
[Bug]: URL parameter injection in email callback redirect #255

@taheerahmed

Summary

The message query parameter in /api/auth/email-callback is interpolated into the redirect URL without encoding, allowing parameter injection.

Actual behavior

redirect(`${next}?message=${message}&type=update_email`)

A crafted URL like /api/auth/email-callback?message=foo%26error%3Dinjected would produce:

/dashboard/account?message=foo&error=injected&type=update_email

The &error=injected part breaks out of the message parameter and injects an additional query param. This is inconsistent with encodedRedirect() used elsewhere in the same file (line 21), which properly encodes values.

Expected behavior

The message value should be encoded before interpolation to prevent parameter injection.

Fix

redirect(`${next}?message=${encodeURIComponent(message)}&type=update_email`)

Both redirect calls on lines 17 and 27 are affected.
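Added example (not the project's code and not the reporter's): the two redirect constructions from this report side by side, with a parser that reads the resulting query string the way the receiving page would, so the extra `error` parameter in the unencoded build and its absence in the encoded build are both observable. The helper names `buildRedirectUnsafe`, `buildRedirectSafe`, `parseQuery` and `injectedParams` are hypothetical, and the base origin passed to `URL` is a constructed placeholder.

```javascript
// Added example, not the project's code. Contrasts the unencoded redirect
// template from the issue with the encodeURIComponent() fix. Helper names
// are hypothetical.

// Mirrors the vulnerable template: `${next}?message=${message}&type=update_email`
function buildRedirectUnsafe(next, message) {
  return `${next}?message=${message}&type=update_email`;
}

// Mirrors the proposed fix: encode the untrusted value before interpolation.
function buildRedirectSafe(next, message) {
  return `${next}?message=${encodeURIComponent(message)}&type=update_email`;
}

// Parse the query string of a redirect target the way the receiving page
// would, returning a plain object of parameter names to decoded values.
function parseQuery(location) {
  // Base origin is a constructed placeholder; only the path and query matter.
  const url = new URL(location, "https://example.invalid");
  return Object.fromEntries(url.searchParams.entries());
}

// Names of any parameters other than the two the handler intends to emit.
// A non-empty result means the message value broke out of its parameter.
function injectedParams(location) {
  const params = parseQuery(location);
  return Object.keys(params).filter((k) => k !== "message" && k !== "type");
}

// The `message` value as the handler sees it: the framework has already
// URL-decoded the query string, so "foo%26error%3Dinjected" on the wire
// arrives as "foo&error=injected".
const decodedMessage = decodeURIComponent("foo%26error%3Dinjected");

const unsafe = buildRedirectUnsafe("/dashboard/account", decodedMessage);
const safe = buildRedirectSafe("/dashboard/account", decodedMessage);

console.log("unsafe:", unsafe, parseQuery(unsafe), injectedParams(unsafe));
console.log("safe:  ", safe, parseQuery(safe), injectedParams(safe));
```

`injectedParams` doubles as a regression check for the fix: run it over the handler's redirect target in a test, and any value that adds a parameter beyond `message` and `type` fails the build.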
