fix(security): [HIGH] resolve host header injection vulnerability

core/config.py

@@ -38,6 +38,8 @@ class Settings(BaseSettings):
     BREVO_EMAIL_FROM_ADDRESS: str = os.getenv("BREVO_EMAIL_FROM_ADDRESS", "noreply@example.com")
     BREVO_EMAIL_FROM_NAME: str = os.getenv("BREVO_EMAIL_FROM_NAME", "BookLib")
 
+    app_base_url: str = os.getenv("APP_BASE_URL", "")
+
     DEBUG: bool = os.getenv("DEBUG", "false").lower() == "true"
     admin_users_env: str = Field(default=os.getenv("ADMIN_USERS", ""), repr=False)
     admin_users: set[str] = set()

routes/auth.py

@@ -6,6 +6,7 @@
 from sqlalchemy.orm import Session
 
 from core.auth import create_session, get_authenticated_user
+from core.config import settings
 from core.email import send_password_reset_email, send_verification_email
 from core.security import (
     generate_password_reset_token,
@@ -92,7 +93,11 @@ def _handle_register(
     if not created_user:
         return None, "Error creating user. Please try again."
 
-    base_url = str(request.base_url).rstrip("/")
+    base_url = (
+        settings.app_base_url.rstrip("/")
+        if settings.app_base_url
+        else str(request.base_url).rstrip("/")
+    )
     email_sent = send_verification_email(
         created_user.email, created_user.username, verification_token, base_url
     )
@@ -262,7 +267,11 @@ async def handle_forgot_password(
         if not set_password_reset_token(db, user, token):
             logger.error(f"Failed to save reset token to DB for {user.email}")
         else:
-            base_url = str(request.base_url).rstrip("/")
+            base_url = (
+                settings.app_base_url.rstrip("/")
+                if settings.app_base_url
+                else str(request.base_url).rstrip("/")
+            )
             email_sent = send_password_reset_email(user.email, user.username, token, base_url)
             if not email_sent:
                 logger.warning(f"Failed attempt to send reset email for {user.email}.")