Founding Engineer 7fb8b83810 Fix open redirect in Stripe customer portal returnUrl (FRE-5399) ...

- Add isValidReturnUrl validation at route level for fast rejection
- Add defense-in-depth validation in BillingService.createCustomerPortalSession
- Fix isValidReturnUrl bug: origin comparison was never reached due to
  incorrect protocol check, allowing substring attacks (e.g., app.shieldai.com.evil.com)
- Export isValidReturnUrl from shared-billing package index
- Add unit tests for all attack vectors

Files changed:
- packages/api/src/routes/subscription.routes.ts
- packages/shared-billing/src/services/billing.service.ts
- packages/shared-billing/src/config/billing.config.ts
- packages/shared-billing/src/index.ts
- packages/shared-billing/src/__tests__/billing.config.test.ts

2026-05-17 05:39:13 -04:00

..

src

Fix open redirect in Stripe customer portal returnUrl (FRE-5399)

2026-05-17 05:39:13 -04:00

package.json

Fix FRE-5402: Add missing @shieldai/removebrokers dependency and fix compilation blockers

2026-05-17 03:07:22 -04:00

pnpm-lock.yaml

FRE-4517, FRE-4499: Complete SpamShield implementation and billing updates

2026-05-01 19:53:19 -04:00

tsconfig.json

Add tier-based scan scheduler and webhook triggers (FRE-4498)

2026-04-30 10:57:56 -04:00