fix: Validate token type in PagesRouter to prevent type confusion errors

Replace unsafe `.toString()` coercion with strict type check for token
parameters in verifyEmail, resendVerificationEmail, requestResetPassword,
and resetPassword handlers. Non-string tokens are now treated as undefined
instead of attempting coercion which throws on crafted objects.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: mtrezza

spec/PagesRouter.spec.js

@@ -990,6 +990,56 @@ describe('Pages Router', () => {
           await fs.rm(baseDir, { recursive: true, force: true });
         }
       });
+
+      it('rejects non-string token in verifyEmail', async () => {
+        await reconfigureServer(config);
+        const url = `${config.publicServerURL}/apps/test/verify_email?token[toString]=abc`;
+        const response = await request({
+          url: url,
+          followRedirects: false,
+        }).catch(e => e);
+        expect(response.status).not.toBe(500);
+      });
+
+      it('rejects non-string token in requestResetPassword', async () => {
+        await reconfigureServer(config);
+        const url = `${config.publicServerURL}/apps/test/request_password_reset?token[toString]=abc`;
+        const response = await request({
+          url: url,
+          followRedirects: false,
+        }).catch(e => e);
+        expect(response.status).not.toBe(500);
+      });
+
+      it('rejects non-string token in resetPassword via POST', async () => {
+        await reconfigureServer(config);
+        const url = `${config.publicServerURL}/apps/test/request_password_reset`;
+        const response = await request({
+          method: 'POST',
+          url: url,
+          headers: {
+            'Content-Type': 'application/json',
+          },
+          body: { token: { toString: 'abc' }, new_password: 'newpass123' },
+          followRedirects: false,
+        }).catch(e => e);
+        expect(response.status).not.toBe(500);
+      });
+
+      it('rejects non-string token in resendVerificationEmail via POST', async () => {
+        await reconfigureServer(config);
+        const url = `${config.publicServerURL}/apps/test/resend_verification_email`;
+        const response = await request({
+          method: 'POST',
+          url: url,
+          headers: {
+            'Content-Type': 'application/json',
+          },
+          body: { token: { toString: 'abc' } },
+          followRedirects: false,
+        }).catch(e => e);
+        expect(response.status).not.toBe(500);
+      });
     });
 
     describe('custom route', () => {

src/Routers/PagesRouter.js

@@ -84,7 +84,7 @@ export class PagesRouter extends PromiseRouter {
   verifyEmail(req) {
     const config = req.config;
     const { token: rawToken } = req.query;
-    const token = rawToken && typeof rawToken !== 'string' ? rawToken.toString() : rawToken;
+    const token = typeof rawToken === 'string' ? rawToken : undefined;
 
     if (!config) {
       this.invalidRequest();
@@ -109,7 +109,7 @@ export class PagesRouter extends PromiseRouter {
     const config = req.config;
     const username = req.body?.username;
     const rawToken = req.body?.token;
-    const token = rawToken && typeof rawToken !== 'string' ? rawToken.toString() : rawToken;
+    const token = typeof rawToken === 'string' ? rawToken : undefined;
 
     if (!config) {
       this.invalidRequest();
@@ -151,7 +151,7 @@ export class PagesRouter extends PromiseRouter {
     }
 
     const { token: rawToken } = req.query;
-    const token = rawToken && typeof rawToken !== 'string' ? rawToken.toString() : rawToken;
+    const token = typeof rawToken === 'string' ? rawToken : undefined;
 
     if (!token) {
       return this.goToPage(req, pages.passwordResetLinkInvalid);
@@ -180,7 +180,7 @@ export class PagesRouter extends PromiseRouter {
     }
 
     const { new_password, token: rawToken } = req.body || {};
-    const token = rawToken && typeof rawToken !== 'string' ? rawToken.toString() : rawToken;
+    const token = typeof rawToken === 'string' ? rawToken : undefined;
 
     if ((!token || !new_password) && req.xhr === false) {
       return this.goToPage(req, pages.passwordResetLinkInvalid);