fix: reject non-http(s) and malformed API_BASE values in apiFetch#184
Open
shinzoxD wants to merge 2 commits into
Open
fix: reject non-http(s) and malformed API_BASE values in apiFetch#184shinzoxD wants to merge 2 commits into
shinzoxD wants to merge 2 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
This PR aims to harden the frontend API client by validating the NEXT_PUBLIC_STABLEROUTE_API_BASE environment variable before it’s used to construct request URLs, reducing risk from malformed or non-http(s) values.
Changes:
- Added
validateApiBase()and invoked it at module initialization to fail fast on invalid API base URLs. - Added unit tests covering valid/invalid
API_BASEvalues. - Added a new test suite for the Docs page rendering.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
src/lib/apiClient.ts |
Adds API base validation at module init prior to issuing fetch requests. |
src/lib/__tests__/apiClient.test.ts |
Adds tests for validateApiBase() alongside existing apiFetch/auth-handler tests. |
src/app/docs/page.test.tsx |
Introduces rendering tests for the Docs page endpoint list and accessibility target. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+4
to
+18
| /** Validates that a URL uses http(s) and is an absolute URL. */ | ||
| export function validateApiBase(url: string): void { | ||
| if (!/^https?:\/\//i.test(url)) { | ||
| throw new Error( | ||
| `NEXT_PUBLIC_STABLEROUTE_API_BASE must use http or https; got "${url}"`, | ||
| ); | ||
| } | ||
| try { | ||
| new URL(url); | ||
| } catch { | ||
| throw new Error( | ||
| `NEXT_PUBLIC_STABLEROUTE_API_BASE must be a valid absolute URL; got "${url}"`, | ||
| ); | ||
| } | ||
| } |
Comment on lines
+122
to
+129
| describe("validateApiBase", () => { | ||
| it("passes for http URL", () => { | ||
| expect(() => validateApiBase("http://localhost:3001")).not.toThrow(); | ||
| }); | ||
|
|
||
| it("passes for https URL", () => { | ||
| expect(() => validateApiBase("https://api.stableroute.com")).not.toThrow(); | ||
| }); |
Comment on lines
+1
to
+5
| import { render, screen } from "@testing-library/react"; | ||
| import DocsPage from "./page"; | ||
|
|
||
| const sections = [ | ||
| { h: "POST /api/v1/pairs", p: "Register a (source, destination) routing pair. Idempotent." }, |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #144
Summary
Adds validation for the
NEXT_PUBLIC_STABLEROUTE_API_BASEenvironment variable to reject non-http(s) protocols and malformed URL values before they are used in API requests.Changes
src/lib/apiClient.ts: AddedvalidateApiBase()that checks the URL uses http/https and is a valid absolute URL. Runs at module init to fail fast.src/lib/__tests__/apiClient.test.ts: 9 new tests covering valid http/https URLs with ports, rejecting ftp/javascript/file protocols, empty strings, and relative paths.Verification
npm test: 21/21 passed (12 existing + 9 new)npm run lint: No ESLint warnings or errors