fix: remove origin refine from checkout Zod schema to prevent Permiss…#159

Merged
lfariabr merged 3 commits into master from fix/shield-permission-denied
Mar 12, 2026

Conversation

lfariabr (Owner) commented Mar 12, 2026

…ion denied

graphql-shield catches errors thrown from rules and silently returns false, which hits fallbackError(false) = 'Permission denied' instead of the real validation error. The origin refine was causing this when FRONTEND_URL was not correctly configured in production.

URL format validation stays in the schema (Shield layer). Origin enforcement stays in stripe.ts isSameOrigin() which silently falls back to the default URLs instead of throwing.

Summary by CodeRabbit

  • Refactor
    • Simplified return URL validation in checkout to verify URL format only, removing origin-based restrictions.

coderabbitai bot commented Mar 12, 2026

Warning

Rate limit exceeded

@lfariabr has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 22 minutes and 25 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a2f4f9d5-3493-4140-8aea-f72cfb39a9e5

📥 Commits

Reviewing files that changed from the base of the PR and between 8098b50 and 0b3deeb.

📒 Files selected for processing (2)
  • backend/src/services/stripe.ts
  • docker-compose.yml

Walkthrough

The checkout schema's return URL validation was simplified by removing the custom origin-checking function (isAllowedReturnUrlOrigin) and its dependency on config.frontendUrl. The returnUrl field now validates only URL structure using basic string URL validation instead of origin-based refinement.

Changes

Cohort / File(s) | Summary
Checkout Validation Schema Simplification (backend/src/validation/schemas/checkout.schema.ts) | Removed custom origin validation logic and config dependency for returnUrl. Replaced refine-based origin check with basic URL structure validation; validation branching reduced.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

❌ Origin checks erased,
🔗 URLs now bare and lean,
Validation stripped to bone—
What once was fortress walls
Now trusts the URL's shape alone. 🎯

Pre-merge checks: 3 passed

Check name | Status | Explanation
Description Check | Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | Passed | The title directly addresses the main change: removing origin refine from checkout Zod schema to fix Permission Denied errors. It's specific, concise, and clearly summarizes the primary fix.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai bot left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@backend/src/validation/schemas/checkout.schema.ts`:
- Line 13: The schema currently allows any absolute URL via the returnUrl field
(returnUrl: z.string().url(...)) while stripe.ts silently drops non-frontend
origins; instead enforce origin checks and fail fast: update checkout.schema.ts
to either restrict returnUrl to the configured FRONTEND_URL origin (or remove
permissive .url and require a sentinel like { origin: FRONTEND_URL } if Shield
can't express it) or, if keeping structural validation, add an explicit
post-Shield validation in the checkout creation flow (the function that
builds/creates the Stripe session in backend/src/services/stripe.ts such as the
checkout session creation code) that compares new URL input to
process.env.FRONTEND_URL and throws a badInput/config error when mismatched so
callers get a clear rejection rather than a successful-but-ignored session;
ensure the error path is used before any fallback successUrl/cancelUrl are
generated.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5f21de59-be12-4856-97ca-9d9cb515cca6

📥 Commits

Reviewing files that changed from the base of the PR and between e0eda73 and 8098b50.

📒 Files selected for processing (1)
  • backend/src/validation/schemas/checkout.schema.ts

…ring

When returnUrl is provided but its origin does not match config.frontendUrl,
throw StripeServiceError('INVALID_RETURN_URL') (mapped to BAD_USER_INPUT)
instead of silently falling back. This ensures callers get a clear 400
rejection with a meaningful message rather than an accepted-but-ignored
session. The check runs before any successUrl/cancelUrl construction.
@lfariabr lfariabr merged commit 29edfc5 into master Mar 12, 2026
3 checks passed
@lfariabr lfariabr deleted the fix/shield-permission-denied branch March 12, 2026 08:24