email-title": "Revisa tu correo electrónico",
   "auth-check-email-description": "Se ha enviado un correo con instrucciones a tu bandeja de entrada. Por favor, revisa tu correo electrónico. Si no lo has recibido, puedes solicitar otro.",
   "auth-field-name": "Nombre",
diff --git a/client/src/i18n/translations/pt.json b/client/src/i18n/translations/pt.json
@@ -189,6 +189,12 @@
   "auth-reset-password-description": "Digite sua nova senha abaixo",
   "auth-verify-email-title": "Seu e-mail foi verificado",
   "auth-verify-email-description": "Agora você pode fazer login em sua conta usando suas credenciais.",
+  "auth-verify-email-confirm-title": "Verifique seu e-mail",
+  "auth-verify-email-confirm-description": "Clique no botão abaixo para confirmar seu endereço de e-mail e ativar sua conta.",
+  "auth-verify-email-confirm-button": "Confirmar meu e-mail",
+  "auth-verify-email-confirm-button-pending": "Verificando...",
+  "auth-verify-email-error-title": "O link de verificação não é mais válido",
+  "auth-verify-email-error-description": "Este link pode já ter sido utilizado ou expirou. Tente fazer login para acessar sua conta.",
   "auth-check-email-title": "Verifique seu e-mail",
   "auth-check-email-description": "Um e-mail com instruções foi enviado para sua caixa de entrada. Por favor, verifique seu e-mail. Se não recebeu, pode solicitar outro.",
   "auth-field-name": "Nome",
