Skip to content

docs(identity): per-request front-end origin for auth e-mail links#232

Open
marcelo-maciel wants to merge 2 commits into
fullstackhero:mainfrom
marcelo-maciel:docs/identity-origin-multifront
Open

docs(identity): per-request front-end origin for auth e-mail links#232
marcelo-maciel wants to merge 2 commits into
fullstackhero:mainfrom
marcelo-maciel:docs/identity-origin-multifront

Conversation

@marcelo-maciel

Copy link
Copy Markdown
Contributor

Documents the behaviour introduced by dotnet-starter-kit#1323: password-reset and e-mail-confirmation links now resolve to the front-end that made the request, via the request Origin header validated against CorsOptions.AllowedOrigins.

Changes:

  • security/cors-and-headers — new "Front-end origin for auth e-mail links" section explaining AllowedOrigins' second role (link allowlist + security boundary against a forged Origin), plus a common-mistake note.
  • security/production-checklist — item 3 now notes AllowedOrigins gates the reset/confirmation e-mail flows, not just CORS.
  • modules/identity — a callout on the endpoints table describing where reset/confirmation links point and that confirmation lands on the SPA /confirm-email page.
  • changelog — 2026-07-02 entry.

Pairs with code PR #1323; ideally merges alongside or just after it. (Did not run astro build locally — no node_modules in my checkout — but the changes are prose plus one <Callout> matching existing usage, no new imports.)

Documents that CorsOptions.AllowedOrigins now doubles as the allowlist the
Identity module validates the request Origin against to build password-reset
and e-mail-confirmation links (per PR fullstackhero/dotnet-starter-kit#1323):
- security/cors-and-headers: new section + common-mistake note
- security/production-checklist: AllowedOrigins gates the auth e-mail flows
- modules/identity: callout on where reset/confirmation links point
- changelog: 2026-07-02 entry
Update the origin docs to the reworked #1323 model: link resolution moved off
CorsOptions onto a dedicated FrontendOptions (AllowedOrigins + DefaultOrigin).

- cors-and-headers: rewrite the front-end-origin section — decoupled from CORS,
  self-service vs operator-driven flows, no-header fallback to DefaultOrigin,
  forged origin -> 400, startup validation, component-wise matching.
- modules/identity: callout reflects FrontendOptions + recipient-app targeting
  for register/resend.
- production-checklist: FrontendOptions is a separate required setting whose
  startup validation fails the boot until configured.
- changelog: describe the FrontendOptions model and the updated deploy action.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant