fix: add validation for supabaseUrl (#1547)

* improve validation for supabaseUrl

* move call

* trim before check

* improve regex + more tests

Author: maxmetcalfe

src/SupabaseClient.ts

@@ -19,7 +19,7 @@ import {
   DEFAULT_REALTIME_OPTIONS,
 } from './lib/constants'
 import { fetchWithAuth } from './lib/fetch'
-import { ensureTrailingSlash, applySettingDefaults } from './lib/helpers'
+import { applySettingDefaults, validateSupabaseUrl } from './lib/helpers'
 import { SupabaseAuthClient } from './lib/SupabaseAuthClient'
 import { Fetch, GenericSchema, SupabaseClientOptions, SupabaseAuthClientOptions } from './lib/types'
 
@@ -101,12 +101,9 @@ export default class SupabaseClient<
     protected supabaseKey: string,
     options?: SupabaseClientOptions<SchemaName>
   ) {
-    if (!supabaseUrl) throw new Error('supabaseUrl is required.')
+    const baseUrl = validateSupabaseUrl(supabaseUrl)
     if (!supabaseKey) throw new Error('supabaseKey is required.')
 
-    const _supabaseUrl = ensureTrailingSlash(supabaseUrl)
-    const baseUrl = new URL(_supabaseUrl)
-
     this.realtimeUrl = new URL('realtime/v1', baseUrl)
     this.realtimeUrl.protocol = this.realtimeUrl.protocol.replace('http', 'ws')
     this.authUrl = new URL('auth/v1', baseUrl)

src/lib/helpers.ts

@@ -71,3 +71,28 @@ export function applySettingDefaults<
 
   return result
 }
+
+/**
+ * Validates a Supabase client URL
+ *
+ * @param {string} supabaseUrl - The Supabase client URL string.
+ * @returns {URL} - The validated base URL.
+ * @throws {Error}
+ */
+export function validateSupabaseUrl(supabaseUrl: string): URL {
+  const trimmedUrl = supabaseUrl?.trim()
+
+  if (!trimmedUrl) {
+    throw new Error('supabaseUrl is required.')
+  }
+
+  if (!trimmedUrl.match(/^https?:\/\//i)) {
+    throw new Error('Invalid supabaseUrl: Must be a valid HTTP or HTTPS URL.')
+  }
+
+  try {
+    return new URL(ensureTrailingSlash(trimmedUrl))
+  } catch {
+    throw Error('Invalid supabaseUrl: Provided URL is malformed.')
+  }
+}

test/unit/SupabaseClient.test.ts

@@ -29,6 +29,23 @@ describe('SupabaseClient', () => {
     expect(() => createClient(URL, '')).toThrow('supabaseKey is required.')
   })
 
+  test('should validate supabaseUrl', () => {
+    expect(() => createClient('https://xyz123.supabase.co', KEY)).not.toThrow()
+    expect(() => createClient('http://localhost:54321', KEY)).not.toThrow()
+    expect(() => createClient('http://[invalid', KEY)).toThrow(
+      'Invalid supabaseUrl: Provided URL is malformed.'
+    )
+    expect(() =>
+      createClient('postgresql://postgre:[email protected]:5432/postgres', KEY)
+    ).toThrow('Invalid supabaseUrl: Must be a valid HTTP or HTTPS URL.')
+    expect(() => createClient('http:/localhost:3000', KEY)).toThrow(
+      'Invalid supabaseUrl: Must be a valid HTTP or HTTPS URL.'
+    )
+
+    expect(() => createClient('  https://xyz123.supabase.co  ', KEY)).not.toThrow()
+    expect(() => createClient('http://user:pass@localhost:54321', KEY)).not.toThrow()
+  })
+
   describe('URL Construction', () => {
     test('should construct URLs correctly', () => {
       const client = createClient(URL, KEY)