Skip to content

fix: reject non-http(s) and malformed API_BASE values in apiFetch#184

Open
shinzoxD wants to merge 2 commits into
StableRoute-Org:mainfrom
shinzoxD:security/api-base-url-validation
Open

fix: reject non-http(s) and malformed API_BASE values in apiFetch#184
shinzoxD wants to merge 2 commits into
StableRoute-Org:mainfrom
shinzoxD:security/api-base-url-validation

Conversation

@shinzoxD

@shinzoxD shinzoxD commented Jul 8, 2026

Copy link
Copy Markdown

Closes #144

Summary

Adds validation for the NEXT_PUBLIC_STABLEROUTE_API_BASE environment variable to reject non-http(s) protocols and malformed URL values before they are used in API requests.

Changes

  • src/lib/apiClient.ts: Added validateApiBase() that checks the URL uses http/https and is a valid absolute URL. Runs at module init to fail fast.
  • src/lib/__tests__/apiClient.test.ts: 9 new tests covering valid http/https URLs with ports, rejecting ftp/javascript/file protocols, empty strings, and relative paths.

Verification

  • npm test: 21/21 passed (12 existing + 9 new)
  • npm run lint: No ESLint warnings or errors

Copilot AI review requested due to automatic review settings July 8, 2026 12:12

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aims to harden the frontend API client by validating the NEXT_PUBLIC_STABLEROUTE_API_BASE environment variable before it’s used to construct request URLs, reducing risk from malformed or non-http(s) values.

Changes:

  • Added validateApiBase() and invoked it at module initialization to fail fast on invalid API base URLs.
  • Added unit tests covering valid/invalid API_BASE values.
  • Added a new test suite for the Docs page rendering.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
src/lib/apiClient.ts Adds API base validation at module init prior to issuing fetch requests.
src/lib/__tests__/apiClient.test.ts Adds tests for validateApiBase() alongside existing apiFetch/auth-handler tests.
src/app/docs/page.test.tsx Introduces rendering tests for the Docs page endpoint list and accessibility target.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/lib/apiClient.ts
Comment on lines +4 to +18
/** Validates that a URL uses http(s) and is an absolute URL. */
export function validateApiBase(url: string): void {
if (!/^https?:\/\//i.test(url)) {
throw new Error(
`NEXT_PUBLIC_STABLEROUTE_API_BASE must use http or https; got "${url}"`,
);
}
try {
new URL(url);
} catch {
throw new Error(
`NEXT_PUBLIC_STABLEROUTE_API_BASE must be a valid absolute URL; got "${url}"`,
);
}
}
Comment on lines +122 to +129
describe("validateApiBase", () => {
it("passes for http URL", () => {
expect(() => validateApiBase("http://localhost:3001")).not.toThrow();
});

it("passes for https URL", () => {
expect(() => validateApiBase("https://api.stableroute.com")).not.toThrow();
});
Comment on lines +1 to +5
import { render, screen } from "@testing-library/react";
import DocsPage from "./page";

const sections = [
{ h: "POST /api/v1/pairs", p: "Register a (source, destination) routing pair. Idempotent." },
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Reject non-http(s) and cross-origin API base values inside apiFetch

2 participants