
fix(privacy): scrub magic link URLs #2359

Open

jeanduplessis wants to merge 3 commits into main from fix/pentest-l2-magic-link-privacy

Conversation

jeanduplessis (Contributor) commented Apr 13, 2026

Summary

Pentest L2 identified archived Wayback Machine URLs where magic-link verification links exposed both login tokens and user email addresses in the query string. This PR keeps the existing magic-link token model but removes email PII from generated verification URLs and reduces future leakage paths.

L2: Magic-link URL privacy

  • Why needed: Magic-link emails generated /auth/verify-magic-link?token=...&email=... URLs. If email clients, browser tooling, analytics, or archive crawlers observe the URL, the email address becomes permanently visible in external URL logs/archives.
  • Solution chosen: Removed the email query parameter from generated magic-link URLs. The token already maps to the email in magic_link_tokens, so the credentials provider now verifies the token and derives the user email from the consumed token row.
  • Redirect hardening: Auth failure redirects and SSO-enforcement redirects no longer append email=. This avoids reintroducing browser-visible email query strings after the initial magic-link URL has been scrubbed.
  • UX fallback: The sign-in flow already stores the last entered auth email in the existing signin_hint localStorage record. That keeps same-browser returning-user and SSO prefill behavior without sending email through server-generated URLs.
  • Analytics hardening: PostHog pageview capture now sanitizes sensitive query params (token, email, callbackUrl, code, state) and drops all query params for /auth/verify-magic-link before sending $current_url.
  • Crawler/archive controls: Added Disallow: /auth/verify-magic-link to robots.txt and set Cache-Control: no-store plus X-Robots-Tag: noindex, noarchive, nofollow on the verification route.
  • Copy fix: Magic-link email copy now says links expire in 30 minutes, matching the token default instead of saying 24 hours.
  • Trade-off: This cannot remove already archived Wayback Machine URLs; those still need operational archive.org cleanup. It prevents the repo-owned app from generating the email-bearing URL shape going forward.

This is intentionally separate from #2352 so the Wayback/magic-link remediation can be reviewed, deployed, and rolled back independently.

Verification

  • Spec alignment: matched .plans/pentest-findings.md for code-related L1 scope.
  • Code evaluations: security, logic, types, data, resource, and style review agents ran across the implementation. Security review found a GTM dataLayer PII issue, the issue was fixed, and security re-review reported no findings.
  • Browser evaluations: agent-browser verified fake user login, CSP presence with nonce/Stripe sources, /api/user returning 401 after revocation with stale cookie, re-login after revocation, and stale admin route rejection for /admin/api/credit-categories.

Visual Changes

N/A

Reviewer Notes

Code Reviewer Notes
  • Magic-link URLs still contain the one-time plaintext token because the email recipient needs it to authenticate, but they no longer include the user's email address.
  • verifyAndConsumeMagicLinkToken already returns the DB row with email, so removing the client-supplied email avoids redundant PII without changing the token trust boundary.
  • Auth error and SSO redirects intentionally omit email even though URL prefill is common UX; existing client-side signin_hint preserves same-browser prefill without URL PII.
  • Sensitive analytics URL sanitization is generic and covers OAuth-style query params in addition to magic-link params.
  • Robots/noarchive headers are defense-in-depth; archive.org or third-party tooling may not honor them in every path, but app-owned headers now express the intended no-archive policy.
  • Existing archived URLs from the pentest report require separate operational removal requests with archive.org.
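As an added illustration of the analytics-hardening and route-scrubbing rules described in this PR (example code, not the project's own; the function and constant names are hypothetical, while the parameter list and the /auth/verify-magic-link rule come from the description above):

```typescript
// Added example: scrub sensitive query params from a URL before it is sent
// to a pageview capture such as PostHog's $current_url. Names below are
// hypothetical; the parameter list mirrors the PR description.
const SENSITIVE_PARAMS = new Set(["token", "email", "callbackurl", "code", "state"]);

// Routes whose query string is dropped entirely rather than redacted per key,
// because the one-time login token must never reach analytics in any form.
const STRIP_ALL_QUERY_PATHS = new Set(["/auth/verify-magic-link"]);

function sanitizeUrlForAnalytics(rawUrl: string): string {
  let url: URL;
  try {
    url = new URL(rawUrl);
  } catch {
    // Unparseable input is never forwarded as-is; report nothing instead.
    return "";
  }

  if (STRIP_ALL_QUERY_PATHS.has(url.pathname)) {
    url.search = "";
    url.hash = "";
    return url.toString();
  }

  // Redact values of sensitive keys (case-insensitive) while keeping the
  // remaining params so funnel analysis on harmless params still works.
  for (const key of Array.from(url.searchParams.keys())) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) {
      url.searchParams.set(key, "redacted");
    }
  }
  return url.toString();
}
```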

kilo-code-bot (bot, Contributor) commented Apr 13, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (3 files)
  • apps/web/src/lib/auth/redirect-urls.test.ts
  • apps/web/src/lib/auth/redirect-urls.ts
  • apps/web/src/lib/user.server.ts

Reviewed by gpt-5.4-2026-03-05 · 393,916 tokens
