docs(identity): per-request front-end origin for auth e-mail links #232

Open
marcelo-maciel wants to merge 1 commit into fullstackhero:main from marcelo-maciel:docs/identity-origin-multifront

@marcelo-maciel

Contributor

Documents the behaviour introduced by dotnet-starter-kit#1323: password-reset and e-mail-confirmation links now resolve to the front-end that made the request, via the request Origin header validated against CorsOptions.AllowedOrigins.

Changes:

  • security/cors-and-headers — new "Front-end origin for auth e-mail links" section explaining AllowedOrigins' second role (link allowlist + security boundary against a forged Origin), plus a common-mistake note.
  • security/production-checklist — item 3 now notes AllowedOrigins gates the reset/confirmation e-mail flows, not just CORS.
  • modules/identity — a callout on the endpoints table describing where reset/confirmation links point and that confirmation lands on the SPA /confirm-email page.
  • changelog — 2026-07-02 entry.

Pairs with code PR #1323; ideally merges alongside or just after it. (Did not run astro build locally — no node_modules in my checkout — but the changes are prose plus one <Callout> matching existing usage, no new imports.)

Documents that CorsOptions.AllowedOrigins now doubles as the allowlist the
Identity module validates the request Origin against to build password-reset
and e-mail-confirmation links (per PR fullstackhero/dotnet-starter-kit#1323):
- security/cors-and-headers: new section + common-mistake note
- security/production-checklist: AllowedOrigins gates the auth e-mail flows
- modules/identity: callout on where reset/confirmation links point
- changelog: 2026-07-02 entry
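
The Origin-against-allowlist check that the description above refers to, as an added example that is not code from this PR or from dotnet-starter-kit. `AuthLinkBuilder`, `TryBuild`, `Normalize`, the `/reset-password` path and the sample origins are hypothetical, and refusing to build a link on a mismatch (rather than falling back to a default front-end) is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed allowlist standing in for CorsOptions.AllowedOrigins.
string[] allowedOrigins = { "https://app.example.com", "https://admin.example.com:8443/" };

// Constructed Origin header values: two real front-ends, then values that must be refused.
string?[] samples =
{
    "https://app.example.com", "https://ADMIN.example.com:8443",
    "https://app.example.com.attacker.test", "http://app.example.com",
    "https://app.example.com/x", "null", null,
};

foreach (var header in samples)
{
    var result = AuthLinkBuilder.TryBuild(header, allowedOrigins, "/reset-password", "tok+en/==", out var url)
        ? url : "(refused)";
    Console.WriteLine($"{header ?? "<missing>"} -> {result}");
}

static class AuthLinkBuilder // hypothetical helper, not a starter-kit type
{
    // Canonical "scheme://host[:port]", or null when the value is not a bare http(s) origin.
    static string? Normalize(string? value)
    {
        if (!Uri.TryCreate(value, UriKind.Absolute, out var uri)) return null;
        if (uri.Scheme != Uri.UriSchemeHttps && uri.Scheme != Uri.UriSchemeHttp) return null;
        if (uri.AbsolutePath != "/" || uri.Query != "" || uri.Fragment != "" || uri.UserInfo != "") return null;
        return $"{uri.Scheme}://{uri.Host}" + (uri.IsDefaultPort ? "" : $":{uri.Port}");
    }

    // Builds the link only from an allowlisted origin; the token is escaped for the query string.
    public static bool TryBuild(string? origin, IEnumerable<string> allowed, string path, string token, out string url)
    {
        url = "";
        var canonical = Normalize(origin);
        // Exact, whole-origin comparison: no prefix or suffix matching, and "*" never matches.
        if (canonical is null || !allowed.Select(Normalize).Contains(canonical, StringComparer.Ordinal))
            return false;
        url = $"{canonical}{path}?token={Uri.EscapeDataString(token)}";
        return true;
    }
}
```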