Fix redirect url (#703)

<!--

Make sure you've read the CONTRIBUTING.md guidelines:
https://github.com/stack-auth/stack-auth/blob/dev/CONTRIBUTING.md

-->

<!-- ELLIPSIS_HIDDEN -->


----

> [!IMPORTANT]
> Adds redirect URL validation in sign-up process and updates test URL
to localhost.
> 
>   - **Behavior**:
> - Adds `validateRedirectUrl` check in `POST` handler in `route.tsx` to
ensure `verificationCallbackUrl` is whitelisted.
>     - Throws `RedirectUrlNotWhitelisted` error if URL is not valid.
>   - **Tests**:
> - Updates `verificationCallbackUrl` in `scaffoldProject` in
`js-helpers.ts` to `http://localhost:3000`.
> 
> <sup>This description was created by </sup>[<img alt="Ellipsis"
src="https://img.shields.io/badge/Ellipsis-blue?color=175173">](https://www.ellipsis.dev?ref=stack-auth%2Fstack-auth&utm_source=github&utm_medium=referral)<sup>
for f25e26b9d3. You can
[customize](https://app.ellipsis.dev/stack-auth/settings/summaries) this
summary. It will automatically update as commits are pushed.</sup>


<!-- ELLIPSIS_HIDDEN -->

---------

Co-authored-by: Konsti Wohlwend <n2d4xc@gmail.com>

apps/backend/src/app/api/latest/auth/password/sign-up/route.tsx

@@ -1,3 +1,4 @@
+import { validateRedirectUrl } from "@/lib/redirect-urls";
 import { createAuthTokens } from "@/lib/tokens";
 import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
 import { runAsynchronouslyAndWaitUntil } from "@/utils/vercel";
@@ -39,6 +40,14 @@ export const POST = createSmartRouteHandler({
       throw new KnownErrors.PasswordAuthenticationNotEnabled();
     }
 
+    if (!validateRedirectUrl(
+      verificationCallbackUrl,
+      tenancy.config.domains,
+      tenancy.config.allow_localhost,
+    )) {
+      throw new KnownErrors.RedirectUrlNotWhitelisted();
+    }
+
     const passwordError = getPasswordError(password);
     if (passwordError) {
       throw passwordError;

apps/e2e/tests/backend/endpoints/api/v1/auth/password/sign-up.test.ts

@@ -56,6 +56,35 @@ it("should sign up new users", async ({ expect }) => {
   `);
 });
 
+it("should not sign up new users if verification callback url is not valid", async ({ expect }) => {
+  const mailbox = backendContext.value.mailbox;
+  const email = mailbox.emailAddress;
+  const password = generateSecureRandomString();
+  const response = await niceBackendFetch("/api/v1/auth/password/sign-up", {
+    method: "POST",
+    accessType: "client",
+    body: {
+      email,
+      password,
+      verification_callback_url: "http://invalid-domain.com",
+    },
+  });
+
+  expect(response).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 400,
+      "body": {
+        "code": "REDIRECT_URL_NOT_WHITELISTED",
+        "error": "Redirect URL not whitelisted. Did you forget to add this domain to the trusted domains list on the Stack Auth dashboard?",
+      },
+      "headers": Headers {
+        "x-stack-known-error": "REDIRECT_URL_NOT_WHITELISTED",
+        <some fields may have been hidden>,
+      },
+    }
+  `);
+});
+
 it("should not allow signing up with an e-mail that already exists", async ({ expect }) => {
   await Auth.Password.signUpWithEmail();
   const res2 = await niceBackendFetch("/api/v1/auth/password/sign-up", {

apps/e2e/tests/js/js-helpers.ts

@@ -17,7 +17,7 @@ export async function scaffoldProject(body?: Omit<AdminProjectCreateOptions, 'di
   Result.orThrow(await internalApp.signUpWithCredential({
     email: fakeEmail,
     password: "password",
-    verificationCallbackUrl: "https://stack-js-test.example.com/verify",
+    verificationCallbackUrl: "http://localhost:3000",
   }));
   const adminUser = await internalApp.getUser({
     or: 'throw',