fix: remove exact equality checks for matcher for /me and /my-org

tusharpandey13 · tusharpandey13 · commit d3ca61abf1f2 · 2025-11-04T21:17:36.000+05:30
diff --git a/src/server/auth-client.ts b/src/server/auth-client.ts
@@ -417,15 +417,9 @@ export class AuthClient {
       this.enableConnectAccountEndpoint
     ) {
       return this.handleConnectAccount(req);
-    } else if (
-      sanitizedPathname === "/me" ||
-      sanitizedPathname.startsWith("/me/")
-    ) {
+    } else if (sanitizedPathname.startsWith("/me/")) {
       return this.handleMyAccount(req);
-    } else if (
-      sanitizedPathname === "/my-org" ||
-      sanitizedPathname.startsWith("/my-org/")
-    ) {
+    } else if (sanitizedPathname.startsWith("/my-org/")) {
       return this.handleMyOrg(req);
     } else {
       // no auth handler found, simply touch the sessions
diff --git a/src/server/proxy-handler.test.ts b/src/server/proxy-handler.test.ts
@@ -489,16 +489,13 @@ describe("Authentication Client - Custom Proxy Handler", async () => {
 
   // combine single level and multi level subpaths
   describe("Category 3: URL Path Matching & Transformation", () => {
-    it("3.1 should proxy to root path", async () => {
+    it("3.1 should reject exact proxy path without subpath (security)", async () => {
+      // Security: The My Account and My Org APIs have no endpoints at exactly /me or /my-org
+      // All real endpoints are like /me/v1/... or /my-org/v1/...
+      // Accepting exact paths could lead to security issues
       const session = createInitialSessionData();
       const cookie = await createSessionCookie(session, secret);
 
-      server.use(
-        http.get(`${DEFAULT.upstreamBaseUrl}`, () => {
-          return HttpResponse.json({ path: "/" });
-        })
-      );
-
       const request = new NextRequest(
         new URL(DEFAULT.proxyPath, DEFAULT.appBaseUrl),
         {
@@ -508,10 +505,11 @@ describe("Authentication Client - Custom Proxy Handler", async () => {
       );
 
       const response = await authClient.handler(request);
+      // Should not proxy - should just touch sessions and return Next response
       expect(response.status).toBe(200);
-
-      const data = await response.json();
-      expect(data.path).toBe("/");
+      // Should not have proxied content
+      const text = await response.text();
+      expect(text).not.toContain('{"path":"/"}');
     });
 
     it("3.2 should proxy to single-level subpath", async () => {
