From d6b5dc64cc5dce437452d8dcbb8d7c22add5c061 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edgar=20Ara=C3=BAjo?=
Date: Fri, 2 May 2025 15:48:37 +0100
Subject: [PATCH 1/2] Auth: ignore invalid search param

---
 necchange/src/app/api/auth/[...nextauth]/route.js | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/necchange/src/app/api/auth/[...nextauth]/route.js b/necchange/src/app/api/auth/[...nextauth]/route.js
index 344f3dc..7fa692e 100644
--- a/necchange/src/app/api/auth/[...nextauth]/route.js
+++ b/necchange/src/app/api/auth/[...nextauth]/route.js
@@ -8,6 +8,17 @@ const handler = async (req, context) => {
 return new Response(null, { status: 200 });
 }

+ // Macete para rejeitar emails vindos do postmaster,
+ // por algum motivo o postmaster insiste em chamar esta api com o arugmento "callbackUrl" que já não é utilizado,
+ // mas que no entanto invalida o token de verificaçao.
+ const url = new URL(req.url);
+ const hasCallbackUrl = url.searchParams.has("callbackUrl");
+
+ if (hasCallbackUrl) {
+ console.warn("Blocked automated request with callbackUrl:", url.searchParams.get("callbackUrl"));
+ return new Response(null, { status: 200 });
+ }
+
 return await NextAuth(req, context, authOptions);
 };

From bfd5978d3fa71c7d5c095fb92274737d6b885f4f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edgar=20Ara=C3=BAjo?=
Date: Fri, 2 May 2025 15:58:12 +0100
Subject: [PATCH 2/2] Auth: ignore only for callback email endpoint

---
 necchange/src/app/api/auth/[...nextauth]/route.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/necchange/src/app/api/auth/[...nextauth]/route.js b/necchange/src/app/api/auth/[...nextauth]/route.js
index 7fa692e..0a907d6 100644
--- a/necchange/src/app/api/auth/[...nextauth]/route.js
+++ b/necchange/src/app/api/auth/[...nextauth]/route.js
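Review bot: The `console.warn` call in the new guard writes the raw `callbackUrl` query value to the server log, and the value comes straight from the request URL, so whoever sends the request controls what lands there, including very long strings or embedded line breaks. A bounded, encoded form is enough to diagnose the scanner traffic, e.g. `console.warn("Blocked automated request with callbackUrl:", JSON.stringify(String(url.searchParams.get("callbackUrl")).slice(0, 200)));`. The same line is carried unchanged as context in PATCH 2/2, so the point applies to the final state as well. `handler` begins above this hunk, so the earlier early return it follows is not visible here.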
@@ -14,7 +14,7 @@ const handler = async (req, context) => {
 const url = new URL(req.url);
 const hasCallbackUrl = url.searchParams.has("callbackUrl");

- if (hasCallbackUrl) {
+ if (url.pathname === "/api/auth/callback/email" && hasCallbackUrl) {
 console.warn("Blocked automated request with callbackUrl:", url.searchParams.get("callbackUrl"));
 return new Response(null, { status: 200 });
 }
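Review bot: The narrowed condition decides "scanner vs. user" purely from the presence of `callbackUrl` on an exact `url.pathname === "/api/auth/callback/email"` match, and nothing in the hunk shows what guarantees that the link mailed to users never carries that parameter (NextAuth's stock e-mail link does include it, so presumably the project's mail template strips it). If that assumption ever breaks, a real user receives an empty 200 and cannot sign in, while an automated fetch that omits the parameter still reaches NextAuth and uses up the one-time token. I would record the dependency beside the condition, e.g. `// Relies on our verification e-mail link NOT carrying callbackUrl; a link that includes it is answered with an empty 200.`, and treat the check as a stop-gap rather than the token-protection mechanism. The exact-path comparison also assumes no base path or trailing slash in the deployed URL, which is worth confirming; the rest of `handler` lies outside this hunk.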