fix: cap MX cache size, deduplicate validateCallbackUrl, add slug duplicate guard

Author: waleedlatif1

apps/sim/app/(auth)/login/login-form.tsx

@@ -106,13 +106,13 @@ export default function LoginPage({
   const buttonClass = useBrandedButtonClass()
 
   const callbackUrlParam = searchParams?.get('callbackUrl')
+  const isValidCallbackUrl = callbackUrlParam ? validateCallbackUrl(callbackUrlParam) : false
   const invalidCallbackRef = useRef(false)
-  if (callbackUrlParam && !validateCallbackUrl(callbackUrlParam) && !invalidCallbackRef.current) {
+  if (callbackUrlParam && !isValidCallbackUrl && !invalidCallbackRef.current) {
     invalidCallbackRef.current = true
     logger.warn('Invalid callback URL detected and blocked:', { url: callbackUrlParam })
   }
-  const callbackUrl =
-    callbackUrlParam && validateCallbackUrl(callbackUrlParam) ? callbackUrlParam : '/workspace'
+  const callbackUrl = isValidCallbackUrl ? callbackUrlParam! : '/workspace'
   const isInviteFlow = searchParams?.get('invite_flow') === 'true'
 
   const [forgotPasswordOpen, setForgotPasswordOpen] = useState(false)

apps/sim/app/(landing)/integrations/[slug]/page.tsx

@@ -18,6 +18,14 @@ const byName = new Map(allIntegrations.map((i) => [i.name, i]))
 const bySlug = new Map(allIntegrations.map((i) => [i.slug, i]))
 const byType = new Map(allIntegrations.map((i) => [i.type, i]))
 
+if (process.env.NODE_ENV === 'development') {
+  const slugsSeen = new Set<string>()
+  for (const i of allIntegrations) {
+    if (slugsSeen.has(i.slug)) throw new Error(`Duplicate integration slug: ${i.slug}`)
+    slugsSeen.add(i.slug)
+  }
+}
+
 /** Returns workflow pairs that feature the given integration on either side. */
 function getPairsFor(name: string) {
   return POPULAR_WORKFLOWS.filter((p) => p.from === name || p.to === name)

apps/sim/lib/messaging/email/validation.ts

@@ -64,6 +64,14 @@ const DISPOSABLE_MX_BACKENDS = new Set(['in.mail.gw', 'smtp.catchmail.io', 'mx.y
 
 /** Per-domain MX result cache — avoids redundant DNS queries for concurrent or repeated sign-ups */
 const mxCache = new Map<string, { result: boolean; expires: number }>()
+const MX_CACHE_MAX = 1_000
+
+function setMxCache(domain: string, entry: { result: boolean; expires: number }) {
+  if (mxCache.size >= MX_CACHE_MAX) {
+    mxCache.delete(mxCache.keys().next().value!)
+  }
+  mxCache.set(domain, entry)
+}
 
 /**
  * Validates email syntax using RFC 5322 compliant regex
@@ -135,10 +143,10 @@ export async function isDisposableMxBackend(email: string): Promise<boolean> {
       }
     )
     const result = await Promise.race([mxCheckPromise, timeoutPromise])
-    mxCache.set(domain, { result: result.isDisposableBackend, expires: now + 5 * 60 * 1000 })
+    setMxCache(domain, { result: result.isDisposableBackend, expires: now + 5 * 60 * 1000 })
     return result.isDisposableBackend
   } catch {
-    mxCache.set(domain, { result: false, expires: now + 60 * 1000 })
+    setMxCache(domain, { result: false, expires: now + 60 * 1000 })
     return false
   } finally {
     clearTimeout(timeoutId)