From 602c928134cc2e2798c703cbb9fc4b3988ec09b5 Mon Sep 17 00:00:00 2001 From: Tugamer89 <61603718+Tugamer89@users.noreply.github.com> Date: Tue, 26 May 2026 07:22:22 +0000 Subject: [PATCH 1/2] fix(security): [HIGH] resolve host header injection vulnerability Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> --- core/config.py | 2 ++ routes/auth.py | 12 ++++++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/core/config.py b/core/config.py index 8f05234..24e045d 100644 --- a/core/config.py +++ b/core/config.py @@ -38,6 +38,8 @@ class Settings(BaseSettings): BREVO_EMAIL_FROM_ADDRESS: str = os.getenv("BREVO_EMAIL_FROM_ADDRESS", "noreply@example.com") BREVO_EMAIL_FROM_NAME: str = os.getenv("BREVO_EMAIL_FROM_NAME", "BookLib") + app_base_url: str = os.getenv("APP_BASE_URL", "") + DEBUG: bool = os.getenv("DEBUG", "false").lower() == "true" admin_users_env: str = Field(default=os.getenv("ADMIN_USERS", ""), repr=False) admin_users: set[str] = set() diff --git a/routes/auth.py b/routes/auth.py index 7ced03d..2000e3f 100644 --- a/routes/auth.py +++ b/routes/auth.py @@ -92,7 +92,11 @@ def _handle_register( if not created_user: return None, "Error creating user. Please try again." - base_url = str(request.base_url).rstrip("/") + base_url = ( + settings.app_base_url.rstrip("/") + if settings.app_base_url + else str(request.base_url).rstrip("/") + ) email_sent = send_verification_email( created_user.email, created_user.username, verification_token, base_url ) 
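Review bot: `app_base_url` defaults to `""`, and both call sites in routes/auth.py fall back to `request.base_url` when it is empty, so a deployment that never sets `APP_BASE_URL` still puts the Host-header-derived origin into verification and reset links — the fix is opt-in rather than the default. A model-level check that refuses to start when `app_base_url` is empty and `DEBUG` is false, together with a check that the value is an absolute `http`/`https` URL, would make a missing or mistyped setting fail loudly instead of silently regressing to the old behaviour. The field also departs from the UPPER_SNAKE convention of most of its neighbours (`BREVO_EMAIL_FROM_NAME`, `DEBUG`); naming it `APP_BASE_URL` would match the environment variable it reads. Add a comment on the field: `# Public origin for links in outgoing email; set in production so links never derive from the request Host header.`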
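Review bot: The new conditional still evaluates to `str(request.base_url)` whenever `settings.app_base_url` is empty, so on an instance without `APP_BASE_URL` the verification link is still built from the client-supplied Host header that the commit subject says it resolves; the `@@ -262` hunk of this file repeats the same fallback for the reset link. I'd move the selection into one module-level helper that prefers the configured value, allows the request-derived origin only when `settings.DEBUG` is true, and otherwise raises, so both paths share one policy and a missing setting surfaces as an operator-visible error rather than a poisoned link. Separately, this patch references `settings` with no import visible in routes/auth.py — `from core.config import settings` only arrives in PATCH 2/2 — so the first commit on its own likely fails with `NameError` at this line; squashing the two would keep history bisectable. `_handle_register` starts outside the hunk.
```python
def _public_base_url(request) -> str:
    """Return the origin (no trailing slash) to embed in emailed links.

    Prefers APP_BASE_URL; uses request.base_url only under DEBUG, because
    that value is derived from the client-controlled Host header.
    """
    if settings.app_base_url:
        return settings.app_base_url.rstrip("/")
    if settings.DEBUG:
        return str(request.base_url).rstrip("/")
    raise RuntimeError("APP_BASE_URL must be set to send account emails")


    # … unchanged: _handle_register down to the created_user check …
    base_url = _public_base_url(request)
    email_sent = send_verification_email(
```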
@@ -262,7 +266,11 @@ async def handle_forgot_password( if not set_password_reset_token(db, user, token): logger.error(f"Failed to save reset token to DB for {user.email}") else: - base_url = str(request.base_url).rstrip("/") + base_url = ( + settings.app_base_url.rstrip("/") + if settings.app_base_url + else str(request.base_url).rstrip("/") + ) email_sent = send_password_reset_email(user.email, user.username, token, base_url) if not email_sent: logger.warning(f"Failed attempt to send reset email for {user.email}.") From b6348d625bc4eb1ef452fa04b16d7dbad3cd889f Mon Sep 17 00:00:00 2001 From: Tugamer89 <61603718+Tugamer89@users.noreply.github.com> Date: Tue, 26 May 2026 07:34:52 +0000 Subject: [PATCH 2/2] fix(security): [HIGH] resolve host header injection vulnerability Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> --- routes/auth.py | 1 + 1 file changed, 1 insertion(+) diff --git a/routes/auth.py b/routes/auth.py index 2000e3f..a324e18 100644 --- a/routes/auth.py +++ b/routes/auth.py @@ -6,6 +6,7 @@ from sqlalchemy.orm import Session from core.auth import create_session, get_authenticated_user +from core.config import settings from core.email import send_password_reset_email, send_verification_email from core.security import ( generate_password_reset_token,