fix(core): add callback protocol validation

GaloyMoney · Nov 11, 2023 · ce4f57c · ce4f57c
1 parent c7bbeea
commit ce4f57c
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/core/api/src/graphql/public/types/scalar/endpoint-url.ts b/core/api/src/graphql/public/types/scalar/endpoint-url.ts
@@ -22,7 +22,10 @@ const EndpointUrl = GT.Scalar({
 
 function validUrlValue(value: string) {
   try {
-    new URL(value)
+    const url = new URL(value)
+    if (url.protocol !== "https:" && url.protocol !== "http:") {
+      return new InputValidationError({ message: "Invalid value for EndpointUrl" })
+    }
     return value
   } catch (error) {
     return new InputValidationError({ message: "Invalid value for EndpointUrl" })

diff --git a/core/api/src/services/svix/index.ts b/core/api/src/services/svix/index.ts
@@ -177,6 +177,8 @@ const handleCommonErrors = (err: Error | string | unknown) => {
   const match = (knownErrDetail: RegExp): boolean => knownErrDetail.test(errMsg)
 
   switch (true) {
+    case match(KnownSvixErrorMessages.InvalidUrlProtocol):
+      return new InvalidUrlError("URL must have a valid protocol")
     case match(KnownSvixErrorMessages.InvalidHttpsUrl):
       return new InvalidUrlError("URL must be https")
 
@@ -186,4 +188,5 @@ const handleCommonErrors = (err: Error | string | unknown) => {
 }
 export const KnownSvixErrorMessages = {
   InvalidHttpsUrl: /endpoint_https_only/,
+  InvalidUrlProtocol: /must be http or https/,
 } as const