Fix: Replace z.httpUrl() with z.url() constrained to http/https for localhost compatibility

taheerahmed · taheerahmed · commit 14a91a3f6aca · 2026-02-26T03:32:59.000+05:30
z.httpUrl() rejects localhost URLs, causing Zod validation errors during local development when verifying email. z.url() with a protocol constraint still restricts to http/https while accepting localhost. Existing isExternalOrigin checks already handle redirect security. Closes #241
diff --git a/src/app/api/auth/confirm/route.ts b/src/app/api/auth/confirm/route.ts
@@ -9,7 +9,7 @@ import { z } from 'zod'
 const confirmSchema = z.object({
   token_hash: z.string().min(1),
   type: OtpTypeSchema,
-  next: z.httpUrl(),
+  next: z.url({ protocol: /^https?$/ }),
 })
 
 /**
diff --git a/src/server/api/models/auth.models.ts b/src/server/api/models/auth.models.ts
@@ -14,7 +14,7 @@ export type OtpType = z.infer<typeof OtpTypeSchema>
 export const ConfirmEmailInputSchema = z.object({
   token_hash: z.string().min(1),
   type: OtpTypeSchema,
-  next: z.httpUrl(),
+  next: z.url({ protocol: /^https?$/ }),
 })
 
 export type ConfirmEmailInput = z.infer<typeof ConfirmEmailInputSchema>
