fix: validate roles in VerifyEmail HTTP handler by lakhansamani · Pull Request #497

fix: validate roles in VerifyEmail HTTP handler by lakhansamani · Pull Request #497 · authorizerdev/authorizer

Merged

lakhansamani merged 3 commits intomainfrom

fix/verify-email-handler-role-validation

Mar 1, 2026

Merged

fix: validate roles in VerifyEmail HTTP handler#497
lakhansamani merged 3 commits intomainfrom
fix/verify-email-handler-role-validation

Conversation

Copy link Copy Markdown

Contributor

lakhansamani commented
Mar 1, 2026

Summary

Added role validation for ?roles= query parameter in VerifyEmail HTTP handler
Roles are now checked against user's stored roles using validators.IsValidRoles()
Prevents privilege escalation via URL manipulation

Test plan

Verify email verification with no roles param works (uses user's stored roles)
Verify email verification with valid roles subset works
Verify email verification with unauthorized roles returns 400

Fixes #486

lakhansamani added 3 commits

March 1, 2026 11:54

fix: validate roles in VerifyEmail HTTP handler

6771744

Roles from the query string were used without validation against the
user's stored roles, allowing privilege escalation via URL manipulation.

Fixes #486

Merge branch 'main' into fix/verify-email-handler-role-validation

695b12b

test: add unit tests for role validation

aa70796

lakhansamani merged commit 6486586 into main