e2b-dev · drankou · May 14, 2026
@@ -4,12 +4,13 @@ import { z } from 'zod'
 import { AUTH_URLS } from '@/configs/urls'
 import { OtpTypeSchema } from '@/core/modules/auth/models'
 import { l } from '@/core/shared/clients/logger/logger'
+import { httpUrlSchema } from '@/core/shared/schemas/url'
 import { encodedRedirect, isExternalOrigin } from '@/lib/utils/auth'
 
 const confirmSchema = z.object({
   token_hash: z.string().min(1),
   type: OtpTypeSchema,
-  next: z.httpUrl(),
+  next: httpUrlSchema,
 })
 
 /**

@@ -1,4 +1,5 @@
 import z from 'zod'
+import { httpUrlSchema } from '@/core/shared/schemas/url'
 
 export const OtpTypeSchema = z.enum([
   'signup',
@@ -14,7 +15,7 @@ export type OtpType = z.infer<typeof OtpTypeSchema>
 export const ConfirmEmailInputSchema = z.object({
   token_hash: z.string().min(1),
   type: OtpTypeSchema,
-  next: z.httpUrl(),
+  next: httpUrlSchema,
 })
 
 export type ConfirmEmailInput = z.infer<typeof ConfirmEmailInputSchema>

@@ -1,5 +1,18 @@
 import { z } from 'zod'
 
+/**
+ * Validates that a string is a well-formed HTTP or HTTPS URL.
+ *
+ * Unlike `z.httpUrl()`, this also accepts localhost / 127.0.0.1 URLs so the
+ * email-verification flow works against a local Supabase setup in development.
+ *
+ * The schema only validates URL structure — redirect safety is enforced
+ * downstream by `isExternalOrigin()` and `buildRedirectUrl()` in the auth
+ * route handlers, which reconstruct the redirect using the dashboard's own
+ * origin and preserve only `pathname` + `searchParams` from the input.
+ */
+export const httpUrlSchema = z.url({ protocol: /^https?$/ })
+
 export const relativeUrlSchema = z
   .string()
   .trim()

@@ -0,0 +1,73 @@
+import { describe, expect, it } from 'vitest'
+import { httpUrlSchema } from '@/core/shared/schemas/url'
+
+describe('httpUrlSchema', () => {
+  describe('accepts valid http/https URLs', () => {
+    it('accepts https production URLs', () => {
+      expect(httpUrlSchema.safeParse('https://e2b.dev/dashboard').success).toBe(
+        true
+      )
+    })
+
+    it('accepts https URLs with paths and query params', () => {
+      expect(
+        httpUrlSchema.safeParse('https://e2b.dev/dashboard?tab=settings')
+          .success
+      ).toBe(true)
+    })
+
+    it('accepts http localhost URLs', () => {
+      expect(
+        httpUrlSchema.safeParse('http://localhost:3000/dashboard').success
+      ).toBe(true)
+    })
+
+    it('accepts http localhost without port', () => {
+      expect(httpUrlSchema.safeParse('http://localhost').success).toBe(true)
+    })
+
+    it('accepts http 127.0.0.1 URLs', () => {
+      expect(httpUrlSchema.safeParse('http://127.0.0.1:3000').success).toBe(
+        true
+      )
+    })
+
+    it('accepts https URLs with subdomains', () => {
+      expect(
+        httpUrlSchema.safeParse('https://app.e2b.dev/dashboard').success
+      ).toBe(true)
+    })
+  })
+
+  describe('rejects non-http(s) schemes', () => {
+    it('rejects mailto URLs', () => {
+      expect(httpUrlSchema.safeParse('mailto:user@example.com').success).toBe(
+        false
+      )
+    })
+
+    it('rejects ftp URLs', () => {
+      expect(httpUrlSchema.safeParse('ftp://files.example.com').success).toBe(
+        false
+      )
+    })
+
+    it('rejects file URLs', () => {
+      expect(httpUrlSchema.safeParse('file:///etc/passwd').success).toBe(false)
+    })
+
+    it('rejects javascript URLs', () => {
+      expect(httpUrlSchema.safeParse('javascript:alert(1)').success).toBe(false)
+    })
+  })
+
+  describe('rejects invalid inputs', () => {
+    it('rejects plain strings', () => {
+      expect(httpUrlSchema.safeParse('not-a-url').success).toBe(false)
+    })
+
+    it('rejects empty strings', () => {
+      expect(httpUrlSchema.safeParse('').success).toBe(false)
+    })
+  })
+})