Fix magic link routes

app/api/auth/magic-link/request/route.ts

@@ -20,6 +20,7 @@ import {
 import { logRouteError } from "../../../../../lib/server/requestId";
 import { apiRoute } from "../../../../../lib/server/apiRoute";
 import { safeInternalPath } from "../../../../../lib/safeInternalPath";
+import { getPublicOrigin } from "../../../../../lib/server/publicOrigin";
 import { magicLinkRequestBodySchema } from "../../../../../lib/server/validation/createFlowSchemas";
 import { jsonFromZodError } from "../../../../../lib/server/validation/zodHttp";
 
@@ -99,7 +100,7 @@ export const POST = apiRoute(SCOPE, async (request: NextRequest, _ctx, { request
     },
   });
 
-  const origin = request.nextUrl.origin;
+  const origin = getPublicOrigin(request);
   const verifyUrl = `${origin}/api/auth/magic-link/verify?token=${encodeURIComponent(token)}`;
 
   try {

app/api/rules/[id]/stakeholders/[stakeholderId]/resend/route.ts

@@ -21,6 +21,7 @@ import {
 } from "../../../../../../../lib/server/responses";
 import { getSessionUser } from "../../../../../../../lib/server/session";
 import { rateLimitKey } from "../../../../../../../lib/server/rateLimit";
+import { getPublicOrigin } from "../../../../../../../lib/server/publicOrigin";
 
 type RouteContext = { params: Promise<{ id: string; stakeholderId: string }> };
 
@@ -92,7 +93,7 @@ export const POST = apiRoute<RouteContext>(
       },
     });
 
-    const verifyUrl = stakeholderInviteVerifyUrl(request.nextUrl.origin, token);
+    const verifyUrl = stakeholderInviteVerifyUrl(getPublicOrigin(request), token);
     try {
       await sendRuleStakeholderInviteEmail(row.email, verifyUrl, row.rule.title);
     } catch (err) {

app/api/rules/[id]/stakeholders/route.ts

@@ -18,6 +18,7 @@ import {
   unauthorized,
 } from "../../../../../lib/server/responses";
 import { getSessionUser } from "../../../../../lib/server/session";
+import { getPublicOrigin } from "../../../../../lib/server/publicOrigin";
 import {
   MAX_STAKEHOLDER_EMAILS,
   postRuleStakeholderBodySchema,
@@ -151,7 +152,7 @@ export const POST = apiRoute<RouteContext>(
       return serverMisconfigured();
     }
 
-    const origin = request.nextUrl.origin;
+    const origin = getPublicOrigin(request);
     const sent = await createRuleStakeholderInviteAndSendMail({
       scope: "rules.stakeholders.add",
       requestId,

app/api/rules/route.ts

@@ -20,6 +20,7 @@ import { stakeholderInviteVerifyUrl } from "../../../lib/server/ruleStakeholderI
 import { STAKEHOLDER_INVITE_TTL_MS } from "../../../lib/server/ruleStakeholders";
 import { getSessionUser } from "../../../lib/server/session";
 import { apiRoute } from "../../../lib/server/apiRoute";
+import { getPublicOrigin } from "../../../lib/server/publicOrigin";
 import {
   publishRuleBodySchema,
   uniqueStakeholderEmailsForPublish,
@@ -148,7 +149,7 @@ export const POST = apiRoute(
       return { rule: created, invites: toSend };
     });
 
-    const origin = request.nextUrl.origin;
+    const origin = getPublicOrigin(request);
     try {
       for (const inv of invites) {
         const verifyUrl = stakeholderInviteVerifyUrl(origin, inv.token);

app/api/user/email-change/request/route.ts

@@ -20,6 +20,7 @@ import {
   unauthorized,
 } from "../../../../../lib/server/responses";
 import { getSessionUser } from "../../../../../lib/server/session";
+import { getPublicOrigin } from "../../../../../lib/server/publicOrigin";
 import { readLimitedJson } from "../../../../../lib/server/validation/requestBody";
 import { emailChangeRequestBodySchema } from "../../../../../lib/server/validation/userEmailChangeSchemas";
 import { jsonFromZodError } from "../../../../../lib/server/validation/zodHttp";
@@ -115,7 +116,7 @@ export const POST = apiRoute(SCOPE, async (request: NextRequest, _ctx, { request
     },
   });
 
-  const origin = request.nextUrl.origin;
+  const origin = getPublicOrigin(request);
   const verifyUrl = `${origin}/api/user/email-change/verify?token=${encodeURIComponent(token)}`;
 
   try {