From ea52c80d2d18d1d797667e4716dfc5a3a3a69347 Mon Sep 17 00:00:00 2001
From: Yashar
Date: Tue, 18 Feb 2025 17:55:46 -0800
Subject: [PATCH] Fix: Host-header Injection in Password Reset & Email Verification

---
 controllers/user.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/controllers/user.js b/controllers/user.js
index 54ae5fcbd..73a69e89a 100644
--- a/controllers/user.js
+++ b/controllers/user.js
@@ -385,7 +385,7 @@ exports.getVerifyEmail = (req, res, next) => {
 subject: 'Please verify your email address on Hackathon Starter',
 text: `Thank you for registering with hackathon-starter.\n\n
 To verify your email address, please click on the following link, or paste this into your browser:\n\n
- http://${req.headers.host}/account/verify/${token}\n\n
+ ${process.env.BASE_URL}/account/verify/${token}\n\n
 \n\n
 Thank you!`
 };
@@ -522,7 +522,7 @@ exports.postForgot = (req, res, next) => {
 subject: 'Reset your password on Hackathon Starter',
 text: `You are receiving this email because you (or someone else) have requested the reset of the password for your account.\n\n
 Please click on the following link, or paste this into your browser to complete the process:\n\n
- http://${req.headers.host}/reset/${token}\n\n
+ ${process.env.BASE_URL}/reset/${token}\n\n
 If you did not request this, please ignore this email and your password will remain unchanged.\n`
 };
 const mailSettings = {
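Review bot: The added link line in the first hunk renders as `undefined/account/verify/<token>` when BASE_URL is not set, because `process.env.BASE_URL` is interpolated into the template with no check, and the second hunk has the same problem on its `/reset/${token}` line; the mail is still sent, so a misconfigured deployment silently breaks both verification and password reset instead of failing. Building the link with the URL constructor, `new URL('/account/verify/' + token, process.env.BASE_URL).href` (and the `/reset/` equivalent), throws on a missing or malformed base and also tolerates a trailing slash in the variable, which the current string concatenation does not; a startup-time check that BASE_URL is present would be the cleaner alternative. The value has to be the public origin users should reach, scheme included (a constructed example: `https://example.test`), and that expectation is worth a comment next to the env sample since the old code derived the scheme itself. Both `getVerifyEmail` and `postForgot` start outside their hunks.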