Context
This issue tracks a security and contract-clarity concern found while reviewing PR #546 (generated OpenAPI sync). The Connected Accounts verification flow introduces/uses:
- connected_accountsGetMagicLinkForConnectedAccountRequest.user_verify_url (request)
- connected_accountsVerifyConnectedAccountUserResponse.post_user_verify_redirect_url (response)
Observation
- user_verify_url is currently a free-form string in the generated spec, and a later redirect URL is derived from that flow.
- Without an explicit constraint (URI + destination rules) and documented validation behaviour, integrators can unknowingly configure open redirects.
Impact
- Potential open-redirect risk for integrators.
- Contract underspecification (unclear what destinations are accepted, how validation is applied).
Requested outcome (tracking)
- Upstream generator/contract to declare user_verify_url/post_user_verify_redirect_url as URIs and document destination/validation rules (e.g., HTTPS, same-origin/allowlist).
- Server to enforce the same validation and error semantics.
- After upstream change merges, regenerate the public/api specs here.
Backlinks
Notes
- This repository contains generated OpenAPI artifacts under public/api/**. The actual fix should happen in the upstream APIs/generator repository; this issue exists here to track the change for docs sync.
- Requested by: @saif-at-scalekit
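
One way a server could enforce the destination rules requested above (HTTPS plus a host allowlist) on user_verify_url before any redirect is derived from it. This is an added example, not code from this repository or the upstream API; the function names, allowlist hosts and sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist; a real service would load this per integrator.
ALLOWED_HOSTS = frozenset({"app.example.com", "verify.example.com"})


def validate_user_verify_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return url if it is an absolute HTTPS URI on an allowlisted host.

    Raises ValueError otherwise, so the API can reject the request up front
    instead of later redirecting the user to an unvetted destination.
    """
    if not isinstance(url, str) or not url:
        raise ValueError("URL must be a non-empty string")
    # Whitespace, control characters and backslashes are interpreted
    # differently by browsers and URL libraries; reject, do not normalise.
    if any(ord(c) < 0x21 or ord(c) == 0x7F or c == "\\" for c in url):
        raise ValueError("URL contains forbidden characters")
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        raise ValueError("URL is not parseable") from exc
    # Rejects http:, javascript:, relative paths and scheme-relative //host.
    if parts.scheme != "https":
        raise ValueError("only https destinations are accepted")
    # https://trusted@other-host/ displays the trusted name but goes elsewhere.
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in the authority is not accepted")
    # Exact match on the parsed host, never a prefix or substring test.
    if (parts.hostname or "") not in allowed_hosts:
        raise ValueError("destination host is not on the allowlist")
    if port not in (None, 443):
        raise ValueError("non-default port is not accepted")
    return url


def is_accepted(url):
    """Boolean wrapper around validate_user_verify_url."""
    try:
        validate_user_verify_url(url)
        return True
    except ValueError:
        return False
```

The same function would be applied to post_user_verify_redirect_url before it is returned, so the request and response sides share one set of rules and error semantics.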