Users objects created even when calling site not in trusted domain #252

Open

LukeeRBLX opened this issue Sep 15, 2024 · 1 comment

@LukeeRBLX (Contributor)

Hi,

I have come across an issue where user objects are still allowed to be created inside of a project that has its request header coming from a non-trusted domain.

This happens on both Production and Non production methods.

NextJS site has the correct ENV variables set up but I have not yet listed this as a trusted domain.
(This is a published site on vercel and not a localhost)

When going to my setup flow on my website, I enter an email address and submit, I receive my error that I am not a part of the trusted domains, but the user object is still created within my project. I am unsure if this functionality is intended, but in case of secret keys being hijacked, this is something I wouldn't want to happen outside of my enlisted sites.

Magic links give me an error, still allowing a user object to be created.

Whilst credentials (email & password) allow me to create a user and log in.

Please try and replicate to get the same behavior.

This is running a very clean nextjs project using the default components with no edits to source code.

@fomalhautb (Contributor) commented Sep 15, 2024

Just to be clear, this is not the ideal user experience, but it is also not a security risk.

The trusted domain is used for redirect URLs like magic link email and OAuth provider callbacks, where the server needs to call an endpoint with sensitive information. Signing up/in itself is an action that can be done from any domain (because it is just an API call).

The reason for a created user but a "redirect URL" error is that the endpoint first creates the user, and then tries to validate the email redirect URL (which in your case is a domain that is not allowed), so it refuses to send the email and returns an error.

We will try to validate the redirect URL before the user is created so it creates a more consistent developer experience, but no need to worry about security here.
