Enforce https in URL's used by customers (#5728)

* Enforce HTTPS in links used by customers

* Enforce HTTPS in links used by customers

* Enforce https in URL's used by customers

* Enforce https in URL's used by customers

---------

Co-authored-by: christopherholland-workday <christopher.holland+evisort@workday.com>

Author: christopherholland-workday

packages/server/jest.config.js

@@ -13,7 +13,7 @@ module.exports = {
     },
 
     // Regular expression to find test files
-    testRegex: '((\\.|/)index\\.test)\\.tsx?$',
+    testRegex: '.*\\.test\\.tsx?$',
 
     // File extensions to recognize in module resolution
     moduleFileExtensions: ['ts', 'tsx', 'js', 'jsx', 'json', 'node'],

packages/server/src/enterprise/services/account.service.ts

@@ -20,6 +20,7 @@ import { destroyAllSessionsForUser } from '../middleware/passport/SessionPersist
 import { compareHash, getHash, getPasswordSaltRounds, hashNeedsUpgrade } from '../utils/encryption.util'
 import { sendPasswordResetEmail, sendVerificationEmailForCloud, sendWorkspaceAdd, sendWorkspaceInvite } from '../utils/sendEmail'
 import { generateTempToken } from '../utils/tempTokenUtils'
+import { getSecureAppUrl, getSecureTokenLink } from '../utils/url.util'
 import { validatePasswordOrThrow } from '../utils/validation.util'
 import auditService from './audit'
 import { OrganizationUserErrorMessage, OrganizationUserService } from './organization-user.service'
@@ -98,7 +99,7 @@ export class AccountService {
             await queryRunner.manager.save(User, updatedUser)
 
             // resend invite
-            const verificationLink = `${process.env.APP_URL}/verify?token=${updateUserData.tempToken}`
+            const verificationLink = getSecureTokenLink('/verify', updateUserData.tempToken!)
             await sendVerificationEmailForCloud(email, verificationLink)
 
             await queryRunner.commitTransaction()
@@ -173,7 +174,7 @@ export class AccountService {
                 }
                 // send verification email only if user signed up with email/password
                 if (data.user.credential) {
-                    const verificationLink = `${process.env.APP_URL}/verify?token=${data.user.tempToken}`
+                    const verificationLink = getSecureTokenLink('/verify', data.user.tempToken!)
                     await sendVerificationEmailForCloud(data.user.email!, verificationLink)
                 }
                 break
@@ -314,8 +315,8 @@ export class AccountService {
                 // send invite
                 const registerLink =
                     this.identityManager.getPlatformType() === Platform.ENTERPRISE
-                        ? `${process.env.APP_URL}/register?token=${data.user.tempToken}`
-                        : `${process.env.APP_URL}/register`
+                        ? getSecureTokenLink('/register', data.user.tempToken!)
+                        : getSecureAppUrl('/register')
                 await sendWorkspaceInvite(data.user.email!, data.workspace.name!, registerLink, this.identityManager.getPlatformType())
                 data.user = await this.userService.createNewUser(data.user, queryRunner)
 
@@ -383,9 +384,9 @@ export class AccountService {
                     tokenExpiry.setHours(tokenExpiry.getHours() + expiryInHours)
                     data.user.tokenExpiry = tokenExpiry
                     await this.userService.saveUser(data.user, queryRunner)
-                    registerLink = `${process.env.APP_URL}/register?token=${data.user.tempToken}`
+                    registerLink = getSecureTokenLink('/register', data.user.tempToken!)
                 } else {
-                    registerLink = `${process.env.APP_URL}/register`
+                    registerLink = getSecureAppUrl('/register')
                 }
                 if (workspaceUser.length === 1) {
                     oldWorkspaceUser = workspaceUser[0]
@@ -411,7 +412,7 @@ export class AccountService {
             } else {
                 data.organizationUser.updatedBy = data.user.createdBy
 
-                const dashboardLink = `${process.env.APP_URL}`
+                const dashboardLink = getSecureAppUrl()
                 await sendWorkspaceAdd(data.user.email!, data.workspace.name!, dashboardLink)
             }
 
@@ -549,7 +550,7 @@ export class AccountService {
             tokenExpiry.setMinutes(tokenExpiry.getMinutes() + expiryInMins)
             data.user.tokenExpiry = tokenExpiry
             data.user = await this.userService.saveUser(data.user, queryRunner)
-            const resetLink = `${process.env.APP_URL}/reset-password?token=${data.user.tempToken}`
+            const resetLink = getSecureTokenLink('/reset-password', data.user.tempToken!)
             await sendPasswordResetEmail(data.user.email!, resetLink)
             await queryRunner.commitTransaction()
         } catch (error) {

packages/server/src/enterprise/utils/url.util.ts

@@ -0,0 +1,63 @@
+import logger from '../../utils/logger'
+
+/**
+ * Ensures the APP_URL uses HTTPS protocol for security-sensitive operations.
+ * Allows HTTP only for localhost/127.0.0.1 (development environments).
+ *
+ * @param path - Optional path to append to the base URL
+ * @returns Secure URL (HTTPS) or development URL (HTTP localhost)
+ */
+export function getSecureAppUrl(path?: string): string {
+    const appUrl = process.env.APP_URL || ''
+
+    if (!appUrl) {
+        throw new Error('APP_URL environment variable is not configured')
+    }
+
+    // Validate that APP_URL is a well-formed URL (e.g. catches bare "example.com" without a protocol)
+    let urlObj: URL
+    try {
+        urlObj = new URL(appUrl)
+    } catch {
+        throw new Error(`APP_URL environment variable is not a valid URL: "${appUrl}"`)
+    }
+
+    const isLocalhost =
+        urlObj.hostname === 'localhost' || urlObj.hostname === '127.0.0.1' || urlObj.hostname === '[::1]' || urlObj.hostname === '0.0.0.0'
+
+    // If URL is HTTP and NOT localhost, convert to HTTPS for security.
+    // Keep HTTP for localhost/development URLs to avoid issues with self-signed certs.
+    if (urlObj.protocol === 'http:' && !isLocalhost) {
+        urlObj.protocol = 'https:'
+        const newUrlString = urlObj.toString().replace(/\/$/, '')
+        logger.warn(
+            `APP_URL uses insecure HTTP protocol for non-localhost URL. ` +
+                `Automatically converting to HTTPS for security. ` +
+                `Please update APP_URL to use HTTPS: ${newUrlString}`
+        )
+    }
+
+    // Always strip trailing slash for consistency, whether or not a path is appended
+    const secureUrl = urlObj.toString().replace(/\/$/, '')
+
+    // Append path if provided
+    if (path) {
+        const cleanPath = path.startsWith('/') ? path : `/${path}`
+        return `${secureUrl}${cleanPath}`
+    }
+
+    return secureUrl
+}
+
+/**
+ * Constructs a secure link with a token parameter.
+ * Always uses HTTPS for non-localhost URLs.
+ *
+ * @param path - URL path (e.g., '/reset-password', '/verify')
+ * @param token - Security token to include in URL
+ * @returns Secure URL with token parameter
+ */
+export function getSecureTokenLink(path: string, token: string): string {
+    const baseUrl = getSecureAppUrl(path)
+    return `${baseUrl}?token=${token}`
+}

packages/server/test/enterprise/utils/url.util.test.ts

@@ -0,0 +1,125 @@
+import { describe, expect, it, afterEach } from '@jest/globals'
+import { getSecureAppUrl, getSecureTokenLink } from '../../../src/enterprise/utils/url.util'
+
+describe('URL Security Utilities', () => {
+    const originalEnv = process.env.APP_URL
+
+    afterEach(() => {
+        if (originalEnv) {
+            process.env.APP_URL = originalEnv
+        } else {
+            delete process.env.APP_URL
+        }
+    })
+
+    describe('getSecureAppUrl', () => {
+        it('should throw error if APP_URL is not configured', () => {
+            delete process.env.APP_URL
+            expect(() => getSecureAppUrl()).toThrow('APP_URL environment variable is not configured')
+        })
+
+        it('should throw error if APP_URL is not a valid URL', () => {
+            process.env.APP_URL = 'example.com'
+            expect(() => getSecureAppUrl()).toThrow('APP_URL environment variable is not a valid URL: "example.com"')
+        })
+
+        it('should return HTTPS URL unchanged', () => {
+            process.env.APP_URL = 'https://example.com'
+            expect(getSecureAppUrl()).toBe('https://example.com')
+        })
+
+        it('should convert HTTP to HTTPS for production URLs', () => {
+            process.env.APP_URL = 'http://example.com'
+            const result = getSecureAppUrl()
+            expect(result).toBe('https://example.com')
+        })
+
+        it('should allow HTTP for localhost', () => {
+            process.env.APP_URL = 'http://localhost:3000'
+            expect(getSecureAppUrl()).toBe('http://localhost:3000')
+        })
+
+        it('should allow HTTP for 127.0.0.1', () => {
+            process.env.APP_URL = 'http://127.0.0.1:3000'
+            expect(getSecureAppUrl()).toBe('http://127.0.0.1:3000')
+        })
+
+        it('should allow HTTP for ::1 (IPv6 localhost)', () => {
+            process.env.APP_URL = 'http://[::1]:3000'
+            expect(getSecureAppUrl()).toBe('http://[::1]:3000')
+        })
+
+        it('should allow HTTP for 0.0.0.0', () => {
+            process.env.APP_URL = 'http://0.0.0.0:3000'
+            expect(getSecureAppUrl()).toBe('http://0.0.0.0:3000')
+        })
+
+        it('should append path correctly', () => {
+            process.env.APP_URL = 'https://example.com'
+            expect(getSecureAppUrl('/reset-password')).toBe('https://example.com/reset-password')
+        })
+
+        it('should handle trailing slash in base URL', () => {
+            process.env.APP_URL = 'https://example.com/'
+            expect(getSecureAppUrl('/reset-password')).toBe('https://example.com/reset-password')
+        })
+
+        it('should handle path without leading slash', () => {
+            process.env.APP_URL = 'https://example.com'
+            expect(getSecureAppUrl('reset-password')).toBe('https://example.com/reset-password')
+        })
+
+        it('should convert HTTP to HTTPS and append path', () => {
+            process.env.APP_URL = 'http://example.com'
+            expect(getSecureAppUrl('/verify')).toBe('https://example.com/verify')
+        })
+    })
+
+    describe('getSecureTokenLink', () => {
+        it('should create secure link with token', () => {
+            process.env.APP_URL = 'https://example.com'
+            const result = getSecureTokenLink('/reset-password', 'abc123')
+            expect(result).toBe('https://example.com/reset-password?token=abc123')
+        })
+
+        it('should convert HTTP to HTTPS in token link', () => {
+            process.env.APP_URL = 'http://example.com'
+            const result = getSecureTokenLink('/reset-password', 'abc123')
+            expect(result).toBe('https://example.com/reset-password?token=abc123')
+        })
+
+        it('should allow HTTP localhost in token link', () => {
+            process.env.APP_URL = 'http://localhost:3000'
+            const result = getSecureTokenLink('/verify', 'xyz789')
+            expect(result).toBe('http://localhost:3000/verify?token=xyz789')
+        })
+
+        it('should handle complex tokens', () => {
+            process.env.APP_URL = 'https://example.com'
+            const token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0'
+            const result = getSecureTokenLink('/register', token)
+            expect(result).toBe(`https://example.com/register?token=${token}`)
+        })
+    })
+
+    describe('Security scenarios', () => {
+        it('should prevent HTTP password reset links in production', () => {
+            process.env.APP_URL = 'http://myapp.com'
+            const resetLink = getSecureTokenLink('/reset-password', 'secret-token')
+            expect(resetLink).toMatch(/^https:\/\//)
+            expect(resetLink).not.toMatch(/^http:\/\//)
+        })
+
+        it('should prevent HTTP verification links in production', () => {
+            process.env.APP_URL = 'http://myapp.com'
+            const verifyLink = getSecureTokenLink('/verify', 'verify-token')
+            expect(verifyLink).toMatch(/^https:\/\//)
+        })
+
+        it('should prevent HTTP registration links in production', () => {
+            process.env.APP_URL = 'http://myapp.com'
+            const registerLink = getSecureTokenLink('/register', 'invite-token')
+            expect(registerLink).toMatch(/^https:\/\//)
+        })
+    })
+})