docs(identity): per-request origin resolution for auth e-mail links #233

Closed
marcelo-maciel wants to merge 1 commit into fullstackhero:main from marcelo-maciel:docs/identity-origin-resolution
@marcelo-maciel

Contributor

Accompanies the starter-kit PRs #1323 (per-request front-end origin resolution) and #1324 (CORS allow-list pointed at the React client origins), which promised a separate docs follow-up.

What changed

  • modules/identity.mdx — new "Where auth e-mail links point (origin resolution)" section under Configuration: IOriginResolver, FrontendOrigin() (validates the request Origin against CorsOptions.AllowedOrigins) vs ApiOrigin() (configured origin, else request host), and that the confirmation link now targets the SPA /confirm-email page instead of the API route. Includes a security callout on AllowedOrigins gating anonymous e-mail links independently of AllowAll.
  • security/cors-and-headers.mdx — callout + updated "Common mistakes" noting that AllowedOrigins is now also the allow-list for auth e-mail link origins, not just browser CORS; an empty list makes forgot-password/register/self-register/resend-confirmation-email reject the request.
  • changelog/index.mdx — dated 2026-07-03 entry describing the change and the deployment action (populate AllowedOrigins).

Verification

npm run check (astro check) — 0 errors, 0 warnings. The 21 hints are pre-existing is:inline hints in BaseLayout.astro, unrelated to this change.
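
An added sketch of the allow-list check the description above refers to, not code from this PR or from the starter kit: `OriginAllowList`, its method signatures, the sample origins and the `userId`/`code` query names are assumptions; only `AllowedOrigins` and the `/confirm-email` path come from the text above.

```csharp
// Added illustration: OriginAllowList and the userId/code query names are hypothetical,
// not the starter kit's IOriginResolver implementation.
using System;
using System.Linq;

// Constructed sample values standing in for CorsOptions.AllowedOrigins.
string[] allowed = { "https://app.example.com", "http://localhost:5173" };

Show("https://app.example.com", allowed);                // listed origin
Show("https://APP.example.com/", allowed);               // same origin, different case and trailing slash
Show("https://unlisted.example", allowed);               // origin not in the list
Show(null, allowed);                                     // request without an Origin header
Show("https://app.example.com", Array.Empty<string>());  // empty allow-list

static void Show(string? origin, string[] allowList)
{
    var link = OriginAllowList.BuildConfirmEmailLink(origin, allowList, "42", "a+b/c=");
    Console.WriteLine($"{(origin ?? "(none)"),-28} -> {link ?? "reject request"}");
}

public static class OriginAllowList
{
    // Reduce a value to scheme://host[:port]; null unless it is a bare absolute http(s) origin.
    public static string? Normalize(string? value)
    {
        if (!Uri.TryCreate(value, UriKind.Absolute, out var uri)) return null;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return null;
        // An origin carries no credentials, path, query or fragment.
        if (uri.UserInfo.Length > 0 || uri.AbsolutePath != "/" || uri.Query.Length > 0 || uri.Fragment.Length > 0) return null;
        return $"{uri.Scheme}://{uri.Authority}";
    }

    // Return the request origin only when it exactly matches an allow-list entry.
    // There is no fallback to the Host header or to an "allow all" CORS switch.
    public static string? ResolveFrontendOrigin(string? requestOrigin, string[] allowList)
    {
        var candidate = Normalize(requestOrigin);
        return candidate is not null && allowList.Select(Normalize).Contains(candidate) ? candidate : null;
    }

    // Build the SPA /confirm-email link, or null when the caller must reject the request.
    public static string? BuildConfirmEmailLink(string? requestOrigin, string[] allowList, string userId, string code)
    {
        var origin = ResolveFrontendOrigin(requestOrigin, allowList);
        return origin is null ? null
            : $"{origin}/confirm-email?userId={Uri.EscapeDataString(userId)}&code={Uri.EscapeDataString(code)}";
    }
}
```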

…l links

Covers the IOriginResolver change (FrontendOrigin vs ApiOrigin), that
confirmation/reset links now target the SPA /confirm-email page, and that
CorsOptions.AllowedOrigins is the allow-list gating anonymous auth e-mail
links independently of AllowAll. Adds a changelog entry and cross-links
the Identity and CORS pages. Accompanies fullstackhero/dotnet-starter-kit
PRs #1323 and #1324.
@marcelo-maciel

Contributor Author

Duplicate of #232, which is more complete (also updates production-checklist.mdx) and is MERGEABLE/CLEAN. Closing in favour of #232.

@marcelo-maciel marcelo-maciel deleted the docs/identity-origin-resolution branch July 3, 2026 06:01