feat: automatically trust project's hosted handler domain (built-with domain)

[N2D4]

Automatically accept <project-id>.built-with-stack-auth.com (or whatever the configured hosted handler domain suffix is) as a trusted domain for each project, without requiring it to be explicitly added in the project config.

Changes:

• redirect-urls.tsx: Include hosted handler domain (both HTTP and HTTPS) in trusted domains for redirect URL validation — this covers OAuth callbacks, passkeys, and all other redirect checks
• turnstile.tsx: Accept the hosted handler hostname for Turnstile verification
• oauth/model.tsx: Include hosted handler URL in OAuth client redirect URIs
• Added unit tests for the new behavior

Link to Devin session: https://app.devin.ai/sessions/11f027a384674ca9b703b14db1a80d46
Requested by: @N2D4

---

Note

Medium Risk
Expands the set of automatically trusted redirect/hostname origins based on an env-configured suffix and project ID, affecting OAuth redirect validation and bot-challenge hostname checks. Risk is moderate because mistakes could unintentionally widen redirect URI acceptance.

Overview
Automatically trusts the project hosted handler domain (<project-id>${NEXT_PUBLIC_STACK_HOSTED_HANDLER_DOMAIN_SUFFIX}) without requiring it in tenancy config.

validateRedirectUrl now always includes https://<project-id>.<suffix> in its trusted domain list (with a new getHostedHandlerDomainSuffix() helper), OAuthModel.getClient always adds the hosted handler /handler URL to redirectUris, and Turnstile hostname validation now treats the hosted handler hostname as allowed.

Adds unit tests covering default/custom suffix behavior and ensuring only the correct project/HTTPS hosted domain is accepted.

^{Reviewed by Cursor Bugbot for commit cfb9af8. Bugbot is set up for automated code reviews on this repo. Configure here.}

Summary by CodeRabbit

• New Features

  • Added support for platform-provided hosted handler domains as trusted endpoints across redirect URL validation, OAuth configuration, and Turnstile verification.
  • Hosted handler domains are now configurable via environment variables with a default built-with domain suffix.

• Tests

  • Added test coverage for hosted handler domain validation behavior.

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
stack-auth-hosted-components	Ready	Preview, Comment	May 22, 2026 1:15am
stack-auth-mcp	Ready	Preview, Comment	May 22, 2026 1:15am
stack-auth-skills	Ready	Preview, Comment	May 22, 2026 1:15am
stack-backend	Ready	Preview, Comment	May 22, 2026 1:15am
stack-dashboard	Ready	Preview, Comment	May 22, 2026 1:15am
stack-demo	Ready	Preview, Comment	May 22, 2026 1:15am
stack-docs	Ready	Preview, Comment	May 22, 2026 1:15am
stack-preview-backend	Ready	Preview, Comment	May 22, 2026 1:15am
stack-preview-dashboard	Ready	Preview, Comment	May 22, 2026 1:15am

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

Backend validation endpoints now trust a project-specific hosted handler domain derived from an environment-configurable suffix. A new shared helper getHostedHandlerDomainSuffix() is integrated into redirect URL validation, Turnstile hostname checking, and OAuth redirect URI configuration, with test coverage verifying the feature works as expected.

Changes

Hosted Handler Domain Trust Configuration

Layer / File(s)	Summary
Hosted handler domain suffix helper apps/backend/src/lib/redirect-urls.tsx	New exported getHostedHandlerDomainSuffix() function reads NEXT_PUBLIC_STACK_HOSTED_HANDLER_DOMAIN_SUFFIX environment variable with a default fallback to .built-with-stack-auth.com.
Redirect URL validation with hosted handler support apps/backend/src/lib/redirect-urls.tsx, apps/backend/src/lib/redirect-urls.test.tsx	validateRedirectUrl constructs the project-hosted handler domain and adds it to the trusted domains list. Test setup is updated to support parameterized projectId in createMockTenancy. New tests verify the hosted handler domain is trusted over HTTPS but rejected over HTTP or with wrong project IDs, and coexists with other trusted domains.
Turnstile hostname validation with hosted handler apps/backend/src/lib/turnstile.tsx	isAllowedTurnstileHostname imports the suffix helper and constructs the project-hosted handler URL as a trusted hostname when the Turnstile response hostname matches.
OAuth redirect URI configuration with hosted handler apps/backend/src/oauth/model.tsx	OAuthModel.getClient imports the suffix helper and appends the project-hosted handler /handler endpoint to the redirectUris list.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• hexclave/stack-auth#1458: Both PRs modify validateRedirectUrl behavior—this PR extends trustedDomains with the project hosted-handler domain, while the retrieved PR refactors validateRedirectUrl to delegate trusted-domain validation to the shared redirect-urls utility.

Suggested reviewers

• Copilot

Poem

🐰 A project domain, now trusted and true,
Built with Stack Auth, in the hosted queue,
From redirects to OAuth flows that gleam,
One suffix to rule the validation dream! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: automatically trusting the project's hosted handler domain without explicit configuration.
Description check	✅ Passed	The description comprehensively covers the changes across multiple files, explains the rationale, lists affected areas (OAuth, Turnstile, redirect validation), and mentions added tests.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch devin/1779411645-trust-hosted-handler-domain

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit cfb9af8. Configure here.}

[cursor]

Dev suffix breaks hosted trust

High Severity

The getHostedHandlerDomainSuffix function returns the raw NEXT_PUBLIC_STACK_HOSTED_HANDLER_DOMAIN_SUFFIX env var. In local dev, this includes an unresolved ${NEXT_PUBLIC_STACK_PORT_PREFIX:-81} placeholder. This causes the backend to trust a malformed hosted domain, leading to automatic redirect URL trust failures due to a mismatch with client-used domains.

 

^{Reviewed by Cursor Bugbot for commit cfb9af8. Configure here.}

[cursor]

Ignores hosted handler URL template

Medium Severity

Redirect, OAuth, and Turnstile trust only https://{projectId}{domainSuffix}, but hosted handler URLs come from NEXT_PUBLIC_STACK_HOSTED_HANDLER_URL_TEMPLATE when set (e.g. path-based http://localhost:PORT/{projectId}/handler/...). Those real URLs can stay untrusted despite this change.

Additional Locations (2)

• apps/backend/src/oauth/model.tsx#L78-L81
• apps/backend/src/lib/turnstile.tsx#L54-L58

 

^{Reviewed by Cursor Bugbot for commit cfb9af8. Configure here.}

[Copilot]

Pull request overview

This PR updates the backend’s domain/redirect validation logic to automatically treat each project’s hosted handler domain (<project-id><suffix>, e.g. <project-id>.built-with-stack-auth.com) as trusted without requiring explicit tenancy configuration, aligning redirect URL validation, OAuth redirect URI registration, and Turnstile hostname checks.

Changes:

• Add getHostedHandlerDomainSuffix() and include the hosted handler HTTPS origin in validateRedirectUrl trusted domains.
• Always append the hosted handler /handler URL to OAuth client redirectUris.
• Allow the hosted handler hostname in Turnstile hostname validation.
• Add unit tests for hosted handler redirect URL trust behavior.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

File	Description
apps/backend/src/lib/redirect-urls.tsx	Adds hosted handler suffix helper and auto-trusts hosted handler domain for redirect validation.
apps/backend/src/oauth/model.tsx	Adds hosted handler /handler URL to OAuth client redirect URIs.
apps/backend/src/lib/turnstile.tsx	Allows hosted handler hostname during Turnstile verification.
apps/backend/src/lib/redirect-urls.test.tsx	Adds tests to validate hosted handler domain redirect behavior.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[greptile-apps]

Greptile Summary

This PR automatically trusts each project's hosted handler domain (<project-id>.<suffix>) as a redirect URL, Turnstile hostname, and OAuth redirect URI, removing the requirement to manually add it in project settings.

• redirect-urls.tsx injects https://<project-id><suffix> into the trusted-domain list used for all redirect URL validation (OAuth callbacks, passkeys, etc.), and turnstile.tsx mirrors this for Turnstile hostname checks.
• oauth/model.tsx pushes the hosted-domain URI into the OAuth client's redirectUris list, but because this push is unconditional it makes the existing allowLocalhost empty-list guard permanently unreachable — the http://localhost fallback will never be added for projects using allowLocalhost: true with no configured trusted domains.

Confidence Score: 3/5

Safe to merge for HTTPS-only hosted-handler flows, but the localhost OAuth fallback in the OAuth model is now unreachable, which may silently break allowLocalhost-only projects depending on how the oauth2-server library behaves.

The redirect-URL and Turnstile changes are clean and well-tested. The concern in oauth/model.tsx is that the unconditional hosted-domain push makes the allowLocalhost guard permanently dead code, so the localhost URI is never added to client.redirectUris for projects with no configured trusted domains.

apps/backend/src/oauth/model.tsx — the allowLocalhost empty-list fallback block needs verification or removal.

Important Files Changed

Filename	Overview
apps/backend/src/lib/redirect-urls.tsx	Adds getHostedHandlerDomainSuffix() helper and injects https://. into the trusted-domain list; straightforward and correct.
apps/backend/src/lib/turnstile.tsx	Adds hosted-handler hostname check inside isAllowedTurnstileHostname; uses createUrlIfValid safely and mirrors the redirect-URL trust logic correctly.
apps/backend/src/oauth/model.tsx	Always pushes hosted-domain URI into redirectUris, making the subsequent allowLocalhost empty-list guard permanently dead. http://localhost will never be added to the OAuth client's redirectUris for projects that relied on that fallback.
apps/backend/src/lib/redirect-urls.test.tsx	Good coverage for the new hosted-handler trust paths; one test case for wrong port inadvertently passes for the wrong reason (HTTP instead of HTTPS).

Prompt To Fix All With AI

Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
apps/backend/src/lib/redirect-urls.test.tsx:519-520
**"Wrong port" test case uses HTTP, not HTTPS — it tests the wrong thing**

The assertion passes because the protocol is HTTP, not because the port is wrong. Since only `https://…` is added to trusted domains, any HTTP URL returns `false` regardless of the port. The test comment says "Wrong port should NOT be trusted" but it never reaches port-matching logic. To actually verify the port-mismatch rejection, the URL should use `https://`.

### Issue 2 of 2
apps/backend/src/oauth/model.tsx:83-85
**Dead code — localhost fallback is never reached**

The hosted domain URI is pushed unconditionally on line 81, so `redirectUris.length` is always `>= 1` when this guard is evaluated — the `length === 0` condition can never be true and the localhost fallback is unreachable. For projects that rely on `allowLocalhost: true` with no configured trusted domains, the localhost URI no longer appears in `client.redirectUris`. If the oauth2-server library uses that list for auto-selection when no `redirect_uri` is included in the request, those OAuth flows would change behavior silently. The block should either be removed (if `validateRedirectUri` is fully authoritative) or repositioned so the localhost fallback is still added when appropriate.

_{Reviews (1): Last reviewed commit: "fix: only trust https:// for built-with ..." | Re-trigger Greptile}

[greptile-apps]

"Wrong port" test case uses HTTP, not HTTPS — it tests the wrong thing

The assertion passes because the protocol is HTTP, not because the port is wrong. Since only https://… is added to trusted domains, any HTTP URL returns false regardless of the port. The test comment says "Wrong port should NOT be trusted" but it never reaches port-matching logic. To actually verify the port-mismatch rejection, the URL should use https://.

Prompt To Fix With AI

This is a comment left during a code review.
Path: apps/backend/src/lib/redirect-urls.test.tsx
Line: 519-520

Comment:
**"Wrong port" test case uses HTTP, not HTTPS — it tests the wrong thing**

The assertion passes because the protocol is HTTP, not because the port is wrong. Since only `https://…` is added to trusted domains, any HTTP URL returns `false` regardless of the port. The test comment says "Wrong port should NOT be trusted" but it never reaches port-matching logic. To actually verify the port-mismatch rejection, the URL should use `https://`.

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

Dead code — localhost fallback is never reached

The hosted domain URI is pushed unconditionally on line 81, so redirectUris.length is always >= 1 when this guard is evaluated — the length === 0 condition can never be true and the localhost fallback is unreachable. For projects that rely on allowLocalhost: true with no configured trusted domains, the localhost URI no longer appears in client.redirectUris. If the oauth2-server library uses that list for auto-selection when no redirect_uri is included in the request, those OAuth flows would change behavior silently. The block should either be removed (if validateRedirectUri is fully authoritative) or repositioned so the localhost fallback is still added when appropriate.

Prompt To Fix With AI

This is a comment left during a code review.
Path: apps/backend/src/oauth/model.tsx
Line: 83-85

Comment:
**Dead code — localhost fallback is never reached**

The hosted domain URI is pushed unconditionally on line 81, so `redirectUris.length` is always `>= 1` when this guard is evaluated — the `length === 0` condition can never be true and the localhost fallback is unreachable. For projects that rely on `allowLocalhost: true` with no configured trusted domains, the localhost URI no longer appears in `client.redirectUris`. If the oauth2-server library uses that list for auto-selection when no `redirect_uri` is included in the request, those OAuth flows would change behavior silently. The block should either be removed (if `validateRedirectUri` is fully authoritative) or repositioned so the localhost fallback is still added when appropriate.

How can I resolve this? If you propose a fix, please make it concise.