From 4051594b2f410f01e883febad22eb9001a84f90e Mon Sep 17 00:00:00 2001
From: Mohamed Bassem <me@mbassem.com>
Date: Sun, 1 Feb 2026 17:20:17 +0000
Subject: feat: add support for redirectUrl after signup (#2439)

* feat: add support for redirectUrl after signup

* pr review

* more fixes

* format

* another fix
---
 packages/shared/utils/redirectUrl.test.ts | 89 +++++++++++++++++++++++++++++++
 packages/shared/utils/redirectUrl.ts      | 35 ++++++++++++
 packages/trpc/email.ts                    |  6 ++-
 packages/trpc/models/users.ts             | 12 +++--
 packages/trpc/routers/users.test.ts       |  1 +
 packages/trpc/routers/users.ts            | 17 ++++--
 6 files changed, 153 insertions(+), 7 deletions(-)
 create mode 100644 packages/shared/utils/redirectUrl.test.ts
 create mode 100644 packages/shared/utils/redirectUrl.ts

(limited to 'packages')

diff --git a/packages/shared/utils/redirectUrl.test.ts b/packages/shared/utils/redirectUrl.test.ts
new file mode 100644
index 00000000..97d52cf2
--- /dev/null
+++ b/packages/shared/utils/redirectUrl.test.ts
@@ -0,0 +1,89 @@
+import { describe, expect, it } from "vitest";
+
+import { isMobileAppRedirect, validateRedirectUrl } from "./redirectUrl";
+
+describe("validateRedirectUrl", () => {
+  it("should return undefined for null input", () => {
+    expect(validateRedirectUrl(null)).toBe(undefined);
+  });
+
+  it("should return undefined for undefined input", () => {
+    expect(validateRedirectUrl(undefined)).toBe(undefined);
+  });
+
+  it("should return undefined for empty string", () => {
+    expect(validateRedirectUrl("")).toBe(undefined);
+  });
+
+  it("should allow relative paths starting with '/'", () => {
+    expect(validateRedirectUrl("/")).toBe("/");
+    expect(validateRedirectUrl("/dashboard")).toBe("/dashboard");
+    expect(validateRedirectUrl("/settings/profile")).toBe("/settings/profile");
+    expect(validateRedirectUrl("/path?query=value")).toBe("/path?query=value");
+    expect(validateRedirectUrl("/path#hash")).toBe("/path#hash");
+  });
+
+  it("should reject protocol-relative URLs (//)", () => {
+    expect(validateRedirectUrl("//evil.com")).toBe(undefined);
+    expect(validateRedirectUrl("//evil.com/path")).toBe(undefined);
+  });
+
+  it("should allow karakeep:// scheme for mobile app", () => {
+    expect(validateRedirectUrl("karakeep://")).toBe("karakeep://");
+    expect(validateRedirectUrl("karakeep://callback")).toBe(
+      "karakeep://callback",
+    );
+    expect(validateRedirectUrl("karakeep://callback/path")).toBe(
+      "karakeep://callback/path",
+    );
+    expect(validateRedirectUrl("karakeep://callback?param=value")).toBe(
+      "karakeep://callback?param=value",
+    );
+  });
+
+  it("should reject http:// scheme", () => {
+    expect(validateRedirectUrl("http://example.com")).toBe(undefined);
+    expect(validateRedirectUrl("http://localhost:3000")).toBe(undefined);
+  });
+
+  it("should reject https:// scheme", () => {
+    expect(validateRedirectUrl("https://example.com")).toBe(undefined);
+    expect(validateRedirectUrl("https://evil.com/phishing")).toBe(undefined);
+  });
+
+  it("should reject javascript: scheme", () => {
+    expect(validateRedirectUrl("javascript:alert(1)")).toBe(undefined);
+  });
+
+  it("should reject data: scheme", () => {
+    expect(
+      validateRedirectUrl("data:text/html,<script>alert(1)</script>"),
+    ).toBe(undefined);
+  });
+
+  it("should reject other custom schemes", () => {
+    expect(validateRedirectUrl("file:///etc/passwd")).toBe(undefined);
+    expect(validateRedirectUrl("ftp://example.com")).toBe(undefined);
+    expect(validateRedirectUrl("mailto:test@example.com")).toBe(undefined);
+  });
+
+  it("should reject paths not starting with /", () => {
+    expect(validateRedirectUrl("dashboard")).toBe(undefined);
+    expect(validateRedirectUrl("path/to/page")).toBe(undefined);
+  });
+});
+
+describe("isMobileAppRedirect", () => {
+  it("should return true for karakeep:// URLs", () => {
+    expect(isMobileAppRedirect("karakeep://")).toBe(true);
+    expect(isMobileAppRedirect("karakeep://callback")).toBe(true);
+    expect(isMobileAppRedirect("karakeep://callback/path")).toBe(true);
+  });
+
+  it("should return false for other URLs", () => {
+    expect(isMobileAppRedirect("/")).toBe(false);
+    expect(isMobileAppRedirect("/dashboard")).toBe(false);
+    expect(isMobileAppRedirect("https://example.com")).toBe(false);
+    expect(isMobileAppRedirect("http://localhost")).toBe(false);
+  });
+});
diff --git a/packages/shared/utils/redirectUrl.ts b/packages/shared/utils/redirectUrl.ts
new file mode 100644
index 00000000..c2adffc0
--- /dev/null
+++ b/packages/shared/utils/redirectUrl.ts
@@ -0,0 +1,35 @@
+/**
+ * Validates a redirect URL to prevent open redirect attacks.
+ * Only allows:
+ * - Relative paths starting with "/" (but not "//" to prevent protocol-relative URLs)
+ * - The karakeep:// scheme for the mobile app
+ *
+ * @returns The validated URL if valid, otherwise undefined.
+ */
+export function validateRedirectUrl(
+  url: string | null | undefined,
+): string | undefined {
+  if (!url) {
+    return undefined;
+  }
+
+  // Allow relative paths starting with "/" but not "//" (protocol-relative URLs)
+  if (url.startsWith("/") && !url.startsWith("//")) {
+    return url;
+  }
+
+  // Allow karakeep:// scheme for mobile app deep links
+  if (url.startsWith("karakeep://")) {
+    return url;
+  }
+
+  // Reject all other schemes (http, https, javascript, data, etc.)
+  return undefined;
+}
+
+/**
+ * Checks if the redirect URL is a mobile app deep link.
+ */
+export function isMobileAppRedirect(url: string): boolean {
+  return url.startsWith("karakeep://");
+}
diff --git a/packages/trpc/email.ts b/packages/trpc/email.ts
index b837656e..15e1ef74 100644
--- a/packages/trpc/email.ts
+++ b/packages/trpc/email.ts
@@ -55,8 +55,12 @@ export const sendVerificationEmail = withTracing(
     email: string,
     name: string,
     token: string,
+    redirectUrl?: string,
   ) => {
-    const verificationUrl = `${serverConfig.publicUrl}/verify-email?token=${encodeURIComponent(token)}&email=${encodeURIComponent(email)}`;
+    let verificationUrl = `${serverConfig.publicUrl}/verify-email?token=${encodeURIComponent(token)}&email=${encodeURIComponent(email)}`;
+    if (redirectUrl) {
+      verificationUrl += `&redirectUrl=${encodeURIComponent(redirectUrl)}`;
+    }
 
     const mailOptions = {
       from: serverConfig.email.smtp!.from,
diff --git a/packages/trpc/models/users.ts b/packages/trpc/models/users.ts
index 5d3c3785..671f7d74 100644
--- a/packages/trpc/models/users.ts
+++ b/packages/trpc/models/users.ts
@@ -61,7 +61,7 @@ export class User {
 
   static async create(
     ctx: Context,
-    input: z.infer<typeof zSignUpSchema>,
+    input: z.infer<typeof zSignUpSchema> & { redirectUrl?: string },
     role?: "user" | "admin",
   ) {
     const salt = generatePasswordSalt();
@@ -76,7 +76,12 @@ export class User {
     if (serverConfig.auth.emailVerificationRequired) {
       const token = await User.genEmailVerificationToken(ctx.db, input.email);
       try {
-        await sendVerificationEmail(input.email, input.name, token);
+        await sendVerificationEmail(
+          input.email,
+          input.name,
+          token,
+          input.redirectUrl,
+        );
       } catch (error) {
         console.error("Failed to send verification email:", error);
       }
@@ -227,6 +232,7 @@ export class User {
   static async resendVerificationEmail(
     ctx: Context,
     email: string,
+    redirectUrl?: string,
   ): Promise<void> {
     if (
       !serverConfig.auth.emailVerificationRequired ||
@@ -255,7 +261,7 @@ export class User {
 
     const token = await User.genEmailVerificationToken(ctx.db, email);
     try {
-      await sendVerificationEmail(email, user.name, token);
+      await sendVerificationEmail(email, user.name, token, redirectUrl);
     } catch (error) {
       console.error("Failed to send verification email:", error);
       throw new TRPCError({
diff --git a/packages/trpc/routers/users.test.ts b/packages/trpc/routers/users.test.ts
index 605d14fc..ccde4c86 100644
--- a/packages/trpc/routers/users.test.ts
+++ b/packages/trpc/routers/users.test.ts
@@ -1116,6 +1116,7 @@ describe("User Routes", () => {
         "resend@test.com",
         "Test User",
         expect.any(String), // token
+        undefined, // redirectUrl
       );
     });
 
diff --git a/packages/trpc/routers/users.ts b/packages/trpc/routers/users.ts
index abd50d63..c11a0ffd 100644
--- a/packages/trpc/routers/users.ts
+++ b/packages/trpc/routers/users.ts
@@ -11,6 +11,7 @@ import {
   zWhoAmIResponseSchema,
   zWrappedStatsResponseSchema,
 } from "@karakeep/shared/types/users";
+import { validateRedirectUrl } from "@karakeep/shared/utils/redirectUrl";
 
 import {
   adminProcedure,
@@ -31,7 +32,7 @@ export const usersAppRouter = router({
         maxRequests: 3,
       }),
     )
-    .input(zSignUpSchema)
+    .input(zSignUpSchema.and(z.object({ redirectUrl: z.string().optional() })))
     .output(
       z.object({
         id: z.string(),
@@ -65,7 +66,11 @@ export const usersAppRouter = router({
           });
         }
       }
-      const user = await User.create(ctx, input);
+      const validatedRedirectUrl = validateRedirectUrl(input.redirectUrl);
+      const user = await User.create(ctx, {
+        ...input,
+        redirectUrl: validatedRedirectUrl,
+      });
       return {
         id: user.id,
         name: user.name,
@@ -206,10 +211,16 @@ export const usersAppRouter = router({
     .input(
       z.object({
         email: z.string().email(),
+        redirectUrl: z.string().optional(),
       }),
     )
     .mutation(async ({ input, ctx }) => {
-      await User.resendVerificationEmail(ctx, input.email);
+      const validatedRedirectUrl = validateRedirectUrl(input.redirectUrl);
+      await User.resendVerificationEmail(
+        ctx,
+        input.email,
+        validatedRedirectUrl,
+      );
       return { success: true };
     }),
   forgotPassword: publicProcedure
-- 
cgit v1.2.3-70-g09d2