Patch (backport #3297) (#3298)

mergify[bot] · Kefancao · web-flow · commit 8fca2a57be7d · 2026-01-05T15:58:32.000-05:00
Co-authored-by: Kefan Cao &lt;76069770+Kefancao@users.noreply.github.com&gt;
diff --git a/indexer/services/comlink/src/config.ts b/indexer/services/comlink/src/config.ts
@@ -120,6 +120,7 @@ export const configSchema = {
   TURNKEY_API_SENDER_PRIVATE_KEY: parseString({ default: '' }),
   TURNKEY_API_SENDER_PUBLIC_KEY: parseString({ default: '' }),
   TURNKEY_MAGIC_LINK_TEMPLATE: parseString({ default: '' }),
+  TURNKEY_MAGIC_LINK_VALIDATION: parseString({ default: 'https://dydx.trade' }),
   TURNKEY_ORGANIZATION_ID: parseString({ default: '' }),
   SOLANA_SPONSOR_PUBLIC_KEY: parseString({ default: '' }),
   SKIP_SLIPPAGE_TOLERANCE_PERCENTAGE: parseString({ default: '0' }),
diff --git a/indexer/services/comlink/src/controllers/api/v4/turnkey-controller.ts b/indexer/services/comlink/src/controllers/api/v4/turnkey-controller.ts
@@ -167,6 +167,12 @@ export class TurnkeyController extends Controller {
       if (!userEmail || !targetPublicKey) {
         throw new Error('userEmail and targetPublicKey are required for email signin');
       }
+      if (magicLink) {
+        const isValidMagicLink = magicLink.startsWith(config.TURNKEY_MAGIC_LINK_VALIDATION);
+        if (!isValidMagicLink) {
+          throw new Error('Invalid magic link template');
+        }
+      }
       try {
         const resp = await this.turnkeyHelpers.emailSignin(userEmail, targetPublicKey!, magicLink);
         if (resp.userId === undefined || resp.apiKeyId === undefined) {
@@ -229,7 +235,7 @@ export class TurnkeyController extends Controller {
 
     // Validate Apple configuration
     if (!config.APPLE_TEAM_ID || !config.APPLE_SERVICE_ID ||
-        !config.APPLE_KEY_ID || !config.APPLE_PRIVATE_KEY) {
+      !config.APPLE_KEY_ID || !config.APPLE_PRIVATE_KEY) {
       throw new TurnkeyError('Apple Sign-In configuration is incomplete');
     }
 
