diff --git a/src/lib/config/validate.ts b/src/lib/config/validate.ts
index e5ee8d3c..1605a1de 100644
--- a/src/lib/config/validate.ts
+++ b/src/lib/config/validate.ts
@@ -268,14 +268,21 @@ export const schema = z.object({
 rpID: z
 .string()
 .trim()
+ .refine(
+ (v) => v.length === 0 || /^[a-zA-Z0-9.-]+$/.test(v),
+ 'RP ID can only contain letters, numbers, dots, and hyphens. Example: example.com, localhost, zipline.example.com.',
+ )
 .transform((v) => (v.length > 0 ? v : null))
 .nullable()
 .default(null),
 origin: z
 .string()
 .trim()
+ .refine(
+ (v) => v.length === 0 || /^https?:\/\/[a-zA-Z0-9.-]+(:\d+)?(\/.*)?$/.test(v),
+ 'Origin must be a valid URL starting with http:// or https://',
+ )
 .transform((v) => (v.length > 0 ? v : null))
- .refine((v) => (v ? URL.canParse(v) : true), 'Invalid URL')
 .nullable()
 .default(null),
 }),
diff --git a/src/server/routes/api/server/settings/index.ts b/src/server/routes/api/server/settings/index.ts
index 61aa9432..e61c9e45 100644
--- a/src/server/routes/api/server/settings/index.ts
+++ b/src/server/routes/api/server/settings/index.ts
@@ -332,11 +332,19 @@ export default typedPlugin(
 mfaPasskeysRpID: z
 .string()
 .trim()
+ .refine(
+ (v) => v.length === 0 || /^[a-zA-Z0-9.-]+$/.test(v),
+ 'RP ID can only contain letters, numbers, dots, and hyphens. Example: example.com, localhost, zipline.example.com.',
+ )
 .transform((v) => (v.length === 0 ? null : v))
 .nullable(),
 mfaPasskeysOrigin: z
 .string()
 .trim()
+ .refine(
+ (v) => v.length === 0 || /^https?:\/\/[a-zA-Z0-9.-]+(:\d+)?(\/.*)?$/.test(v),
+ 'Origin must be a valid URL starting with http:// or https://',
+ )
 .transform((v) => (v.length === 0 ? null : v))
 .nullable(),
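Review bot: The new `origin` refine in validate.ts accepts values that are not WebAuthn origins: `(\/.*)?` lets a path or trailing slash through, and with the `URL.canParse` check removed the regex alone also accepts a port such as `:999999`. If this value is used as the expected origin during passkey verification (not visible in this diff), the origin a browser reports is scheme, host and optional port only, so a configured value carrying a path or uppercase host would presumably never match. Accepting only a canonical origin avoids that, e.g. `(v) => v.length === 0 || (/^https?:\/\//.test(v) && URL.canParse(v) && new URL(v).origin === v)`. The same refine is copied for `mfaPasskeysOrigin` in settings/index.ts, and the RP ID pattern is duplicated as well; a shared constant would keep the two schemas from drifting. Both schema objects start and end outside their hunks.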