update

Co-authored-by: Dhruwang <dhruwangjariwala18@gmail.com>

.env.example

@@ -185,6 +185,14 @@ ENTERPRISE_LICENSE_KEY=
 # Ignore Rate Limiting across the Formbricks app
 # RATE_LIMITING_DISABLED=1
 
+# Disable telemetry reporting (usage stats sent to Formbricks). Ignored when an EE license is active.
+# TELEMETRY_DISABLED=1
+
+# Allow webhook URLs to point to internal/private network addresses (e.g. localhost, 192.168.x.x)
+# WARNING: Only enable this if you understand the SSRF risks. Useful for self-hosted instances
+# that need to send webhooks to internal services.
+# DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS=1
+
 # OpenTelemetry OTLP endpoint (base URL, exporters append /v1/traces and /v1/metrics)
 # OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318
 # OTEL_EXPORTER_OTLP_PROTOCOL=http/protobuf

apps/web/app/api/(internal)/pipeline/lib/telemetry.test.ts

@@ -51,8 +51,19 @@ vi.mock("@/lib/env", () => ({
     RECAPTCHA_SECRET_KEY: "secret-key",
     GITHUB_ID: "github-id",
     SAML_DATABASE_URL: "postgresql://saml.example.com/formbricks",
+    ENTERPRISE_LICENSE_KEY: "test-license-key",
   },
 }));
+vi.mock("@/lib/constants", () => ({
+  E2E_TESTING: false,
+  TELEMETRY_DISABLED: false,
+}));
+vi.mock("@/lib/hash-string", () => ({
+  hashString: vi.fn((s: string) => `hashed-${s}`),
+}));
+vi.mock("@/modules/ee/license-check/lib/license", () => ({
+  getEnterpriseLicense: vi.fn(),
+}));
 
 // Mock fetch
 const fetchMock = vi.fn();
@@ -199,6 +210,10 @@ describe("sendTelemetryEvents", () => {
   test("should handle telemetry send failure and apply cooldown", async () => {
     // Reset module to clear nextTelemetryCheck state from previous tests
     vi.resetModules();
+    vi.doMock("@/lib/constants", () => ({ E2E_TESTING: false, TELEMETRY_DISABLED: false }));
+    vi.doMock("@/modules/ee/license-check/lib/license", () => ({
+      getEnterpriseLicense: vi.fn().mockResolvedValue({ active: false }),
+    }));
     const { sendTelemetryEvents: freshSendTelemetryEvents } = await import("./telemetry");
 
     // Ensure we can acquire lock by setting last sent time far in the past
@@ -221,6 +236,7 @@ describe("sendTelemetryEvents", () => {
       expect.objectContaining({
         error: networkError,
         message: "Network error",
+        hashedLicenseKey: "hashed-test-license-key",
       }),
       "Failed to send telemetry - applying 1h cooldown"
     );
@@ -242,6 +258,10 @@ describe("sendTelemetryEvents", () => {
   test("should skip if no organization exists", async () => {
     // Reset module to clear nextTelemetryCheck state from previous tests
     vi.resetModules();
+    vi.doMock("@/lib/constants", () => ({ E2E_TESTING: false, TELEMETRY_DISABLED: false }));
+    vi.doMock("@/modules/ee/license-check/lib/license", () => ({
+      getEnterpriseLicense: vi.fn().mockResolvedValue({ active: false }),
+    }));
     const { sendTelemetryEvents: freshSendTelemetryEvents } = await import("./telemetry");
 
     // Ensure we can acquire lock by setting last sent time far in the past
@@ -276,4 +296,83 @@ describe("sendTelemetryEvents", () => {
     // This might be a bug, but we test the actual behavior
     expect(mockCacheService.set).toHaveBeenCalled();
   });
+
+  test("should skip telemetry when TELEMETRY_DISABLED is true and no active EE license", async () => {
+    vi.resetModules();
+    vi.doMock("@/lib/constants", () => ({ E2E_TESTING: false, TELEMETRY_DISABLED: true }));
+    vi.doMock("@/modules/ee/license-check/lib/license", () => ({
+      getEnterpriseLicense: vi.fn().mockResolvedValue({ active: false }),
+    }));
+    const { sendTelemetryEvents: freshSendTelemetryEvents } = await import("./telemetry");
+
+    await freshSendTelemetryEvents();
+
+    // Should return early without touching cache or sending telemetry
+    expect(getCacheService).not.toHaveBeenCalled();
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+
+  test("should send telemetry when TELEMETRY_DISABLED is true but EE license is active", async () => {
+    vi.resetModules();
+    vi.doMock("@/lib/constants", () => ({ E2E_TESTING: false, TELEMETRY_DISABLED: true }));
+    vi.doMock("@/modules/ee/license-check/lib/license", () => ({
+      getEnterpriseLicense: vi.fn().mockResolvedValue({ active: true }),
+    }));
+    const { sendTelemetryEvents: freshSendTelemetryEvents } = await import("./telemetry");
+
+    // Re-setup mocks after resetModules
+    vi.mocked(getCacheService).mockResolvedValue({
+      ok: true,
+      data: mockCacheService as any,
+    });
+    mockCacheService.tryLock.mockResolvedValue({ ok: true, data: true });
+    mockCacheService.del.mockResolvedValue({ ok: true, data: undefined });
+    mockCacheService.get.mockResolvedValue({ ok: true, data: null });
+    mockCacheService.set.mockResolvedValue({ ok: true, data: undefined });
+
+    vi.mocked(prisma.organization.findFirst).mockResolvedValue({
+      id: "org-123",
+      createdAt: new Date("2023-01-01"),
+    } as any);
+    vi.mocked(prisma.$queryRaw).mockResolvedValue([
+      {
+        organizationCount: BigInt(1),
+        userCount: BigInt(5),
+        teamCount: BigInt(2),
+        projectCount: BigInt(3),
+        surveyCount: BigInt(10),
+        inProgressSurveyCount: BigInt(4),
+        completedSurveyCount: BigInt(6),
+        responseCountAllTime: BigInt(100),
+        responseCountSinceLastUpdate: BigInt(10),
+        displayCount: BigInt(50),
+        contactCount: BigInt(20),
+        segmentCount: BigInt(4),
+        newestResponseAt: new Date("2024-01-01T00:00:00.000Z"),
+      },
+    ] as any);
+    vi.mocked(prisma.integration.findMany).mockResolvedValue([{ type: IntegrationType.notion }] as any);
+    vi.mocked(prisma.account.findMany).mockResolvedValue([{ provider: "github" }] as any);
+    fetchMock.mockResolvedValue({ ok: true });
+
+    await freshSendTelemetryEvents();
+
+    // EE license active — telemetry should bypass TELEMETRY_DISABLED and send
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+  });
+
+  test("should unconditionally skip when E2E_TESTING is true even with active EE license", async () => {
+    vi.resetModules();
+    vi.doMock("@/lib/constants", () => ({ E2E_TESTING: true, TELEMETRY_DISABLED: false }));
+    vi.doMock("@/modules/ee/license-check/lib/license", () => ({
+      getEnterpriseLicense: vi.fn().mockResolvedValue({ active: true }),
+    }));
+    const { sendTelemetryEvents: freshSendTelemetryEvents } = await import("./telemetry");
+
+    await freshSendTelemetryEvents();
+
+    // E2E_TESTING is a hard skip — no EE bypass, no cache, no fetch
+    expect(getCacheService).not.toHaveBeenCalled();
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
 });

apps/web/app/api/(internal)/pipeline/lib/telemetry.ts

@@ -2,8 +2,11 @@ import { IntegrationType } from "@prisma/client";
 import { createCacheKey, getCacheService } from "@formbricks/cache";
 import { prisma } from "@formbricks/database";
 import { logger } from "@formbricks/logger";
+import { E2E_TESTING, TELEMETRY_DISABLED } from "@/lib/constants";
 import { env } from "@/lib/env";
+import { hashString } from "@/lib/hash-string";
 import { getInstanceInfo } from "@/lib/instance";
+import { getEnterpriseLicense } from "@/modules/ee/license-check/lib/license";
 import packageJson from "@/package.json";
 
 const TELEMETRY_INTERVAL_MS = 24 * 60 * 60 * 1000; // 24 hours
@@ -24,8 +27,34 @@ let nextTelemetryCheck = 0;
  * 2. Redis check (shared across instances, persists across restarts)
  * 3. Distributed lock (prevents concurrent execution in multi-instance deployments)
  */
+// Hashed license key for log context — allows correlating log entries to a specific license
+// without exposing the raw key. Computed once at module load.
+const hashedLicenseKey = env.ENTERPRISE_LICENSE_KEY ? hashString(env.ENTERPRISE_LICENSE_KEY) : null;
+
 export const sendTelemetryEvents = async () => {
   try {
+    // ============================================================
+    // CHECK 0a: E2E Testing Hard Skip
+    // ============================================================
+    // Purpose: Unconditionally skip telemetry in test/CI environments.
+    // No EE bypass — E2E_TESTING is an internal flag, not customer-facing.
+    if (E2E_TESTING) {
+      return;
+    }
+
+    // ============================================================
+    // CHECK 0b: Telemetry Disabled Check
+    // ============================================================
+    // Purpose: Allow CE self-hosters to opt out of telemetry via env var.
+    // EE bypass: If an active Enterprise License is detected, telemetry is always sent
+    // regardless of the TELEMETRY_DISABLED setting to enforce license compliance.
+    if (TELEMETRY_DISABLED) {
+      const license = await getEnterpriseLicense();
+      if (!license.active) {
+        return;
+      }
+    }
+
     const now = Date.now();
 
     // ============================================================
@@ -100,7 +129,7 @@ export const sendTelemetryEvents = async () => {
       // Log as warning since telemetry is non-essential
       const errorMessage = e instanceof Error ? e.message : String(e);
       logger.warn(
-        { error: e, message: errorMessage, lastSent, now },
+        { error: e, message: errorMessage, lastSent, now, hashedLicenseKey },
         "Failed to send telemetry - applying 1h cooldown"
       );
 
@@ -118,7 +147,7 @@ export const sendTelemetryEvents = async () => {
     // Log as warning since telemetry is non-essential functionality
     const errorMessage = error instanceof Error ? error.message : String(error);
     logger.warn(
-      { error, message: errorMessage, timestamp: Date.now() },
+      { error, message: errorMessage, timestamp: Date.now(), hashedLicenseKey },
       "Unexpected error in sendTelemetryEvents wrapper - telemetry check skipped"
     );
   }

apps/web/app/api/auth/[...nextauth]/route.test.ts

@@ -0,0 +1,139 @@
+import { afterEach, beforeEach, describe, expect, test, vi } from "vitest";
+import { GET } from "./route";
+
+const mocks = vi.hoisted(() => {
+  const nextAuthHandler = vi.fn(async () => new Response(null, { status: 200 }));
+  const nextAuth = vi.fn(() => nextAuthHandler);
+
+  return {
+    nextAuth,
+    nextAuthHandler,
+    baseSignIn: vi.fn(async () => true),
+    baseSession: vi.fn(async ({ session }: { session: unknown }) => session),
+    baseEventSignIn: vi.fn(),
+    queueAuditEventBackground: vi.fn(),
+    captureException: vi.fn(),
+    loggerError: vi.fn(),
+  };
+});
+
+vi.mock("next-auth", () => ({
+  default: mocks.nextAuth,
+}));
+
+vi.mock("@/lib/constants", () => ({
+  IS_PRODUCTION: false,
+  SENTRY_DSN: undefined,
+}));
+
+vi.mock("@sentry/nextjs", () => ({
+  captureException: mocks.captureException,
+}));
+
+vi.mock("@formbricks/logger", () => ({
+  logger: {
+    withContext: vi.fn(() => ({
+      error: mocks.loggerError,
+    })),
+  },
+}));
+
+vi.mock("@/modules/auth/lib/authOptions", () => ({
+  authOptions: {
+    callbacks: {
+      signIn: mocks.baseSignIn,
+      session: mocks.baseSession,
+    },
+    events: {
+      signIn: mocks.baseEventSignIn,
+    },
+  },
+}));
+
+vi.mock("@/modules/ee/audit-logs/lib/handler", () => ({
+  queueAuditEventBackground: mocks.queueAuditEventBackground,
+}));
+
+const getWrappedAuthOptions = async (requestId: string = "req-123") => {
+  const request = new Request("http://localhost/api/auth/signin", {
+    headers: { "x-request-id": requestId },
+  });
+
+  await GET(request, {} as any);
+
+  expect(mocks.nextAuth).toHaveBeenCalledTimes(1);
+
+  return mocks.nextAuth.mock.calls[0][0];
+};
+
+describe("auth route audit logging", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  afterEach(() => {
+    vi.clearAllMocks();
+  });
+
+  test("logs successful sign-in from the NextAuth signIn event after session creation", async () => {
+    const authOptions = await getWrappedAuthOptions();
+    const user = { id: "user_1", email: "user@example.com", name: "User Example" };
+    const account = { provider: "keycloak" };
+
+    await expect(authOptions.callbacks.signIn({ user, account })).resolves.toBe(true);
+    expect(mocks.queueAuditEventBackground).not.toHaveBeenCalled();
+
+    await authOptions.events.signIn({ user, account, isNewUser: false });
+
+    expect(mocks.baseEventSignIn).toHaveBeenCalledWith({ user, account, isNewUser: false });
+    expect(mocks.queueAuditEventBackground).toHaveBeenCalledWith(
+      expect.objectContaining({
+        action: "signedIn",
+        targetType: "user",
+        userId: "user_1",
+        targetId: "user_1",
+        organizationId: "unknown",
+        status: "success",
+        userType: "user",
+        newObject: expect.objectContaining({
+          email: "user@example.com",
+          authMethod: "sso",
+          provider: "keycloak",
+          sessionStrategy: "database",
+          isNewUser: false,
+        }),
+      })
+    );
+  });
+
+  test("logs failed sign-in attempts from the callback stage with the request event id", async () => {
+    const error = new Error("Access denied");
+    mocks.baseSignIn.mockRejectedValueOnce(error);
+
+    const authOptions = await getWrappedAuthOptions("req-failure");
+    const user = { id: "user_2", email: "user2@example.com" };
+    const account = { provider: "credentials" };
+
+    await expect(authOptions.callbacks.signIn({ user, account })).rejects.toThrow("Access denied");
+
+    expect(mocks.baseEventSignIn).not.toHaveBeenCalled();
+    expect(mocks.queueAuditEventBackground).toHaveBeenCalledWith(
+      expect.objectContaining({
+        action: "signedIn",
+        targetType: "user",
+        userId: "user_2",
+        targetId: "user_2",
+        organizationId: "unknown",
+        status: "failure",
+        userType: "user",
+        eventId: "req-failure",
+        newObject: expect.objectContaining({
+          email: "user2@example.com",
+          authMethod: "password",
+          provider: "credentials",
+          errorMessage: "Access denied",
+        }),
+      })
+    );
+  });
+});

apps/web/app/api/auth/[...nextauth]/route.ts

@@ -6,10 +6,26 @@ import { logger } from "@formbricks/logger";
 import { IS_PRODUCTION, SENTRY_DSN } from "@/lib/constants";
 import { authOptions as baseAuthOptions } from "@/modules/auth/lib/authOptions";
 import { queueAuditEventBackground } from "@/modules/ee/audit-logs/lib/handler";
-import { TAuditStatus, UNKNOWN_DATA } from "@/modules/ee/audit-logs/types/audit-log";
+import { UNKNOWN_DATA } from "@/modules/ee/audit-logs/types/audit-log";
 
 export const fetchCache = "force-no-store";
 
+const getAuthMethod = (account: Account | null) => {
+  if (account?.provider === "credentials") {
+    return "password";
+  }
+
+  if (account?.provider === "token") {
+    return "email_verification";
+  }
+
+  if (account?.provider) {
+    return "sso";
+  }
+
+  return "unknown";
+};
+
 const handler = async (req: Request, ctx: any) => {
   const eventId = req.headers.get("x-request-id") ?? undefined;
 
@@ -17,44 +33,6 @@ const handler = async (req: Request, ctx: any) => {
     ...baseAuthOptions,
     callbacks: {
       ...baseAuthOptions.callbacks,
-      async jwt(params: any) {
-        let result: any = params.token;
-        let error: any = undefined;
-
-        try {
-          if (baseAuthOptions.callbacks?.jwt) {
-            result = await baseAuthOptions.callbacks.jwt(params);
-          }
-        } catch (err) {
-          error = err;
-          logger.withContext({ eventId, err }).error("JWT callback failed");
-
-          if (SENTRY_DSN && IS_PRODUCTION) {
-            Sentry.captureException(err);
-          }
-        }
-
-        // Audit JWT operations (token refresh, updates)
-        if (params.trigger && params.token?.profile?.id) {
-          const status: TAuditStatus = error ? "failure" : "success";
-          const auditLog = {
-            action: "jwtTokenCreated" as const,
-            targetType: "user" as const,
-            userId: params.token.profile.id,
-            targetId: params.token.profile.id,
-            organizationId: UNKNOWN_DATA,
-            status,
-            userType: "user" as const,
-            newObject: { trigger: params.trigger, tokenType: "jwt" },
-            ...(error ? { eventId } : {}),
-          };
-
-          queueAuditEventBackground(auditLog);
-        }
-
-        if (error) throw error;
-        return result;
-      },
       async session(params: any) {
         let result: any = params.session;
         let error: any = undefined;
@@ -90,7 +68,7 @@ const handler = async (req: Request, ctx: any) => {
       }) {
         let result: boolean | string = true;
         let error: any = undefined;
-        let authMethod = "unknown";
+        const authMethod = getAuthMethod(account);
 
         try {
           if (baseAuthOptions.callbacks?.signIn) {
@@ -102,15 +80,6 @@ const handler = async (req: Request, ctx: any) => {
               credentials,
             });
           }
-
-          // Determine authentication method for more detailed logging
-          if (account?.provider === "credentials") {
-            authMethod = "password";
-          } else if (account?.provider === "token") {
-            authMethod = "email_verification";
-          } else if (account?.provider && account.provider !== "credentials") {
-            authMethod = "sso";
-          }
         } catch (err) {
           error = err;
           result = false;
@@ -122,30 +91,60 @@ const handler = async (req: Request, ctx: any) => {
           }
         }
 
-        const status: TAuditStatus = result === false ? "failure" : "success";
-        const auditLog = {
-          action: "signedIn" as const,
-          targetType: "user" as const,
-          userId: user?.id ?? UNKNOWN_DATA,
-          targetId: user?.id ?? UNKNOWN_DATA,
-          organizationId: UNKNOWN_DATA,
-          status,
-          userType: "user" as const,
-          newObject: {
-            ...user,
-            authMethod,
-            provider: account?.provider,
-            ...(error ? { errorMessage: error.message } : {}),
-          },
-          ...(status === "failure" ? { eventId } : {}),
-        };
-
-        queueAuditEventBackground(auditLog);
+        if (result === false) {
+          queueAuditEventBackground({
+            action: "signedIn",
+            targetType: "user",
+            userId: user?.id ?? UNKNOWN_DATA,
+            targetId: user?.id ?? UNKNOWN_DATA,
+            organizationId: UNKNOWN_DATA,
+            status: "failure",
+            userType: "user",
+            newObject: {
+              ...user,
+              authMethod,
+              provider: account?.provider,
+              ...(error instanceof Error ? { errorMessage: error.message } : {}),
+            },
+            eventId,
+          });
+        }
 
         if (error) throw error;
         return result;
       },
     },
+    events: {
+      ...baseAuthOptions.events,
+      async signIn({ user, account, isNewUser }: any) {
+        try {
+          await baseAuthOptions.events?.signIn?.({ user, account, isNewUser });
+        } catch (err) {
+          logger.withContext({ eventId, err }).error("Sign-in event callback failed");
+
+          if (SENTRY_DSN && IS_PRODUCTION) {
+            Sentry.captureException(err);
+          }
+        }
+
+        queueAuditEventBackground({
+          action: "signedIn",
+          targetType: "user",
+          userId: user?.id ?? UNKNOWN_DATA,
+          targetId: user?.id ?? UNKNOWN_DATA,
+          organizationId: UNKNOWN_DATA,
+          status: "success",
+          userType: "user",
+          newObject: {
+            ...user,
+            authMethod: getAuthMethod(account),
+            provider: account?.provider,
+            sessionStrategy: "database",
+            isNewUser: isNewUser ?? false,
+          },
+        });
+      },
+    },
   };
 
   return NextAuth(authOptions)(req, ctx);

apps/web/lib/account/service.test.ts

@@ -0,0 +1,97 @@
+import { Prisma } from "@prisma/client";
+import { beforeEach, describe, expect, test, vi } from "vitest";
+import { upsertAccount } from "./service";
+
+const { mockUpsert } = vi.hoisted(() => ({
+  mockUpsert: vi.fn(),
+}));
+
+vi.mock("@formbricks/database", () => ({
+  prisma: {
+    account: {
+      upsert: mockUpsert,
+    },
+  },
+}));
+
+describe("account service", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  test("upsertAccount keeps user ownership immutable on update", async () => {
+    const accountData = {
+      userId: "user-1",
+      type: "oauth",
+      provider: "google",
+      providerAccountId: "provider-1",
+      access_token: "access-token",
+      refresh_token: "refresh-token",
+      expires_at: 123,
+      scope: "openid email",
+      token_type: "Bearer",
+      id_token: "id-token",
+    };
+
+    mockUpsert.mockResolvedValue({
+      id: "account-1",
+      createdAt: new Date(),
+      updatedAt: new Date(),
+      ...accountData,
+    });
+
+    await upsertAccount(accountData);
+
+    expect(mockUpsert).toHaveBeenCalledWith({
+      where: {
+        provider_providerAccountId: {
+          provider: "google",
+          providerAccountId: "provider-1",
+        },
+      },
+      create: accountData,
+      update: {
+        access_token: "access-token",
+        refresh_token: "refresh-token",
+        expires_at: 123,
+        scope: "openid email",
+        token_type: "Bearer",
+        id_token: "id-token",
+      },
+    });
+  });
+
+  test("upsertAccount wraps Prisma known request errors", async () => {
+    const prismaError = Object.assign(Object.create(Prisma.PrismaClientKnownRequestError.prototype), {
+      message: "duplicate account",
+    });
+
+    mockUpsert.mockRejectedValue(prismaError);
+
+    await expect(
+      upsertAccount({
+        userId: "user-1",
+        type: "oauth",
+        provider: "google",
+        providerAccountId: "provider-1",
+      })
+    ).rejects.toMatchObject({
+      name: "DatabaseError",
+      message: "duplicate account",
+    });
+  });
+
+  test("upsertAccount rethrows non-Prisma errors", async () => {
+    const error = new Error("unexpected failure");
+    mockUpsert.mockRejectedValue(error);
+
+    await expect(
+      upsertAccount({
+        userId: "user-1",
+        type: "oauth",
+        provider: "google",
+        providerAccountId: "provider-1",
+      })
+    ).rejects.toThrow("unexpected failure");
+  });
+});

apps/web/lib/account/service.ts

@@ -20,3 +20,36 @@ export const createAccount = async (accountData: TAccountInput): Promise<TAccoun
     throw error;
   }
 };
+
+export const upsertAccount = async (accountData: TAccountInput): Promise<TAccount> => {
+  const [validatedAccountData] = validateInputs([accountData, ZAccountInput]);
+  const updateAccountData: Omit<TAccountInput, "userId" | "type" | "provider" | "providerAccountId"> = {
+    access_token: validatedAccountData.access_token,
+    refresh_token: validatedAccountData.refresh_token,
+    expires_at: validatedAccountData.expires_at,
+    scope: validatedAccountData.scope,
+    token_type: validatedAccountData.token_type,
+    id_token: validatedAccountData.id_token,
+  };
+
+  try {
+    const account = await prisma.account.upsert({
+      where: {
+        provider_providerAccountId: {
+          provider: validatedAccountData.provider,
+          providerAccountId: validatedAccountData.providerAccountId,
+        },
+      },
+      create: validatedAccountData,
+      update: updateAccountData,
+    });
+
+    return account;
+  } catch (error) {
+    if (error instanceof Prisma.PrismaClientKnownRequestError) {
+      throw new DatabaseError(error.message);
+    }
+
+    throw error;
+  }
+};

apps/web/lib/constants.ts

@@ -26,6 +26,7 @@ export const TERMS_URL = env.TERMS_URL;
 export const IMPRINT_URL = env.IMPRINT_URL;
 export const IMPRINT_ADDRESS = env.IMPRINT_ADDRESS;
 
+export const DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS = env.DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS === "1";
 export const PASSWORD_RESET_DISABLED = env.PASSWORD_RESET_DISABLED === "1";
 export const EMAIL_VERIFICATION_DISABLED = env.EMAIL_VERIFICATION_DISABLED === "1";
 
@@ -152,6 +153,7 @@ export const ENTERPRISE_LICENSE_KEY = env.ENTERPRISE_LICENSE_KEY;
 
 export const REDIS_URL = env.REDIS_URL;
 export const RATE_LIMITING_DISABLED = env.RATE_LIMITING_DISABLED === "1";
+export const TELEMETRY_DISABLED = env.TELEMETRY_DISABLED === "1";
 
 export const BREVO_API_KEY = env.BREVO_API_KEY;
 export const BREVO_LIST_ID = env.BREVO_LIST_ID;

apps/web/lib/env.ts

@@ -15,6 +15,7 @@ export const env = createEnv({
     BREVO_API_KEY: z.string().optional(),
     BREVO_LIST_ID: z.string().optional(),
     DATABASE_URL: z.url(),
+    DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS: z.enum(["1", "0"]).optional(),
     DEBUG: z.enum(["1", "0"]).optional(),
     AUTH_DEFAULT_TEAM_ID: z.string().optional(),
     AUTH_SKIP_INVITE_FOR_SSO: z.enum(["1", "0"]).optional(),
@@ -65,6 +66,7 @@ export const env = createEnv({
       .optional()
       .or(z.string().refine((str) => str === "")),
     RATE_LIMITING_DISABLED: z.enum(["1", "0"]).optional(),
+    TELEMETRY_DISABLED: z.enum(["1", "0"]).optional(),
     S3_ACCESS_KEY: z.string().optional(),
     S3_BUCKET_NAME: z.string().optional(),
     S3_REGION: z.string().optional(),
@@ -141,6 +143,7 @@ export const env = createEnv({
     BREVO_LIST_ID: process.env.BREVO_LIST_ID,
     CRON_SECRET: process.env.CRON_SECRET,
     DATABASE_URL: process.env.DATABASE_URL,
+    DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS: process.env.DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS,
     DEBUG: process.env.DEBUG,
     AUTH_DEFAULT_TEAM_ID: process.env.AUTH_SSO_DEFAULT_TEAM_ID,
     AUTH_SKIP_INVITE_FOR_SSO: process.env.AUTH_SKIP_INVITE_FOR_SSO,
@@ -183,6 +186,7 @@ export const env = createEnv({
     PASSWORD_RESET_DISABLED: process.env.PASSWORD_RESET_DISABLED,
     PRIVACY_URL: process.env.PRIVACY_URL,
     RATE_LIMITING_DISABLED: process.env.RATE_LIMITING_DISABLED,
+    TELEMETRY_DISABLED: process.env.TELEMETRY_DISABLED,
     S3_ACCESS_KEY: process.env.S3_ACCESS_KEY,
     S3_BUCKET_NAME: process.env.S3_BUCKET_NAME,
     S3_REGION: process.env.S3_REGION,

apps/web/lib/utils/validate-webhook-url.test.ts

@@ -9,6 +9,10 @@ vi.mock("node:dns", () => ({
   },
 }));
 
+vi.mock("../constants", () => ({
+  DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS: false,
+}));
+
 const mockResolve = vi.mocked(dns.resolve);
 const mockResolve6 = vi.mocked(dns.resolve6);
 
@@ -294,4 +298,78 @@ describe("validateWebhookUrl", () => {
       });
     });
   });
+
+  describe("DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS", () => {
+    test("allows private IP URLs when enabled", async () => {
+      vi.doMock("../constants", () => ({
+        DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS: true,
+      }));
+
+      const { validateWebhookUrl: validateWithFlag } = await import("./validate-webhook-url");
+      await expect(validateWithFlag("http://127.0.0.1/")).resolves.toBeUndefined();
+      await expect(validateWithFlag("http://192.168.1.1/test")).resolves.toBeUndefined();
+      await expect(validateWithFlag("http://10.0.0.1/webhook")).resolves.toBeUndefined();
+    });
+
+    test("allows localhost when enabled", async () => {
+      vi.doMock("../constants", () => ({
+        DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS: true,
+      }));
+
+      const { validateWebhookUrl: validateWithFlag } = await import("./validate-webhook-url");
+      await expect(validateWithFlag("http://localhost/webhook")).resolves.toBeUndefined();
+      await expect(validateWithFlag("http://localhost:3333/webhook")).resolves.toBeUndefined();
+    });
+
+    test("allows localhost.localdomain when enabled", async () => {
+      vi.doMock("../constants", () => ({
+        DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS: true,
+      }));
+
+      const { validateWebhookUrl: validateWithFlag } = await import("./validate-webhook-url");
+      await expect(validateWithFlag("http://localhost.localdomain/path")).resolves.toBeUndefined();
+    });
+
+    test("allows hostname resolving to private IP when enabled", async () => {
+      vi.doMock("../constants", () => ({
+        DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS: true,
+      }));
+
+      setupDnsResolution(["192.168.1.1"]);
+      const { validateWebhookUrl: validateWithFlag } = await import("./validate-webhook-url");
+      await expect(validateWithFlag("https://internal.company.com/webhook")).resolves.toBeUndefined();
+    });
+
+    test("still rejects unresolvable hostnames when enabled", async () => {
+      vi.doMock("../constants", () => ({
+        DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS: true,
+      }));
+
+      setupDnsResolution(null, null);
+      const { validateWebhookUrl: validateWithFlag } = await import("./validate-webhook-url");
+      await expect(validateWithFlag("https://typo-gibberish.invalid/hook")).rejects.toThrow(
+        "Could not resolve webhook URL hostname"
+      );
+    });
+
+    test("still rejects invalid URL format when enabled", async () => {
+      vi.doMock("../constants", () => ({
+        DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS: true,
+      }));
+
+      const { validateWebhookUrl: validateWithFlag } = await import("./validate-webhook-url");
+      await expect(validateWithFlag("not-a-url")).rejects.toThrow("Invalid webhook URL format");
+    });
+
+    test("still rejects non-HTTP protocols when enabled", async () => {
+      vi.doMock("../constants", () => ({
+        DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS: true,
+      }));
+
+      const { validateWebhookUrl: validateWithFlag } = await import("./validate-webhook-url");
+      await expect(validateWithFlag("ftp://192.168.1.1/")).rejects.toThrow(
+        "Webhook URL must use HTTPS or HTTP protocol"
+      );
+    });
+  });
 });

apps/web/lib/utils/validate-webhook-url.ts

@@ -1,6 +1,7 @@
 import "server-only";
 import dns from "node:dns";
 import { InvalidInputError } from "@formbricks/types/errors";
+import { DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS } from "../constants";
 
 const BLOCKED_HOSTNAMES = new Set([
   "localhost",
@@ -139,8 +140,10 @@ export const validateWebhookUrl = async (url: string): Promise<void> => {
 
   const hostname = parsed.hostname;
 
-  if (BLOCKED_HOSTNAMES.has(hostname.toLowerCase())) {
-    throw new InvalidInputError("Webhook URL must not point to localhost or internal services");
+  if (!DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS) {
+    if (BLOCKED_HOSTNAMES.has(hostname.toLowerCase())) {
+      throw new InvalidInputError("Webhook URL must not point to localhost or internal services");
+    }
   }
 
   // Direct IP literal — validate without DNS resolution
@@ -149,12 +152,17 @@ export const validateWebhookUrl = async (url: string): Promise<void> => {
 
   if (isIPv4Literal || isIPv6Literal) {
     const ip = isIPv6Literal ? stripIPv6Brackets(hostname) : hostname;
-    if (isPrivateIP(ip)) {
+    if (!DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS && isPrivateIP(ip)) {
       throw new InvalidInputError("Webhook URL must not point to private or internal IP addresses");
     }
     return;
   }
 
+  // Skip DNS resolution for localhost-like hostnames when internal URLs are allowed since these are resolved via /etc/hosts and not DNS
+  if (DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS && BLOCKED_HOSTNAMES.has(hostname.toLowerCase())) {
+    return;
+  }
+
   // Domain name — resolve DNS and validate every resolved IP
   let resolvedIPs: string[];
   try {
@@ -168,9 +176,11 @@ export const validateWebhookUrl = async (url: string): Promise<void> => {
     );
   }
 
-  for (const ip of resolvedIPs) {
-    if (isPrivateIP(ip)) {
-      throw new InvalidInputError("Webhook URL must not point to private or internal IP addresses");
+  if (!DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS) {
+    for (const ip of resolvedIPs) {
+      if (isPrivateIP(ip)) {
+        throw new InvalidInputError("Webhook URL must not point to private or internal IP addresses");
+      }
     }
   }
 };

apps/web/modules/auth/lib/authOptions.test.ts

@@ -10,6 +10,25 @@ import { authOptions } from "./authOptions";
 import { mockUser } from "./mock-data";
 import { hashPassword } from "./utils";
 
+vi.mock("@next-auth/prisma-adapter", () => ({
+  PrismaAdapter: vi.fn(() => ({
+    createUser: vi.fn(),
+    getUser: vi.fn(),
+    getUserByEmail: vi.fn(),
+    getUserByAccount: vi.fn(),
+    updateUser: vi.fn(),
+    deleteUser: vi.fn(),
+    linkAccount: vi.fn(),
+    unlinkAccount: vi.fn(),
+    createSession: vi.fn(),
+    getSessionAndUser: vi.fn(),
+    updateSession: vi.fn(),
+    deleteSession: vi.fn(),
+    createVerificationToken: vi.fn(),
+    useVerificationToken: vi.fn(),
+  })),
+}));
+
 // Mock encryption utilities
 vi.mock("@/lib/encryption", () => ({
   symmetricEncrypt: vi.fn((value: string) => `encrypted_${value}`),
@@ -300,51 +319,20 @@ describe("authOptions", () => {
   });
 
   describe("Callbacks", () => {
-    describe("jwt callback", () => {
-      test("should add profile information to token if user is found", async () => {
-        vi.spyOn(prisma.user, "findFirst").mockResolvedValue({
-          id: mockUser.id,
-          locale: mockUser.locale,
-          email: mockUser.email,
-          emailVerified: mockUser.emailVerified,
-        } as any);
-
-        const token = { email: mockUser.email };
-        if (!authOptions.callbacks?.jwt) {
-          throw new Error("jwt callback is not defined");
-        }
-        const result = await authOptions.callbacks.jwt({ token } as any);
-        expect(result).toEqual({
-          ...token,
-          profile: { id: mockUser.id },
-        });
-      });
-
-      test("should return token unchanged if no existing user is found", async () => {
-        vi.spyOn(prisma.user, "findFirst").mockResolvedValue(null);
-
-        const token = { email: "nonexistent@example.com" };
-        if (!authOptions.callbacks?.jwt) {
-          throw new Error("jwt callback is not defined");
-        }
-        const result = await authOptions.callbacks.jwt({ token } as any);
-        expect(result).toEqual(token);
-      });
-    });
-
     describe("session callback", () => {
-      test("should add user profile to session", async () => {
-        const token = {
-          id: "user6",
-          profile: { id: "user6", email: "user6@example.com" },
-        };
+      test("should add user id and isActive to session from database user", async () => {
+        const session = { user: { email: "user6@example.com" } };
+        const user = { id: "user6", isActive: false };
 
-        const session = { user: {} };
         if (!authOptions.callbacks?.session) {
           throw new Error("session callback is not defined");
         }
-        const result = await authOptions.callbacks.session({ session, token } as any);
-        expect(result.user).toEqual(token.profile);
+        const result = await authOptions.callbacks.session({ session, user } as any);
+        expect(result.user).toEqual({
+          email: "user6@example.com",
+          id: "user6",
+          isActive: false,
+        });
       });
     });
 

apps/web/modules/auth/lib/authOptions.ts

@@ -1,3 +1,4 @@
+import { PrismaAdapter } from "@next-auth/prisma-adapter";
 import type { NextAuthOptions } from "next-auth";
 import CredentialsProvider from "next-auth/providers/credentials";
 import { cookies } from "next/headers";
@@ -13,7 +14,7 @@ import {
 } from "@/lib/constants";
 import { symmetricDecrypt, symmetricEncrypt } from "@/lib/crypto";
 import { verifyToken } from "@/lib/jwt";
-import { getUserByEmail, updateUser, updateUserLastLoginAt } from "@/modules/auth/lib/user";
+import { updateUser, updateUserLastLoginAt } from "@/modules/auth/lib/user";
 import {
   logAuthAttempt,
   logAuthEvent,
@@ -31,6 +32,7 @@ import { handleSsoCallback } from "@/modules/ee/sso/lib/sso-handlers";
 import { createBrevoCustomer } from "./brevo";
 
 export const authOptions: NextAuthOptions = {
+  adapter: PrismaAdapter(prisma),
   providers: [
     CredentialsProvider({
       id: "credentials",
@@ -310,30 +312,17 @@ export const authOptions: NextAuthOptions = {
     ...(ENTERPRISE_LICENSE_KEY ? getSSOProviders() : []),
   ],
   session: {
+    strategy: "database",
     maxAge: SESSION_MAX_AGE,
   },
   callbacks: {
-    async jwt({ token }) {
-      const existingUser = await getUserByEmail(token?.email!);
-
-      if (!existingUser) {
-        return token;
+    async session({ session, user }) {
+      if (session.user) {
+        session.user.id = user.id;
+        if ("isActive" in user && typeof user.isActive === "boolean") {
+          session.user.isActive = user.isActive;
+        }
       }
-
-      return {
-        ...token,
-        profile: { id: existingUser.id },
-        isActive: existingUser.isActive,
-      };
-    },
-    async session({ session, token }) {
-      // @ts-expect-error
-      session.user.id = token?.id;
-      // @ts-expect-error
-      session.user = token.profile;
-      // @ts-expect-error
-      session.user.isActive = token.isActive;
-
       return session;
     },
     async signIn({ user, account }) {

apps/web/modules/auth/lib/proxy-session.test.ts

@@ -0,0 +1,115 @@
+import { beforeEach, describe, expect, test, vi } from "vitest";
+import { getProxySession, getSessionTokenFromRequest } from "./proxy-session";
+
+const { mockFindUnique } = vi.hoisted(() => ({
+  mockFindUnique: vi.fn(),
+}));
+
+vi.mock("@formbricks/database", () => ({
+  prisma: {
+    session: {
+      findUnique: mockFindUnique,
+    },
+  },
+}));
+
+const createRequest = (cookies: Record<string, string> = {}) => ({
+  cookies: {
+    get: (name: string) => {
+      const value = cookies[name];
+      return value ? { value } : undefined;
+    },
+  },
+});
+
+describe("proxy-session", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  test("reads the secure session cookie when present", () => {
+    const request = createRequest({
+      "__Secure-next-auth.session-token": "secure-token",
+    });
+
+    expect(getSessionTokenFromRequest(request)).toBe("secure-token");
+  });
+
+  test("returns null when no session cookie is present", async () => {
+    const request = createRequest();
+
+    const session = await getProxySession(request);
+
+    expect(session).toBeNull();
+    expect(mockFindUnique).not.toHaveBeenCalled();
+  });
+
+  test("returns null when the session is expired", async () => {
+    mockFindUnique.mockResolvedValue({
+      userId: "user-1",
+      expires: new Date(Date.now() - 60_000),
+      user: {
+        isActive: true,
+      },
+    });
+
+    const request = createRequest({
+      "next-auth.session-token": "expired-token",
+    });
+
+    const session = await getProxySession(request);
+
+    expect(session).toBeNull();
+    expect(mockFindUnique).toHaveBeenCalledWith({
+      where: {
+        sessionToken: "expired-token",
+      },
+      select: {
+        userId: true,
+        expires: true,
+        user: {
+          select: {
+            isActive: true,
+          },
+        },
+      },
+    });
+  });
+
+  test("returns null when the session belongs to an inactive user", async () => {
+    mockFindUnique.mockResolvedValue({
+      userId: "user-1",
+      expires: new Date(Date.now() + 60_000),
+      user: {
+        isActive: false,
+      },
+    });
+
+    const request = createRequest({
+      "next-auth.session-token": "inactive-user-token",
+    });
+
+    const session = await getProxySession(request);
+
+    expect(session).toBeNull();
+  });
+
+  test("returns the session when the cookie maps to a valid session", async () => {
+    const validSession = {
+      userId: "user-1",
+      expires: new Date(Date.now() + 60_000),
+      user: {
+        isActive: true,
+      },
+    };
+    mockFindUnique.mockResolvedValue(validSession);
+
+    const request = createRequest({
+      "next-auth.session-token": "valid-token",
+    });
+
+    const session = await getProxySession(request);
+
+    expect(session).toEqual(validSession);
+  });
+});

apps/web/modules/auth/lib/proxy-session.ts

@@ -0,0 +1,54 @@
+import { prisma } from "@formbricks/database";
+
+const NEXT_AUTH_SESSION_COOKIE_NAMES = [
+  "__Secure-next-auth.session-token",
+  "next-auth.session-token",
+] as const;
+
+type TCookieStore = {
+  get: (name: string) => { value: string } | undefined;
+};
+
+type TRequestWithCookies = {
+  cookies: TCookieStore;
+};
+
+export const getSessionTokenFromRequest = (request: TRequestWithCookies): string | null => {
+  for (const cookieName of NEXT_AUTH_SESSION_COOKIE_NAMES) {
+    const cookie = request.cookies.get(cookieName);
+    if (cookie?.value) {
+      return cookie.value;
+    }
+  }
+
+  return null;
+};
+
+export const getProxySession = async (request: TRequestWithCookies) => {
+  const sessionToken = getSessionTokenFromRequest(request);
+
+  if (!sessionToken) {
+    return null;
+  }
+
+  const session = await prisma.session.findUnique({
+    where: {
+      sessionToken,
+    },
+    select: {
+      userId: true,
+      expires: true,
+      user: {
+        select: {
+          isActive: true,
+        },
+      },
+    },
+  });
+
+  if (!session || session.expires <= new Date() || session.user.isActive === false) {
+    return null;
+  }
+
+  return session;
+};

apps/web/modules/ee/billing/actions.test.ts

@@ -106,10 +106,7 @@ describe("billing actions", () => {
     });
     expect(mocks.getOrganization).toHaveBeenCalledWith("org_1");
     expect(mocks.ensureStripeCustomerForOrganization).toHaveBeenCalledWith("org_1");
-    expect(mocks.reconcileCloudStripeSubscriptionsForOrganization).toHaveBeenCalledWith(
-      "org_1",
-      "start-hobby"
-    );
+    expect(mocks.reconcileCloudStripeSubscriptionsForOrganization).toHaveBeenCalledWith("org_1");
     expect(mocks.syncOrganizationBillingFromStripe).toHaveBeenCalledWith("org_1");
     expect(result).toEqual({ success: true });
   });
@@ -128,10 +125,7 @@ describe("billing actions", () => {
     } as any);
 
     expect(mocks.ensureStripeCustomerForOrganization).not.toHaveBeenCalled();
-    expect(mocks.reconcileCloudStripeSubscriptionsForOrganization).toHaveBeenCalledWith(
-      "org_1",
-      "start-hobby"
-    );
+    expect(mocks.reconcileCloudStripeSubscriptionsForOrganization).toHaveBeenCalledWith("org_1");
     expect(mocks.syncOrganizationBillingFromStripe).toHaveBeenCalledWith("org_1");
     expect(result).toEqual({ success: true });
   });
@@ -145,7 +139,7 @@ describe("billing actions", () => {
     expect(mocks.getOrganization).toHaveBeenCalledWith("org_1");
     expect(mocks.ensureStripeCustomerForOrganization).toHaveBeenCalledWith("org_1");
     expect(mocks.createProTrialSubscription).toHaveBeenCalledWith("org_1", "cus_1");
-    expect(mocks.reconcileCloudStripeSubscriptionsForOrganization).toHaveBeenCalledWith("org_1", "pro-trial");
+    expect(mocks.reconcileCloudStripeSubscriptionsForOrganization).toHaveBeenCalledWith("org_1");
     expect(mocks.syncOrganizationBillingFromStripe).toHaveBeenCalledWith("org_1");
     expect(result).toEqual({ success: true });
   });
@@ -165,7 +159,7 @@ describe("billing actions", () => {
 
     expect(mocks.ensureStripeCustomerForOrganization).not.toHaveBeenCalled();
     expect(mocks.createProTrialSubscription).toHaveBeenCalledWith("org_1", "cus_existing");
-    expect(mocks.reconcileCloudStripeSubscriptionsForOrganization).toHaveBeenCalledWith("org_1", "pro-trial");
+    expect(mocks.reconcileCloudStripeSubscriptionsForOrganization).toHaveBeenCalledWith("org_1");
     expect(mocks.syncOrganizationBillingFromStripe).toHaveBeenCalledWith("org_1");
     expect(result).toEqual({ success: true });
   });

apps/web/modules/ee/billing/actions.ts

@@ -216,7 +216,7 @@ export const startHobbyAction = authenticatedActionClient
       throw new ResourceNotFoundError("OrganizationBilling", parsedInput.organizationId);
     }
 
-    await reconcileCloudStripeSubscriptionsForOrganization(parsedInput.organizationId, "start-hobby");
+    await reconcileCloudStripeSubscriptionsForOrganization(parsedInput.organizationId);
     await syncOrganizationBillingFromStripe(parsedInput.organizationId);
     return { success: true };
   });
@@ -248,7 +248,7 @@ export const startProTrialAction = authenticatedActionClient
     }
 
     await createProTrialSubscription(parsedInput.organizationId, customerId);
-    await reconcileCloudStripeSubscriptionsForOrganization(parsedInput.organizationId, "pro-trial");
+    await reconcileCloudStripeSubscriptionsForOrganization(parsedInput.organizationId);
     await syncOrganizationBillingFromStripe(parsedInput.organizationId);
     return { success: true };
   });

apps/web/modules/ee/billing/api/lib/stripe-webhook.ts

@@ -150,7 +150,7 @@ export const webhookHandler = async (requestBody: string, stripeSignature: strin
       await handleSetupCheckoutCompleted(event.data.object, stripe);
     }
 
-    await reconcileCloudStripeSubscriptionsForOrganization(organizationId, event.id);
+    await reconcileCloudStripeSubscriptionsForOrganization(organizationId);
     await syncOrganizationBillingFromStripe(organizationId, {
       id: event.id,
       created: event.created,

apps/web/modules/ee/billing/lib/organization-billing.test.ts

@@ -1905,7 +1905,7 @@ describe("organization-billing", () => {
         items: [{ price: "price_hobby_monthly", quantity: 1 }],
         metadata: { organizationId: "org_1" },
       },
-      { idempotencyKey: "ensure-hobby-subscription-org_1-bootstrap" }
+      { idempotencyKey: "ensure-hobby-subscription-org_1-0" }
     );
     expect(mocks.prismaOrganizationBillingUpdate).toHaveBeenCalledWith({
       where: { organizationId: "org_1" },
@@ -1974,7 +1974,7 @@ describe("organization-billing", () => {
       ],
     });
 
-    await reconcileCloudStripeSubscriptionsForOrganization("org_1", "evt_123");
+    await reconcileCloudStripeSubscriptionsForOrganization("org_1");
 
     expect(mocks.subscriptionsCancel).toHaveBeenCalledWith("sub_hobby", { prorate: false });
     expect(mocks.subscriptionsCreate).not.toHaveBeenCalled();

apps/web/modules/ee/billing/lib/organization-billing.ts

@@ -458,18 +458,21 @@ const resolvePendingChangeEffectiveAt = (
 const ensureHobbySubscription = async (
   organizationId: string,
   customerId: string,
-  idempotencySuffix: string
+  subscriptionCount: number
 ): Promise<void> => {
   if (!stripeClient) return;
   const hobbyItems = await getCatalogItemsForPlan("hobby", "monthly");
 
+  // Include subscriptionCount so the key is stable across concurrent calls (same
+  // count → same key → Stripe deduplicates) but changes after a cancellation
+  // (count increases → new key → allows legitimate re-creation).
   await stripeClient.subscriptions.create(
     {
       customer: customerId,
       items: hobbyItems,
       metadata: { organizationId },
     },
-    { idempotencyKey: `ensure-hobby-subscription-${organizationId}-${idempotencySuffix}` }
+    { idempotencyKey: `ensure-hobby-subscription-${organizationId}-${subscriptionCount}` }
   );
 };
 
@@ -1264,8 +1267,7 @@ export const findOrganizationIdByStripeCustomerId = async (customerId: string):
 };
 
 export const reconcileCloudStripeSubscriptionsForOrganization = async (
-  organizationId: string,
-  idempotencySuffix = "reconcile"
+  organizationId: string
 ): Promise<void> => {
   const client = stripeClient;
   if (!IS_FORMBRICKS_CLOUD || !client) return;
@@ -1342,12 +1344,14 @@ export const reconcileCloudStripeSubscriptionsForOrganization = async (
     // (e.g. webhook + bootstrap) both seeing 0 and creating duplicate hobbies.
     const freshSubscriptions = await client.subscriptions.list({
       customer: customerId,
-      status: "active",
-      limit: 1,
+      status: "all",
+      limit: 20,
     });
 
-    if (freshSubscriptions.data.length === 0) {
-      await ensureHobbySubscription(organizationId, customerId, idempotencySuffix);
+    const freshActive = freshSubscriptions.data.filter((sub) => ACTIVE_SUBSCRIPTION_STATUSES.has(sub.status));
+
+    if (freshActive.length === 0) {
+      await ensureHobbySubscription(organizationId, customerId, freshSubscriptions.data.length);
     }
   }
 };
@@ -1355,6 +1359,6 @@ export const reconcileCloudStripeSubscriptionsForOrganization = async (
 export const ensureCloudStripeSetupForOrganization = async (organizationId: string): Promise<void> => {
   if (!IS_FORMBRICKS_CLOUD || !stripeClient) return;
   await ensureStripeCustomerForOrganization(organizationId);
-  await reconcileCloudStripeSubscriptionsForOrganization(organizationId, "bootstrap");
+  await reconcileCloudStripeSubscriptionsForOrganization(organizationId);
   await syncOrganizationBillingFromStripe(organizationId);
 };

apps/web/modules/ee/sso/lib/sso-handlers.ts

@@ -3,7 +3,7 @@ import type { Account } from "next-auth";
 import { prisma } from "@formbricks/database";
 import { logger } from "@formbricks/logger";
 import type { TUser, TUserNotificationSettings } from "@formbricks/types/user";
-import { createAccount } from "@/lib/account/service";
+import { upsertAccount } from "@/lib/account/service";
 import { DEFAULT_TEAM_ID, SKIP_INVITE_FOR_SSO } from "@/lib/constants";
 import { getIsFreshInstance } from "@/lib/instance/service";
 import { verifyInviteToken } from "@/lib/jwt";
@@ -23,6 +23,21 @@ import {
 import { getFirstOrganization } from "@/modules/ee/sso/lib/organization";
 import { createDefaultTeamMembership, getOrganizationByTeamId } from "@/modules/ee/sso/lib/team";
 
+const syncSsoAccount = async (userId: string, account: Account) => {
+  await upsertAccount({
+    userId,
+    type: account.type,
+    provider: account.provider,
+    providerAccountId: account.providerAccountId,
+    ...(account.access_token !== undefined ? { access_token: account.access_token } : {}),
+    ...(account.refresh_token !== undefined ? { refresh_token: account.refresh_token } : {}),
+    ...(account.expires_at !== undefined ? { expires_at: account.expires_at } : {}),
+    ...(account.scope !== undefined ? { scope: account.scope } : {}),
+    ...(account.token_type !== undefined ? { token_type: account.token_type } : {}),
+    ...(account.id_token !== undefined ? { id_token: account.id_token } : {}),
+  });
+};
+
 export const handleSsoCallback = async ({
   user,
   account,
@@ -108,6 +123,7 @@ export const handleSsoCallback = async ({
       // User with this provider found
       // check if email still the same
       if (existingUserWithAccount.email === user.email) {
+        await syncSsoAccount(existingUserWithAccount.id, account);
         contextLogger.debug(
           { existingUserId: existingUserWithAccount.id },
           "SSO callback successful: existing user, email matches"
@@ -133,6 +149,7 @@ export const handleSsoCallback = async ({
         );
 
         await updateUser(existingUserWithAccount.id, { email: user.email });
+        await syncSsoAccount(existingUserWithAccount.id, account);
         return true;
       }
 
@@ -154,6 +171,7 @@ export const handleSsoCallback = async ({
     const existingUserWithEmail = await getUserByEmail(user.email);
 
     if (existingUserWithEmail) {
+      await syncSsoAccount(existingUserWithEmail.id, account);
       contextLogger.debug(
         { existingUserId: existingUserWithEmail.id, action: "existing_user_login" },
         "SSO callback successful: existing user found by email"
@@ -342,6 +360,7 @@ export const handleSsoCallback = async ({
 
     // send new user to brevo
     createBrevoCustomer({ id: userProfile.id, email: userProfile.email });
+    await syncSsoAccount(userProfile.id, account);
 
     if (isMultiOrgEnabled) {
       contextLogger.debug(
@@ -358,10 +377,6 @@ export const handleSsoCallback = async ({
         "Assigning user to organization"
       );
       await createMembership(organization.id, userProfile.id, { role: "member", accepted: true });
-      await createAccount({
-        ...account,
-        userId: userProfile.id,
-      });
 
       if (SKIP_INVITE_FOR_SSO && DEFAULT_TEAM_ID) {
         contextLogger.debug(

apps/web/modules/ee/sso/lib/tests/sso-handlers.test.ts

@@ -1,6 +1,7 @@
 import { beforeEach, describe, expect, test, vi } from "vitest";
 import { prisma } from "@formbricks/database";
 import type { TUser } from "@formbricks/types/user";
+import { upsertAccount } from "@/lib/account/service";
 import { createMembership } from "@/lib/membership/service";
 import { createOrganization, getOrganization } from "@/lib/organization/service";
 import { findMatchingLocale } from "@/lib/utils/locale";
@@ -62,7 +63,7 @@ vi.mock("@/modules/ee/sso/lib/team", () => ({
 }));
 
 vi.mock("@/lib/account/service", () => ({
-  createAccount: vi.fn(),
+  upsertAccount: vi.fn(),
 }));
 
 vi.mock("@/lib/membership/service", () => ({
@@ -203,6 +204,36 @@ describe("handleSsoCallback", () => {
       });
     });
 
+    test("should not overwrite stored tokens when the provider omits them", async () => {
+      vi.mocked(prisma.user.findFirst).mockResolvedValue({
+        ...mockUser,
+        email: mockUser.email,
+        accounts: [{ provider: mockAccount.provider }],
+      } as any);
+
+      const result = await handleSsoCallback({
+        user: mockUser,
+        account: {
+          ...mockAccount,
+          access_token: undefined,
+          refresh_token: undefined,
+          expires_at: undefined,
+          scope: undefined,
+          token_type: undefined,
+          id_token: undefined,
+        },
+        callbackUrl: "http://localhost:3000",
+      });
+
+      expect(result).toBe(true);
+      expect(upsertAccount).toHaveBeenCalledWith({
+        userId: mockUser.id,
+        type: mockAccount.type,
+        provider: mockAccount.provider,
+        providerAccountId: mockAccount.providerAccountId,
+      });
+    });
+
     test("should update user email if user with account exists but email changed", async () => {
       const existingUser = {
         ...mockUser,

apps/web/modules/integrations/webhooks/components/add-webhook-button.tsx

@@ -11,9 +11,10 @@ import { AddWebhookModal } from "./add-webhook-modal";
 interface AddWebhookButtonProps {
   environment: TEnvironment;
   surveys: TSurvey[];
+  allowInternalUrls: boolean;
 }
 
-export const AddWebhookButton = ({ environment, surveys }: AddWebhookButtonProps) => {
+export const AddWebhookButton = ({ environment, surveys, allowInternalUrls }: AddWebhookButtonProps) => {
   const { t } = useTranslation();
   const [isAddWebhookModalOpen, setAddWebhookModalOpen] = useState(false);
   return (
@@ -31,6 +32,7 @@ export const AddWebhookButton = ({ environment, surveys }: AddWebhookButtonProps
         surveys={surveys}
         open={isAddWebhookModalOpen}
         setOpen={setAddWebhookModalOpen}
+        allowInternalUrls={allowInternalUrls}
       />
     </>
   );

apps/web/modules/integrations/webhooks/components/add-webhook-modal.tsx

@@ -34,9 +34,16 @@ interface AddWebhookModalProps {
   open: boolean;
   surveys: TSurvey[];
   setOpen: (v: boolean) => void;
+  allowInternalUrls: boolean;
 }
 
-export const AddWebhookModal = ({ environmentId, surveys, open, setOpen }: AddWebhookModalProps) => {
+export const AddWebhookModal = ({
+  environmentId,
+  surveys,
+  open,
+  setOpen,
+  allowInternalUrls,
+}: AddWebhookModalProps) => {
   const router = useRouter();
   const {
     handleSubmit,
@@ -59,7 +66,7 @@ export const AddWebhookModal = ({ environmentId, surveys, open, setOpen }: AddWe
     sendSuccessToast: boolean
   ): Promise<{ success: boolean; secret?: string }> => {
     try {
-      const { valid, error } = validWebHookURL(testEndpointInput);
+      const { valid, error } = validWebHookURL(testEndpointInput, allowInternalUrls);
       if (!valid) {
         toast.error(error ?? t("common.something_went_wrong_please_try_again"));
         return { success: false };

apps/web/modules/integrations/webhooks/components/webhook-detail-modal.tsx

@@ -23,9 +23,17 @@ interface WebhookModalProps {
   webhook: Webhook;
   surveys: TSurvey[];
   isReadOnly: boolean;
+  allowInternalUrls: boolean;
 }
 
-export const WebhookModal = ({ open, setOpen, webhook, surveys, isReadOnly }: WebhookModalProps) => {
+export const WebhookModal = ({
+  open,
+  setOpen,
+  webhook,
+  surveys,
+  isReadOnly,
+  allowInternalUrls,
+}: WebhookModalProps) => {
   const { t, i18n } = useTranslation();
   const locale = (i18n.resolvedLanguage ?? i18n.language ?? "en-US") as TUserLocale;
   const [activeTab, setActiveTab] = useState(0);
@@ -38,7 +46,13 @@ export const WebhookModal = ({ open, setOpen, webhook, surveys, isReadOnly }: We
     {
       title: t("common.settings"),
       children: (
-        <WebhookSettingsTab webhook={webhook} surveys={surveys} setOpen={setOpen} isReadOnly={isReadOnly} />
+        <WebhookSettingsTab
+          webhook={webhook}
+          surveys={surveys}
+          setOpen={setOpen}
+          isReadOnly={isReadOnly}
+          allowInternalUrls={allowInternalUrls}
+        />
       ),
     },
   ];

apps/web/modules/integrations/webhooks/components/webhook-settings-tab.tsx

@@ -26,9 +26,16 @@ interface WebhookSettingsTabProps {
   surveys: TSurvey[];
   setOpen: (v: boolean) => void;
   isReadOnly: boolean;
+  allowInternalUrls: boolean;
 }
 
-export const WebhookSettingsTab = ({ webhook, surveys, setOpen, isReadOnly }: WebhookSettingsTabProps) => {
+export const WebhookSettingsTab = ({
+  webhook,
+  surveys,
+  setOpen,
+  isReadOnly,
+  allowInternalUrls,
+}: WebhookSettingsTabProps) => {
   const { t } = useTranslation();
   const router = useRouter();
   const { register, handleSubmit } = useForm({
@@ -60,7 +67,7 @@ export const WebhookSettingsTab = ({ webhook, surveys, setOpen, isReadOnly }: We
 
   const handleTestEndpoint = async (sendSuccessToast: boolean): Promise<boolean> => {
     try {
-      const { valid, error } = validWebHookURL(testEndpointInput);
+      const { valid, error } = validWebHookURL(testEndpointInput, allowInternalUrls);
       if (!valid) {
         toast.error(error ?? t("common.something_went_wrong_please_try_again"));
         return false;

apps/web/modules/integrations/webhooks/components/webhook-table.tsx

@@ -14,6 +14,7 @@ interface WebhookTableProps {
   surveys: TSurvey[];
   children: [JSX.Element, JSX.Element[]];
   isReadOnly: boolean;
+  allowInternalUrls: boolean;
 }
 
 export const WebhookTable = ({
@@ -22,6 +23,7 @@ export const WebhookTable = ({
   surveys,
   children: [TableHeading, webhookRows],
   isReadOnly,
+  allowInternalUrls,
 }: WebhookTableProps) => {
   const [isWebhookDetailModalOpen, setWebhookDetailModalOpen] = useState(false);
   const { t } = useTranslation();
@@ -71,6 +73,7 @@ export const WebhookTable = ({
         webhook={activeWebhook}
         surveys={surveys}
         isReadOnly={isReadOnly}
+        allowInternalUrls={allowInternalUrls}
       />
     </>
   );

apps/web/modules/integrations/webhooks/lib/utils.ts

@@ -1,4 +1,4 @@
-export const validWebHookURL = (urlInput: string) => {
+export const validWebHookURL = (urlInput: string, allowInternalUrls = false) => {
   const trimmedInput = urlInput.trim();
   if (!trimmedInput) {
     return { valid: false, error: "Please enter a URL" };
@@ -7,6 +7,13 @@ export const validWebHookURL = (urlInput: string) => {
   try {
     const url = new URL(trimmedInput);
 
+    if (allowInternalUrls) {
+      if (url.protocol !== "https:" && url.protocol !== "http:") {
+        return { valid: false, error: "URL must start with https:// or http://" };
+      }
+      return { valid: true };
+    }
+
     if (url.protocol !== "https:") {
       return { valid: false, error: "URL must start with https://" };
     }

apps/web/modules/integrations/webhooks/page.tsx

@@ -1,3 +1,4 @@
+import { DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS } from "@/lib/constants";
 import { getSurveys } from "@/lib/survey/service";
 import { getTranslate } from "@/lingodotdev/server";
 import { getEnvironmentAuth } from "@/modules/environments/lib/utils";
@@ -21,13 +22,24 @@ export const WebhooksPage = async (props: { params: Promise<{ environmentId: str
     getSurveys(params.environmentId, 200), // HOTFIX: not getting all surveys for now since it's maxing out the prisma accelerate limit
   ]);
 
-  const renderAddWebhookButton = () => <AddWebhookButton environment={environment} surveys={surveys} />;
+  const renderAddWebhookButton = () => (
+    <AddWebhookButton
+      environment={environment}
+      surveys={surveys}
+      allowInternalUrls={DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS}
+    />
+  );
 
   return (
     <PageContentWrapper>
       <GoBackButton />
       <PageHeader pageTitle={t("common.webhooks")} cta={!isReadOnly ? renderAddWebhookButton() : <></>} />
-      <WebhookTable environment={environment} webhooks={webhooks} surveys={surveys} isReadOnly={isReadOnly}>
+      <WebhookTable
+        environment={environment}
+        webhooks={webhooks}
+        surveys={surveys}
+        isReadOnly={isReadOnly}
+        allowInternalUrls={DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS}>
         <WebhookTableHeading />
         {webhooks.map((webhook) => (
           <WebhookRowData key={webhook.id} webhook={webhook} surveys={surveys} />

apps/web/modules/survey/editor/components/survey-menu-bar.tsx

@@ -72,6 +72,7 @@ export const SurveyMenuBar = ({
   const [lastAutoSaved, setLastAutoSaved] = useState<Date | null>(null);
   const isSuccessfullySavedRef = useRef(false);
   const isAutoSavingRef = useRef(false);
+  const isSurveyPublishingRef = useRef(false);
 
   // Refs for interval-based auto-save (to access current values without re-creating interval)
   const localSurveyRef = useRef(localSurvey);
@@ -269,8 +270,8 @@ export const SurveyMenuBar = ({
       // Skip if tab is not visible (no computation, no API calls for background tabs)
       if (document.hidden) return;
 
-      // Skip if already saving (manual or auto)
-      if (isAutoSavingRef.current || isSurveySavingRef.current) return;
+      // Skip if already saving, publishing, or auto-saving
+      if (isAutoSavingRef.current || isSurveySavingRef.current || isSurveyPublishingRef.current) return;
 
       // Check for changes using refs (avoids re-creating interval on every change)
       const { updatedAt: localUpdatedAt, ...localSurveyRest } = localSurveyRef.current;
@@ -289,10 +290,19 @@ export const SurveyMenuBar = ({
         } as unknown as TSurveyDraft);
 
         if (updatedSurveyResponse?.data) {
+          const savedData = updatedSurveyResponse.data;
+
+          // If the segment changed on the server (e.g., private segment was deleted when
+          // switching from app to link type), update localSurvey to prevent stale segment
+          // references when publishing
+          if (!isEqual(localSurveyRef.current.segment, savedData.segment)) {
+            setLocalSurvey({ ...localSurveyRef.current, segment: savedData.segment });
+          }
+
           // Update surveyRef (not localSurvey state) to prevent re-renders during auto-save.
           // This keeps the UI stable while still tracking that changes have been saved.
           // The comparison uses refs, so this prevents unnecessary re-saves.
-          surveyRef.current = { ...updatedSurveyResponse.data };
+          surveyRef.current = { ...savedData };
           isSuccessfullySavedRef.current = true;
           setLastAutoSaved(new Date());
         }
@@ -417,11 +427,13 @@ export const SurveyMenuBar = ({
   };
 
   const handleSurveyPublish = async () => {
+    isSurveyPublishingRef.current = true;
     setIsSurveyPublishing(true);
 
     const isSurveyValidatedWithZod = validateSurveyWithZod();
 
     if (!isSurveyValidatedWithZod) {
+      isSurveyPublishingRef.current = false;
       setIsSurveyPublishing(false);
       return;
     }
@@ -429,6 +441,7 @@ export const SurveyMenuBar = ({
     try {
       const isSurveyValidResult = isSurveyValid(localSurvey, selectedLanguageCode, t, responseCount);
       if (!isSurveyValidResult) {
+        isSurveyPublishingRef.current = false;
         setIsSurveyPublishing(false);
         return;
       }
@@ -445,10 +458,12 @@ export const SurveyMenuBar = ({
       if (!publishResult?.data) {
         const errorMessage = getFormattedErrorMessage(publishResult);
         toast.error(errorMessage);
+        isSurveyPublishingRef.current = false;
         setIsSurveyPublishing(false);
         return;
       }
 
+      isSurveyPublishingRef.current = false;
       setIsSurveyPublishing(false);
       // Set flag to prevent beforeunload warning during navigation
       isSuccessfullySavedRef.current = true;
@@ -456,6 +471,7 @@ export const SurveyMenuBar = ({
     } catch (error) {
       console.error(error);
       toast.error(t("environments.surveys.edit.error_publishing_survey"));
+      isSurveyPublishingRef.current = false;
       setIsSurveyPublishing(false);
     }
   };

apps/web/package.json

@@ -42,6 +42,7 @@
     "@lexical/react": "0.41.0",
     "@lexical/rich-text": "0.41.0",
     "@lexical/table": "0.41.0",
+    "@next-auth/prisma-adapter": "1.0.7",
     "@opentelemetry/auto-instrumentations-node": "0.71.0",
     "@opentelemetry/exporter-metrics-otlp-http": "0.213.0",
     "@opentelemetry/exporter-prometheus": "0.213.0",

apps/web/playwright/api/auth/security.spec.ts

@@ -485,5 +485,55 @@ test.describe("Authentication Security Tests - Vulnerability Prevention", () =>
 
       logger.info(`✅ Malformed request handled gracefully: status ${response.status()}`);
     });
+
+    test("should invalidate a copied session cookie after logout", async ({ page, browser, users }) => {
+      const user = await users.create();
+      await user.login();
+
+      const sessionCookie = (await page.context().cookies()).find((cookie) =>
+        cookie.name.includes("next-auth.session-token")
+      );
+
+      expect(sessionCookie).toBeDefined();
+
+      const preLogoutContext = await browser.newContext();
+      try {
+        await preLogoutContext.addCookies([sessionCookie!]);
+        const preLogoutPage = await preLogoutContext.newPage();
+        await preLogoutPage.goto("http://localhost:3000/environments");
+        await expect(preLogoutPage).not.toHaveURL(/\/auth\/login/);
+      } finally {
+        await preLogoutContext.close();
+      }
+
+      const signOutCsrfToken = await page
+        .context()
+        .request.get("/api/auth/csrf")
+        .then((response) => response.json())
+        .then((json) => json.csrfToken);
+
+      const signOutResponse = await page.context().request.post("/api/auth/signout", {
+        form: {
+          callbackUrl: "/auth/login",
+          csrfToken: signOutCsrfToken,
+          json: "true",
+        },
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded",
+        },
+      });
+
+      expect(signOutResponse.status()).not.toBe(500);
+
+      const replayContext = await browser.newContext();
+      try {
+        await replayContext.addCookies([sessionCookie!]);
+        const replayPage = await replayContext.newPage();
+        await replayPage.goto("http://localhost:3000/environments");
+        await expect(replayPage).toHaveURL(/\/auth\/login/);
+      } finally {
+        await replayContext.close();
+      }
+    });
   });
 });

apps/web/proxy.test.ts

@@ -0,0 +1,85 @@
+import { NextRequest } from "next/server";
+import { beforeEach, describe, expect, test, vi } from "vitest";
+import { proxy } from "./proxy";
+
+const { mockGetProxySession, mockIsPublicDomainConfigured, mockIsRequestFromPublicDomain } = vi.hoisted(
+  () => ({
+    mockGetProxySession: vi.fn(),
+    mockIsPublicDomainConfigured: vi.fn(),
+    mockIsRequestFromPublicDomain: vi.fn(),
+  })
+);
+
+vi.mock("@/modules/auth/lib/proxy-session", () => ({
+  getProxySession: mockGetProxySession,
+}));
+
+vi.mock("@/app/middleware/domain-utils", () => ({
+  isPublicDomainConfigured: mockIsPublicDomainConfigured,
+  isRequestFromPublicDomain: mockIsRequestFromPublicDomain,
+}));
+
+vi.mock("@/app/middleware/endpoint-validator", () => ({
+  isAuthProtectedRoute: (url: string) => url.startsWith("/environments"),
+  isRouteAllowedForDomain: vi.fn(() => true),
+}));
+
+vi.mock("@/lib/constants", () => ({
+  WEBAPP_URL: "http://localhost:3000",
+}));
+
+vi.mock("@/lib/utils/url", () => ({
+  isValidCallbackUrl: (url: string) => url.startsWith("http://localhost:3000"),
+}));
+
+vi.mock("@formbricks/logger", () => ({
+  logger: {
+    error: vi.fn(),
+  },
+}));
+
+describe("proxy", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockIsPublicDomainConfigured.mockReturnValue(false);
+    mockIsRequestFromPublicDomain.mockReturnValue(false);
+  });
+
+  test("redirects unauthenticated protected routes to login with callbackUrl", async () => {
+    mockGetProxySession.mockResolvedValue(null);
+
+    const response = await proxy(new NextRequest("http://localhost:3000/environments/test"));
+
+    expect(response.status).toBe(307);
+    expect(response.headers.get("location")).toBe(
+      "http://localhost:3000/auth/login?callbackUrl=http%3A%2F%2Flocalhost%3A3000%2Fenvironments%2Ftest"
+    );
+  });
+
+  test("rejects invalid callback URLs", async () => {
+    mockGetProxySession.mockResolvedValue(null);
+
+    const response = await proxy(
+      new NextRequest("http://localhost:3000/auth/login?callbackUrl=https%3A%2F%2Fevil.example")
+    );
+
+    expect(response.status).toBe(400);
+    await expect(response.json()).resolves.toEqual({ error: "Invalid callback URL" });
+  });
+
+  test("redirects authenticated callback requests to the callback URL", async () => {
+    mockGetProxySession.mockResolvedValue({
+      userId: "user-1",
+      expires: new Date(Date.now() + 60_000),
+    });
+
+    const response = await proxy(
+      new NextRequest(
+        "http://localhost:3000/auth/login?callbackUrl=http%3A%2F%2Flocalhost%3A3000%2Fenvironments%2Ftest"
+      )
+    );
+
+    expect(response.status).toBe(307);
+    expect(response.headers.get("location")).toBe("http://localhost:3000/environments/test");
+  });
+});

apps/web/proxy.ts

@@ -1,4 +1,3 @@
-import { getToken } from "next-auth/jwt";
 import { NextRequest, NextResponse } from "next/server";
 import { v4 as uuidv4 } from "uuid";
 import { logger } from "@formbricks/logger";
@@ -6,11 +5,12 @@ import { isPublicDomainConfigured, isRequestFromPublicDomain } from "@/app/middl
 import { isAuthProtectedRoute, isRouteAllowedForDomain } from "@/app/middleware/endpoint-validator";
 import { WEBAPP_URL } from "@/lib/constants";
 import { isValidCallbackUrl } from "@/lib/utils/url";
+import { getProxySession } from "@/modules/auth/lib/proxy-session";
 
 const handleAuth = async (request: NextRequest): Promise<Response | null> => {
-  const token = await getToken({ req: request as any });
+  const session = await getProxySession(request);
 
-  if (isAuthProtectedRoute(request.nextUrl.pathname) && !token) {
+  if (isAuthProtectedRoute(request.nextUrl.pathname) && !session) {
     const loginUrl = `${WEBAPP_URL}/auth/login?callbackUrl=${encodeURIComponent(WEBAPP_URL + request.nextUrl.pathname + request.nextUrl.search)}`;
     return NextResponse.redirect(loginUrl);
   }
@@ -21,7 +21,7 @@ const handleAuth = async (request: NextRequest): Promise<Response | null> => {
     return NextResponse.json({ error: "Invalid callback URL" }, { status: 400 });
   }
 
-  if (token && callbackUrl) {
+  if (session && callbackUrl) {
     return NextResponse.redirect(callbackUrl);
   }
 

apps/web/vite.config.mts

@@ -15,7 +15,7 @@ export default defineConfig({
       provider: "v8", // Use V8 as the coverage provider
       reporter: ["text", "html", "lcov"], // Generate text summary and HTML reports
       reportsDirectory: "./coverage", // Output coverage reports to the coverage/ directory
-      include: ["app/**/*.ts", "modules/**/*.ts", "lib/**/*.ts", "lingodotdev/**/*.ts"],
+      include: ["app/**/*.ts", "modules/**/*.ts", "lib/**/*.ts", "lingodotdev/**/*.ts", "proxy.ts"],
       exclude: [
         // Build and configuration files
         "**/.next/**", // Next.js build output

apps/web/vitestSetup.ts

@@ -240,5 +240,6 @@ vi.mock("@/lib/constants", () => ({
   MAIL_FROM: "mock@mail.com",
   MAIL_FROM_NAME: "Mock Mail",
   RATE_LIMITING_DISABLED: false,
+  TELEMETRY_DISABLED: false,
   CONTROL_HASH: "$2b$12$fzHf9le13Ss9UJ04xzmsjODXpFJxz6vsnupoepF5FiqDECkX2BH5q",
 }));

docker/docker-compose.yml

@@ -169,6 +169,9 @@ x-environment: &environment
     # Set the below to 1 to disable Rate Limiting across Formbricks
     # RATE_LIMITING_DISABLED: 1
 
+    # Set the below to 1 to disable telemetry reporting (ignored when EE license is active)
+    # TELEMETRY_DISABLED: 1
+
     # Set the below to send OpenTelemetry data via OTLP to your collector
     # OTEL_EXPORTER_OTLP_ENDPOINT: http://localhost:4318
     # OTEL_EXPORTER_OTLP_PROTOCOL: http/protobuf

docs/self-hosting/configuration/environment-variables.mdx

@@ -32,6 +32,8 @@ These variables are present inside your machine's docker-compose file. Restart t
 | PASSWORD_RESET_DISABLED      | Disables password reset functionality if set to 1.                                                                   | optional                                                |                                                                           |
 | EMAIL_VERIFICATION_DISABLED  | Disables email verification if set to 1.                                                                             | optional                                                |                                                                           |
 | RATE_LIMITING_DISABLED       | Disables rate limiting if set to 1.                                                                                  | optional                                                |                                                                           |
+| TELEMETRY_DISABLED           | Disables telemetry reporting if set to 1. Ignored when an Enterprise License is active.                              | optional                                                |                                                                           |
+| DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS | Allows webhook URLs to point to internal/private network addresses (e.g. localhost, 192.168.x.x) if set to 1. Useful for self-hosted instances that need to send webhooks to internal services. | optional                                                |                                                                           |
 | INVITE_DISABLED              | Disables the ability for invited users to create an account if set to 1.                                             | optional                                                |                                                                           |
 | MAIL_FROM                    | Email address to send emails from.                                                                                   | optional (required if email services are to be enabled) |                                                                           |
 | MAIL_FROM_NAME               | Email name/title to send emails from.                                                                                | optional (required if email services are to be enabled) |                                                                           |

docs/xm-and-surveys/core-features/integrations/webhooks.mdx

@@ -70,6 +70,18 @@ endpoint with [ngrok](https://ngrok.com/docs/universal-gateway/http).
   workflow while validating the webhook setup.
 </Note>
 
+### Allowing Internal URLs (Self-Hosted Only)
+
+By default, Formbricks blocks webhook URLs that point to private or internal IP addresses (e.g. `localhost`, `192.168.x.x`, `10.x.x.x`) to prevent [SSRF attacks](https://owasp.org/www-community/attacks/Server-Side_Request_Forgery). If you are self-hosting Formbricks and need to send webhooks to internal services, you can set the following environment variable:
+
+```sh
+DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS=1
+```
+
+<Warning>
+  Only enable this on trusted, self-hosted environments. Enabling this on a publicly accessible instance exposes your server to SSRF risks.
+</Warning>
+
 If you encounter any issues or need help setting up webhooks, feel free to reach out to us on [GitHub Discussions](https://github.com/formbricks/formbricks/discussions). 😃
 
 ---

packages/database/migration/20260325090000_add_auth_sessions/migration.sql

@@ -0,0 +1,30 @@
+-- CreateTable
+CREATE TABLE "Session" (
+    "id" TEXT NOT NULL,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3) NOT NULL,
+    "sessionToken" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    "expires" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "Session_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "VerificationToken" (
+    "identifier" TEXT NOT NULL,
+    "token" TEXT NOT NULL,
+    "expires" TIMESTAMP(3) NOT NULL
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Session_sessionToken_key" ON "Session"("sessionToken");
+
+-- CreateIndex
+CREATE INDEX "Session_userId_idx" ON "Session"("userId");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "VerificationToken_identifier_token_key" ON "VerificationToken"("identifier", "token");
+
+-- AddForeignKey
+ALTER TABLE "Session" ADD CONSTRAINT "Session_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;

packages/database/schema.prisma

@@ -853,6 +853,32 @@ model Account {
   @@index([userId])
 }
 
+/// Stores active authentication sessions for revocable server-side login state.
+///
+/// @property sessionToken - Opaque token stored in the browser cookie
+/// @property user - The Formbricks user who owns this session
+/// @property expires - Hard expiry for the session
+model Session {
+  id           String   @id @default(cuid())
+  createdAt    DateTime @default(now()) @map(name: "created_at")
+  updatedAt    DateTime @updatedAt @map(name: "updated_at")
+  sessionToken String   @unique
+  user         User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+  userId       String
+  expires      DateTime
+
+  @@index([userId])
+}
+
+/// Stores one-time verification tokens used by Auth.js adapter flows.
+model VerificationToken {
+  identifier String
+  token      String
+  expires    DateTime
+
+  @@unique([identifier, token])
+}
+
 /// Represents a user in the Formbricks system.
 /// Central model for user authentication and profile management.
 ///
@@ -878,6 +904,7 @@ model User {
   identityProviderAccountId String?
   memberships               Membership[]
   accounts                  Account[]
+  sessions                  Session[]
   groupId                   String?
   invitesCreated            Invite[]         @relation("inviteCreatedBy")
   invitesAccepted           Invite[]         @relation("inviteAcceptedBy")

packages/surveys/locales/et.json

@@ -0,0 +1,85 @@
+{
+  "common": {
+    "and": "ja",
+    "apply": "rakenda",
+    "auto_close_wrapper": "Automaatse sulgemise ümbris",
+    "back": "Tagasi",
+    "close_survey": "Sulge küsitlus",
+    "company_logo": "Ettevõtte logo",
+    "finish": "Lõpeta",
+    "language_switch": "Keele vahetamine",
+    "next": "Edasi",
+    "no_results_found": "Tulemusi ei leitud",
+    "open_in_new_tab": "Ava uuel vahelehel",
+    "people_responded": "{count, plural, one {1 inimene vastas} other {{count} inimest vastas}}",
+    "please_retry_now_or_try_again_later": "Palun proovi uuesti kohe või hiljem.",
+    "powered_by": "Teenust pakub",
+    "privacy_policy": "Privaatsuspoliitika",
+    "protected_by_reCAPTCHA_and_the_Google": "Kaitstud reCAPTCHA ja Google'i poolt",
+    "question": "Küsimus",
+    "question_video": "Küsimuse video",
+    "required": "Kohustuslik",
+    "respondents_will_not_see_this_card": "Vastajad ei näe seda kaarti",
+    "retry": "Proovi uuesti",
+    "retrying": "Proovin uuesti…",
+    "search": "Otsi...",
+    "select_option": "Vali variant",
+    "select_options": "Vali variandid",
+    "sending_responses": "Vastuste saatmine…",
+    "takes_less_than_x_minutes": "{count, plural, one {Võtab vähem kui 1 minuti} other {Võtab vähem kui {count} minutit}}",
+    "takes_x_minutes": "{count, plural, one {Võtab 1 minuti} other {Võtab {count} minutit}}",
+    "takes_x_plus_minutes": "Võtab {count}+ minutit",
+    "terms_of_service": "Teenusetingimused",
+    "the_servers_cannot_be_reached_at_the_moment": "Serveritega ei saa hetkel ühendust.",
+    "they_will_be_redirected_immediately": "Nad suunatakse kohe ümber",
+    "your_feedback_is_stuck": "Sinu tagasiside on kinni jäänud :("
+  },
+  "errors": {
+    "all_options_must_be_ranked": "Palun järjesta kõik variandid",
+    "all_rows_must_be_answered": "Palun vasta kõikidele ridadele",
+    "file_extension_must_be": "Faililaiend peab olema {extension}",
+    "file_extension_must_not_be": "Faililaiend ei tohi olla {extension}",
+    "file_input": {
+      "duplicate_files": "Järgmised failid on juba üles laaditud: {duplicateNames}. Duplikaatfailid ei ole lubatud.",
+      "file_size_exceeded": "Järgmised failid ületavad maksimaalse suuruse {maxSizeInMB} MB ja eemaldati: {fileNames}",
+      "file_size_exceeded_alert": "Fail peab olema väiksem kui {maxSizeInMB} MB",
+      "no_valid_file_types_selected": "Ühtegi kehtivat failitüüpi pole valitud. Palun vali kehtiv failitüüp.",
+      "only_one_file_can_be_uploaded_at_a_time": "Korraga saab üles laadida ainult ühe faili.",
+      "placeholder_text": "Klõpsa või lohista failide üleslaadimiseks",
+      "upload_failed": "Üleslaadimine ebaõnnestus! Palun proovi uuesti.",
+      "uploading": "Üleslaadimine...",
+      "you_can_only_upload_a_maximum_of_files": "Saad üles laadida maksimaalselt {FILE_LIMIT} faili."
+    },
+    "invalid_device_error": {
+      "message": "Palun keela küsitluse seadetes rämpsposti kaitse, et jätkata selle seadmega.",
+      "title": "See seade ei toeta rämpsposti kaitset."
+    },
+    "invalid_format": "Palun sisesta kehtiv vorming",
+    "is_between": "Palun vali kuupäev vahemikus {startDate} kuni {endDate}",
+    "is_earlier_than": "Palun vali kuupäev enne {date}",
+    "is_greater_than": "Palun sisesta väärtus, mis on suurem kui {min}",
+    "is_later_than": "Palun vali kuupäev pärast {date}",
+    "is_less_than": "Palun sisesta väärtus, mis on väiksem kui {max}",
+    "is_not_between": "Palun vali kuupäev, mis ei jää vahemikku {startDate} kuni {endDate}",
+    "max_length": "Palun sisesta mitte rohkem kui {max} tähemärki",
+    "max_selections": "Palun vali mitte rohkem kui {max} varianti",
+    "max_value": "Palun sisesta väärtus, mis ei ole suurem kui {max}",
+    "min_length": "Palun sisesta vähemalt {min} tähemärki",
+    "min_selections": "Palun vali vähemalt {min} varianti",
+    "min_value": "Palun sisesta väärtus vähemalt {min}",
+    "minimum_options_ranked": "Palun järjesta vähemalt {min} varianti",
+    "minimum_rows_answered": "Palun vasta vähemalt {min} reale",
+    "please_enter_a_valid_email_address": "Palun sisesta kehtiv e-posti aadress",
+    "please_enter_a_valid_phone_number": "Palun sisesta kehtiv telefoninumber",
+    "please_enter_a_valid_url": "Palun sisesta kehtiv URL",
+    "please_fill_out_this_field": "Palun täida see väli",
+    "recaptcha_error": {
+      "message": "Sinu vastust ei saanud esitada, kuna see märgiti automatiseeritud tegevuseks. Kui sa hingad, palun proovi uuesti.",
+      "title": "Me ei suutnud kinnitada, et sa oled inimene."
+    },
+    "value_must_contain": "Väärtus peab sisaldama {value}",
+    "value_must_equal": "Väärtus peab võrduma {value}",
+    "value_must_not_contain": "Väärtus ei tohi sisaldada {value}",
+    "value_must_not_equal": "Väärtus ei tohi võrduda {value}"
+  }
+}

packages/surveys/src/lib/i18n.config.ts

@@ -6,6 +6,7 @@ import daTranslations from "../../locales/da.json";
 import deTranslations from "../../locales/de.json";
 import enTranslations from "../../locales/en.json";
 import esTranslations from "../../locales/es.json";
+import etTranslations from "../../locales/et.json";
 import frTranslations from "../../locales/fr.json";
 import hiTranslations from "../../locales/hi.json";
 import huTranslations from "../../locales/hu.json";
@@ -30,6 +31,7 @@ i18n
       "de",
       "en",
       "es",
+      "et",
       "fr",
       "hi",
       "hu",
@@ -50,6 +52,7 @@ i18n
       de: { translation: deTranslations },
       en: { translation: enTranslations },
       es: { translation: esTranslations },
+      et: { translation: etTranslations },
       fr: { translation: frTranslations },
       hi: { translation: hiTranslations },
       hu: { translation: huTranslations },

packages/types/next-auth.d.ts

@@ -1,11 +1,13 @@
-import NextAuth from "next-auth";
-import { type TUser } from "./user";
+import NextAuth, { type DefaultSession } from "next-auth";
 
 declare module "next-auth" {
   /**
    * Returned by `useSession`, `getSession` and received as a prop on the `SessionProvider` React Context
    */
   interface Session {
-    user: { id: string };
+    user: DefaultSession["user"] & {
+      id: string;
+      isActive?: boolean;
+    };
   }
 }

patches/next-auth@4.24.13.patch

@@ -1,8 +1,30 @@
+diff --git a/core/lib/assert.js b/core/lib/assert.js
+--- a/core/lib/assert.js
++++ b/core/lib/assert.js
+@@ -52,12 +52,6 @@
+     if (provider.type === "credentials") hasCredentials = true;else if (provider.type === "email") hasEmail = true;else if (provider.id === "twitter" && provider.version === "2.0") hasTwitterOAuth2 = true;
+   }
+   if (hasCredentials) {
+-    var _options$session;
+-    const dbStrategy = ((_options$session = options.session) === null || _options$session === void 0 ? void 0 : _options$session.strategy) === "database";
+-    const onlyCredentials = !options.providers.some(p => p.type !== "credentials");
+-    if (dbStrategy && onlyCredentials) {
+-      return new _errors.UnsupportedStrategy("Signin in with credentials only supported if JWT strategy is enabled");
+-    }
+     const credentialsNoAuthorize = options.providers.some(p => p.type === "credentials" && !p.authorize);
+     if (credentialsNoAuthorize) {
+       return new _errors.MissingAuthorize("Must define an authorize() handler to use credentials authentication provider");
+@@ -80,4 +74,4 @@
+     warned = true;
+   }
+   return warnings;
+-}
+\ No newline at end of file
++}
 diff --git a/core/lib/oauth/client.js b/core/lib/oauth/client.js
-index 52c51eb6ff422dc0899ccec31baf3fa39e42eeae..472772cfefc2c2947536d6a22b022c2f9c27c61f 100644
 --- a/core/lib/oauth/client.js
 +++ b/core/lib/oauth/client.js
-@@ -5,9 +5,73 @@ Object.defineProperty(exports, "__esModule", {
+@@ -5,9 +5,73 @@
  });
  exports.openidClient = openidClient;
  var _openidClient = require("openid-client");
@@ -77,3 +99,199 @@ index 52c51eb6ff422dc0899ccec31baf3fa39e42eeae..472772cfefc2c2947536d6a22b022c2f
    let issuer;
    if (provider.wellKnown) {
      issuer = await _openidClient.Issuer.discover(provider.wellKnown);
+diff --git a/core/routes/callback.js b/core/routes/callback.js
+--- a/core/routes/callback.js
++++ b/core/routes/callback.js
+@@ -377,29 +377,48 @@
+         cookies
+       };
+     }
+-    const defaultToken = {
+-      name: user.name,
+-      email: user.email,
+-      picture: user.image,
+-      sub: (_user$id3 = user.id) === null || _user$id3 === void 0 ? void 0 : _user$id3.toString()
+-    };
+-    const token = await callbacks.jwt({
+-      token: defaultToken,
+-      user,
+-      account,
+-      isNewUser: false,
+-      trigger: "signIn"
+-    });
+-    const newToken = await jwt.encode({
+-      ...jwt,
+-      token
+-    });
+-    const cookieExpires = new Date();
+-    cookieExpires.setTime(cookieExpires.getTime() + sessionMaxAge * 1000);
+-    const sessionCookies = sessionStore.chunk(newToken, {
+-      expires: cookieExpires
+-    });
+-    cookies.push(...sessionCookies);
++    if (useJwtSession) {
++      const defaultToken = {
++        name: user.name,
++        email: user.email,
++        picture: user.image,
++        sub: (_user$id3 = user.id) === null || _user$id3 === void 0 ? void 0 : _user$id3.toString()
++      };
++      const token = await callbacks.jwt({
++        token: defaultToken,
++        user,
++        account,
++        isNewUser: false,
++        trigger: "signIn"
++      });
++      const newToken = await jwt.encode({
++        ...jwt,
++        token
++      });
++      const cookieExpires = new Date();
++      cookieExpires.setTime(cookieExpires.getTime() + sessionMaxAge * 1000);
++      const sessionCookies = sessionStore.chunk(newToken, {
++        expires: cookieExpires
++      });
++      cookies.push(...sessionCookies);
++    } else {
++      if (!adapter) {
++        throw new Error("Missing adapter");
++      }
++      const session = await adapter.createSession({
++        sessionToken: await options.session.generateSessionToken(),
++        userId: user.id,
++        expires: (0, _utils.fromDate)(options.session.maxAge)
++      });
++      cookies.push({
++        name: options.cookies.sessionToken.name,
++        value: session.sessionToken,
++        options: {
++          ...options.cookies.sessionToken.options,
++          expires: session.expires
++        }
++      });
++    }
+     await ((_events$signIn3 = events.signIn) === null || _events$signIn3 === void 0 ? void 0 : _events$signIn3.call(events, {
+       user,
+       account
+@@ -414,4 +433,4 @@
+     body: `Error: Callback for provider type ${provider.type} not supported`,
+     cookies
+   };
+-}
+\ No newline at end of file
++}
+diff --git a/src/core/lib/assert.ts b/src/core/lib/assert.ts
+--- a/src/core/lib/assert.ts
++++ b/src/core/lib/assert.ts
+@@ -101,16 +101,6 @@
+   }
+ 
+   if (hasCredentials) {
+-    const dbStrategy = options.session?.strategy === "database"
+-    const onlyCredentials = !options.providers.some(
+-      (p) => p.type !== "credentials"
+-    )
+-    if (dbStrategy && onlyCredentials) {
+-      return new UnsupportedStrategy(
+-        "Signin in with credentials only supported if JWT strategy is enabled"
+-      )
+-    }
+-
+     const credentialsNoAuthorize = options.providers.some(
+       (p) => p.type === "credentials" && !p.authorize
+     )
+diff --git a/src/core/routes/callback.ts b/src/core/routes/callback.ts
+--- a/src/core/routes/callback.ts
++++ b/src/core/routes/callback.ts
+@@ -1,6 +1,6 @@
+ import oAuthCallback from "../lib/oauth/callback"
+ import callbackHandler from "../lib/callback-handler"
+-import { hashToken } from "../lib/utils"
++import { fromDate, hashToken } from "../lib/utils"
+ import getAdapterUserFromEmail from "../lib/email/getUserFromEmail"
+ 
+ import type { InternalOptions } from "../types"
+@@ -385,37 +385,58 @@
+         )}`,
+         cookies,
+       }
+-    }
+-
+-    const defaultToken = {
+-      name: user.name,
+-      email: user.email,
+-      picture: user.image,
+-      sub: user.id?.toString(),
+     }
+ 
+-    const token = await callbacks.jwt({
+-      token: defaultToken,
+-      user,
+-      // @ts-expect-error
+-      account,
+-      isNewUser: false,
+-      trigger: "signIn",
+-    })
++    if (useJwtSession) {
++      const defaultToken = {
++        name: user.name,
++        email: user.email,
++        picture: user.image,
++        sub: user.id?.toString(),
++      }
+ 
+-    // Encode token
+-    const newToken = await jwt.encode({ ...jwt, token })
++      const token = await callbacks.jwt({
++        token: defaultToken,
++        user,
++        // @ts-expect-error
++        account,
++        isNewUser: false,
++        trigger: "signIn",
++      })
+ 
+-    // Set cookie expiry date
+-    const cookieExpires = new Date()
+-    cookieExpires.setTime(cookieExpires.getTime() + sessionMaxAge * 1000)
++      // Encode token
++      const newToken = await jwt.encode({ ...jwt, token })
+ 
+-    const sessionCookies = sessionStore.chunk(newToken, {
+-      expires: cookieExpires,
+-    })
++      // Set cookie expiry date
++      const cookieExpires = new Date()
++      cookieExpires.setTime(cookieExpires.getTime() + sessionMaxAge * 1000)
+ 
+-    cookies.push(...sessionCookies)
++      const sessionCookies = sessionStore.chunk(newToken, {
++        expires: cookieExpires,
++      })
+ 
++      cookies.push(...sessionCookies)
++    } else {
++      if (!adapter) {
++        throw new Error("Missing adapter")
++      }
++
++      const session = await adapter.createSession({
++        sessionToken: await options.session.generateSessionToken(),
++        userId: user.id,
++        expires: fromDate(options.session.maxAge),
++      })
++
++      cookies.push({
++        name: options.cookies.sessionToken.name,
++        value: (session as AdapterSession).sessionToken,
++        options: {
++          ...options.cookies.sessionToken.options,
++          expires: (session as AdapterSession).expires,
++        },
++      })
++    }
++
+     // @ts-expect-error
+     await events.signIn?.({ user, account })
+ 

pnpm-lock.yaml

@@ -25,7 +25,7 @@ overrides:
 
 patchedDependencies:
   next-auth@4.24.13:
-    hash: 7ac5717a8d7d2049442182b5d83ab492d33fe774ff51ff5ea3884628b77df87b
+    hash: 6b21102fce2caaca35f5e4e93ea07a0b4ff486cbf3d3b09a4173ad45977d5798
     path: patches/next-auth@4.24.13.patch
 
 importers:
@@ -183,6 +183,9 @@ importers:
       '@lexical/table':
         specifier: 0.41.0
         version: 0.41.0
+      '@next-auth/prisma-adapter':
+        specifier: 1.0.7
+        version: 1.0.7(@prisma/client@6.19.2(prisma@7.4.2(@types/react@19.2.14)(magicast@0.3.5)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@5.9.3))(typescript@5.9.3))(next-auth@4.24.13(patch_hash=6b21102fce2caaca35f5e4e93ea07a0b4ff486cbf3d3b09a4173ad45977d5798)(next@16.1.7(@opentelemetry/api@1.9.0)(@playwright/test@1.58.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(nodemailer@8.0.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))
       '@opentelemetry/auto-instrumentations-node':
         specifier: 0.71.0
         version: 0.71.0(@opentelemetry/api@1.9.0)(@opentelemetry/core@2.6.0(@opentelemetry/api@1.9.0))
@@ -347,7 +350,7 @@ importers:
         version: 16.1.7(@opentelemetry/api@1.9.0)(@playwright/test@1.58.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
       next-auth:
         specifier: 4.24.13
-        version: 4.24.13(patch_hash=7ac5717a8d7d2049442182b5d83ab492d33fe774ff51ff5ea3884628b77df87b)(next@16.1.7(@opentelemetry/api@1.9.0)(@playwright/test@1.58.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(nodemailer@8.0.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
+        version: 4.24.13(patch_hash=6b21102fce2caaca35f5e4e93ea07a0b4ff486cbf3d3b09a4173ad45977d5798)(next@16.1.7(@opentelemetry/api@1.9.0)(@playwright/test@1.58.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(nodemailer@8.0.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
       next-safe-action:
         specifier: 8.1.8
         version: 8.1.8(next@16.1.7(@opentelemetry/api@1.9.0)(@playwright/test@1.58.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
@@ -2348,6 +2351,12 @@ packages:
   '@neoconfetti/react@1.0.0':
     resolution: {integrity: sha512-klcSooChXXOzIm+SE5IISIAn3bYzYfPjbX7D7HoqZL84oAfgREeSg5vSIaSFH+DaGzzvImTyWe1OyrJ67vik4A==}
 
+  '@next-auth/prisma-adapter@1.0.7':
+    resolution: {integrity: sha512-Cdko4KfcmKjsyHFrWwZ//lfLUbcLqlyFqjd/nYE2m3aZ7tjMNUjpks47iw7NTCnXf+5UWz5Ypyt1dSs1EP5QJw==}
+    peerDependencies:
+      '@prisma/client': '>=2.26.0 || >=3'
+      next-auth: ^4
+
   '@next/env@16.1.7':
     resolution: {integrity: sha512-rJJbIdJB/RQr2F1nylZr/PJzamvNNhfr3brdKP6s/GW850jbtR70QlSfFselvIBbcPUOlQwBakexjFzqLzF6pg==}
 
@@ -13200,6 +13209,11 @@ snapshots:
 
   '@neoconfetti/react@1.0.0': {}
 
+  '@next-auth/prisma-adapter@1.0.7(@prisma/client@6.19.2(prisma@7.4.2(@types/react@19.2.14)(magicast@0.3.5)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@5.9.3))(typescript@5.9.3))(next-auth@4.24.13(patch_hash=6b21102fce2caaca35f5e4e93ea07a0b4ff486cbf3d3b09a4173ad45977d5798)(next@16.1.7(@opentelemetry/api@1.9.0)(@playwright/test@1.58.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(nodemailer@8.0.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))':
+    dependencies:
+      '@prisma/client': 6.19.2(prisma@7.4.2(@types/react@19.2.14)(magicast@0.3.5)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@5.9.3))(typescript@5.9.3)
+      next-auth: 4.24.13(patch_hash=6b21102fce2caaca35f5e4e93ea07a0b4ff486cbf3d3b09a4173ad45977d5798)(next@16.1.7(@opentelemetry/api@1.9.0)(@playwright/test@1.58.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(nodemailer@8.0.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
+
   '@next/env@16.1.7': {}
 
   '@next/eslint-plugin-next@15.5.12':
@@ -17136,10 +17150,10 @@ snapshots:
       '@typescript-eslint/eslint-plugin': 7.18.0(@typescript-eslint/parser@7.18.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1)(typescript@5.9.3)
       '@typescript-eslint/parser': 7.18.0(eslint@8.57.1)(typescript@5.9.3)
       eslint-config-prettier: 9.1.2(eslint@8.57.1)
-      eslint-import-resolver-alias: 1.1.2(eslint-plugin-import@2.32.0)
-      eslint-import-resolver-typescript: 3.10.1(eslint-plugin-import@2.32.0)(eslint@8.57.1)
+      eslint-import-resolver-alias: 1.1.2(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1))
+      eslint-import-resolver-typescript: 3.10.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1))(eslint@8.57.1)
       eslint-plugin-eslint-comments: 3.2.0(eslint@8.57.1)
-      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@7.18.0(eslint@8.57.1)(typescript@5.9.3))(eslint-import-resolver-typescript@3.10.1)(eslint@8.57.1)
+      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@7.18.0(eslint@8.57.1)(typescript@5.9.3))(eslint-import-resolver-typescript@3.10.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1))(eslint@8.57.1))(eslint@8.57.1)
       eslint-plugin-jest: 27.9.0(@typescript-eslint/eslint-plugin@8.57.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1)(typescript@5.9.3)
       eslint-plugin-jsx-a11y: 6.10.2(eslint@8.57.1)
       eslint-plugin-playwright: 1.8.3(eslint-plugin-jest@27.9.0(@typescript-eslint/eslint-plugin@7.18.0(@typescript-eslint/parser@7.18.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1)
@@ -18564,8 +18578,8 @@ snapshots:
       '@typescript-eslint/parser': 8.57.0(eslint@8.57.1)(typescript@5.9.3)
       eslint: 8.57.1
       eslint-import-resolver-node: 0.3.9
-      eslint-import-resolver-typescript: 3.10.1(eslint-plugin-import@2.32.0)(eslint@8.57.1)
-      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1)
+      eslint-import-resolver-typescript: 3.10.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1))(eslint@8.57.1)
+      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint-import-resolver-typescript@3.10.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1))(eslint@8.57.1))(eslint@8.57.1)
       eslint-plugin-jsx-a11y: 6.10.2(eslint@8.57.1)
       eslint-plugin-react: 7.37.5(eslint@8.57.1)
       eslint-plugin-react-hooks: 5.2.0(eslint@8.57.1)
@@ -18590,9 +18604,9 @@ snapshots:
       eslint-plugin-turbo: 2.8.16(eslint@8.57.1)(turbo@2.8.16)
       turbo: 2.8.16
 
-  eslint-import-resolver-alias@1.1.2(eslint-plugin-import@2.32.0):
+  eslint-import-resolver-alias@1.1.2(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1)):
     dependencies:
-      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1)
+      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint-import-resolver-typescript@3.10.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1))(eslint@8.57.1))(eslint@8.57.1)
 
   eslint-import-resolver-node@0.3.9:
     dependencies:
@@ -18602,7 +18616,7 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  eslint-import-resolver-typescript@3.10.1(eslint-plugin-import@2.32.0)(eslint@8.57.1):
+  eslint-import-resolver-typescript@3.10.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1))(eslint@8.57.1):
     dependencies:
       '@nolyfill/is-core-module': 1.0.39
       debug: 4.4.3
@@ -18613,29 +18627,29 @@ snapshots:
       tinyglobby: 0.2.15
       unrs-resolver: 1.11.1
     optionalDependencies:
-      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1)
+      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint-import-resolver-typescript@3.10.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1))(eslint@8.57.1))(eslint@8.57.1)
     transitivePeerDependencies:
       - supports-color
 
-  eslint-module-utils@2.12.1(@typescript-eslint/parser@7.18.0(eslint@8.57.1)(typescript@5.9.3))(eslint-import-resolver-node@0.3.9)(eslint-import-resolver-typescript@3.10.1)(eslint@8.57.1):
+  eslint-module-utils@2.12.1(@typescript-eslint/parser@7.18.0(eslint@8.57.1)(typescript@5.9.3))(eslint-import-resolver-node@0.3.9)(eslint-import-resolver-typescript@3.10.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1))(eslint@8.57.1))(eslint@8.57.1):
     dependencies:
       debug: 3.2.7
     optionalDependencies:
       '@typescript-eslint/parser': 7.18.0(eslint@8.57.1)(typescript@5.9.3)
       eslint: 8.57.1
       eslint-import-resolver-node: 0.3.9
-      eslint-import-resolver-typescript: 3.10.1(eslint-plugin-import@2.32.0)(eslint@8.57.1)
+      eslint-import-resolver-typescript: 3.10.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1))(eslint@8.57.1)
     transitivePeerDependencies:
       - supports-color
 
-  eslint-module-utils@2.12.1(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint-import-resolver-node@0.3.9)(eslint-import-resolver-typescript@3.10.1)(eslint@8.57.1):
+  eslint-module-utils@2.12.1(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint-import-resolver-node@0.3.9)(eslint-import-resolver-typescript@3.10.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1))(eslint@8.57.1))(eslint@8.57.1):
     dependencies:
       debug: 3.2.7
     optionalDependencies:
       '@typescript-eslint/parser': 8.57.0(eslint@8.57.1)(typescript@5.9.3)
       eslint: 8.57.1
       eslint-import-resolver-node: 0.3.9
-      eslint-import-resolver-typescript: 3.10.1(eslint-plugin-import@2.32.0)(eslint@8.57.1)
+      eslint-import-resolver-typescript: 3.10.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1))(eslint@8.57.1)
     transitivePeerDependencies:
       - supports-color
 
@@ -18645,7 +18659,7 @@ snapshots:
       eslint: 8.57.1
       ignore: 5.3.2
 
-  eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@8.57.1)(typescript@5.9.3))(eslint-import-resolver-typescript@3.10.1)(eslint@8.57.1):
+  eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@8.57.1)(typescript@5.9.3))(eslint-import-resolver-typescript@3.10.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1))(eslint@8.57.1))(eslint@8.57.1):
     dependencies:
       '@rtsao/scc': 1.1.0
       array-includes: 3.1.9
@@ -18656,7 +18670,7 @@ snapshots:
       doctrine: 2.1.0
       eslint: 8.57.1
       eslint-import-resolver-node: 0.3.9
-      eslint-module-utils: 2.12.1(@typescript-eslint/parser@7.18.0(eslint@8.57.1)(typescript@5.9.3))(eslint-import-resolver-node@0.3.9)(eslint-import-resolver-typescript@3.10.1)(eslint@8.57.1)
+      eslint-module-utils: 2.12.1(@typescript-eslint/parser@7.18.0(eslint@8.57.1)(typescript@5.9.3))(eslint-import-resolver-node@0.3.9)(eslint-import-resolver-typescript@3.10.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1))(eslint@8.57.1))(eslint@8.57.1)
       hasown: 2.0.2
       is-core-module: 2.16.1
       is-glob: 4.0.3
@@ -18674,7 +18688,7 @@ snapshots:
       - eslint-import-resolver-webpack
       - supports-color
 
-  eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1):
+  eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint-import-resolver-typescript@3.10.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1))(eslint@8.57.1))(eslint@8.57.1):
     dependencies:
       '@rtsao/scc': 1.1.0
       array-includes: 3.1.9
@@ -18685,7 +18699,7 @@ snapshots:
       doctrine: 2.1.0
       eslint: 8.57.1
       eslint-import-resolver-node: 0.3.9
-      eslint-module-utils: 2.12.1(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint-import-resolver-node@0.3.9)(eslint-import-resolver-typescript@3.10.1)(eslint@8.57.1)
+      eslint-module-utils: 2.12.1(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint-import-resolver-node@0.3.9)(eslint-import-resolver-typescript@3.10.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.57.0(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1))(eslint@8.57.1))(eslint@8.57.1)
       hasown: 2.0.2
       is-core-module: 2.16.1
       is-glob: 4.0.3
@@ -20417,7 +20431,7 @@ snapshots:
 
   neo-async@2.6.2: {}
 
-  next-auth@4.24.13(patch_hash=7ac5717a8d7d2049442182b5d83ab492d33fe774ff51ff5ea3884628b77df87b)(next@16.1.7(@opentelemetry/api@1.9.0)(@playwright/test@1.58.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(nodemailer@8.0.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4):
+  next-auth@4.24.13(patch_hash=6b21102fce2caaca35f5e4e93ea07a0b4ff486cbf3d3b09a4173ad45977d5798)(next@16.1.7(@opentelemetry/api@1.9.0)(@playwright/test@1.58.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(nodemailer@8.0.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4):
     dependencies:
       '@babel/runtime': 7.28.4
       '@panva/hkdf': 1.2.1

turbo.json

@@ -141,6 +141,7 @@
         "BREVO_API_KEY",
         "BREVO_LIST_ID",
         "CRON_SECRET",
+        "DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS",
         "DATABASE_URL",
         "DEBUG",
         "E2E_TESTING",
@@ -233,6 +234,7 @@
         "TURNSTILE_SITE_KEY",
         "RECAPTCHA_SITE_KEY",
         "RECAPTCHA_SECRET_KEY",
+        "TELEMETRY_DISABLED",
         "TERMS_URL",
         "VERCEL",
         "VERCEL_URL",