From cfb9af807aeeaece21d5c31270c85245f5ab1aea Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Fri, 22 May 2026 01:05:43 +0000
Subject: [PATCH] fix: only trust https:// for built-with domain, not http://

Co-Authored-By: Konstantin Wohlwend
---
 apps/backend/src/lib/redirect-urls.test.tsx | 7 ++++---
 apps/backend/src/lib/redirect-urls.tsx      | 1 -
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/apps/backend/src/lib/redirect-urls.test.tsx b/apps/backend/src/lib/redirect-urls.test.tsx
index 0e2faa71d..f2e327d4b 100644
--- a/apps/backend/src/lib/redirect-urls.test.tsx
+++ b/apps/backend/src/lib/redirect-urls.test.tsx
@@ -491,8 +491,8 @@ describe('validateRedirectUrl', () => {
     expect(validateRedirectUrl(`https://${projectId}.built-with-stack-auth.com/`, tenancy)).toBe(true);
     expect(validateRedirectUrl(`https://${projectId}.built-with-stack-auth.com/handler/oauth-callback`, tenancy)).toBe(true);
 
-    // HTTP on the built-with domain should also be trusted
-    expect(validateRedirectUrl(`http://${projectId}.built-with-stack-auth.com/callback`, tenancy)).toBe(true);
+    // HTTP on the built-with domain should NOT be trusted
+    expect(validateRedirectUrl(`http://${projectId}.built-with-stack-auth.com/callback`, tenancy)).toBe(false);
 
     // Different project IDs should NOT be trusted
     expect(validateRedirectUrl('https://other-project.built-with-stack-auth.com/callback', tenancy)).toBe(false);
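Review bot: The negative cases in this hunk only cover the scheme and a different project ID; nothing pins that the hosted-domain match is anchored on the full host, which is the classic redirect-validation bypass shape. I would add, next to the "Different project IDs" check, `expect(validateRedirectUrl(\`https://${projectId}.built-with-stack-auth.com.evil.com/callback\`, tenancy)).toBe(false);` and `expect(validateRedirectUrl(\`https://${projectId}.built-with-stack-auth.com@evil.com/callback\`, tenancy)).toBe(false);`. The matcher itself is not visible here, so these may already pass; the point is that the test file should lock that in alongside the new scheme assertion. The enclosing `it` block starts outside the hunk.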
@@ -513,8 +513,9 @@ describe('validateRedirectUrl', () => {
         },
       },
     }, projectId);
-    expect(validateRedirectUrl(`http://${projectId}.localhost:8109/callback`, tenancy)).toBe(true);
+    // Only HTTPS should be trusted, even for localhost-based dev suffix
     expect(validateRedirectUrl(`https://${projectId}.localhost:8109/callback`, tenancy)).toBe(true);
+    expect(validateRedirectUrl(`http://${projectId}.localhost:8109/callback`, tenancy)).toBe(false);
 
     // Wrong port should NOT be trusted
     expect(validateRedirectUrl(`http://${projectId}.localhost:9999/callback`, tenancy)).toBe(false);
diff --git a/apps/backend/src/lib/redirect-urls.tsx b/apps/backend/src/lib/redirect-urls.tsx
index 972cfd6fc..3b83a7890 100644
--- a/apps/backend/src/lib/redirect-urls.tsx
+++ b/apps/backend/src/lib/redirect-urls.tsx
@@ -23,7 +23,6 @@ export function validateRedirectUrl(
     allowLocalhost: tenancy.config.domains.allowLocalhost,
     trustedDomains: [
       ...Object.values(tenancy.config.domains.trustedDomains).map(domain => domain.baseUrl),
-      `http://${hostedDomain}`,
       `https://${hostedDomain}`,
     ],
   });
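Review bot: The "Wrong port should NOT be trusted" assertion at the end of this hunk has become vacuous: it uses `http://`, which the new scheme rule (asserted two lines above) now rejects regardless of port, so the test no longer proves the port is checked. Change it to `expect(validateRedirectUrl(\`https://${projectId}.localhost:9999/callback\`, tenancy)).toBe(false);` so the only thing differing from the accepted URL is the port. The tenancy setup for this case starts outside the hunk, so I cannot tell whether `allowLocalhost` is enabled here; if it is, the assertion that `http://${projectId}.localhost:8109` is rejected also pins that the localhost allowance does not extend to `*.localhost` subdomains, which is worth stating in the comment.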
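Review bot: The remaining `https://${hostedDomain}` entry carries no explanation of why its http:// sibling is gone, and a future maintainer chasing a local-dev complaint is likely to put it back. I would annotate it with `// Only https:// is trusted for the hosted domain: an http:// redirect target would expose the OAuth code/tokens to any on-path attacker.` Since `hostedDomain` can be a `*.localhost:<port>` dev suffix (per the test file), local development over plain http now depends entirely on `allowLocalhost` rather than this list; confirm that path still works, or document that the dev suffix must be served over TLS. `validateRedirectUrl` starts outside the hunk, and the `hostedDomain` construction is not visible here.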