
fix: restrict interactive and metadata URLs to HTTP(S) and require in…#336

Merged
0xNgoo merged 1 commit into
0xNgoo:mainfrom
augustine00z:fix/restrict-interactive-metadata-urls-main
Jul 1, 2026

Conversation

@augustine00z

Contributor

Summary
This PR fixes SEP-24 interactive and metadata URL handling by restricting server.interactiveDomain and metadata.tomlUrl to only http: and https: schemes, and by requiring server.interactiveDomain before emitting SEP-24 interactive URLs.
Please provide a brief description of the changes in this PR.

Checklist

  • My code follows the code style of this project.
  • I have added tests for my changes.
  • I have updated the documentation accordingly.
  • I have run bun run test and bun run lint locally.

Issue Reference

Closes #204
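The two behaviours this PR is about, a scheme allow-list for `server.interactiveDomain` / `metadata.tomlUrl` and trailing-slash normalization before building `/deposit/<id>` URLs, as an added example. This is not the project's code; `isHttpUrl`, `normalizeInteractiveDomain` and `buildInteractiveUrl` are hypothetical names standing in for `ValidationUtils.isValidUrl` and the handler logic.

```typescript
// Added example (not the project's code): scheme allow-list and trailing-slash
// normalization for SEP-24 interactive/metadata URLs. Function names are
// hypothetical; they mirror what ValidationUtils.isValidUrl is meant to enforce.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Accept only absolute http(s) URLs. A check like "contains ://" would also let
// javascript:, data:, file: or ftp: values through to wallets that open them.
function isHttpUrl(value: string): boolean {
  let parsed: URL;
  try {
    parsed = new URL(value);
  } catch {
    return false; // relative path or malformed input
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) && parsed.hostname.length > 0;
}

// Strip trailing slashes so "https://anchor.example/" + "/deposit/<id>" does not
// become "https://anchor.example//deposit/<id>". Returns null when the value is
// missing or not http(s); the caller should treat that as server_misconfigured
// instead of falling back to a localhost default.
function normalizeInteractiveDomain(value: string | undefined): string | null {
  if (!value || !isHttpUrl(value)) return null;
  return value.replace(/\/+$/, '');
}

// Build the SEP-24 interactive URL, or null if the domain is unusable.
function buildInteractiveUrl(domain: string | undefined, txId: string): string | null {
  const base = normalizeInteractiveDomain(domain);
  if (base === null) return null;
  return `${base}/deposit/${encodeURIComponent(txId)}`;
}
```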

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request ensures that server.interactiveDomain is configured for interactive deposit flows, returning a server_misconfigured error if it is absent. It also refactors URL construction to use this domain and updates ValidationUtils.isValidUrl to only accept http: and https: protocols. The review feedback suggests normalizing interactiveDomain by stripping trailing slashes to prevent double slashes in the generated interactive_url and more_info_url endpoints.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment on lines +499 to +506
const serverConfig = this.config.get('server');
if (!serverConfig.interactiveDomain) {
sendJson(res, 500, {
error: 'server_misconfigured',
message: 'server.interactiveDomain must be configured for interactive flows',
});
return;
}
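Review bot: the check at lines 499 to 506 only tests that server.interactiveDomain is set, so a value with a non-http(s) scheme or a trailing slash still flows into the URLs built below; since the PR restricts interactiveDomain to http: and https:, consider enforcing that once at config load (refusing to start) instead of a per-request 500, so a misconfigured deployment never serves deposit requests at all. The 500 message also echoes the config key name to the client; a generic message plus a server-side log entry would be sufficient.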


medium

If server.interactiveDomain is configured with a trailing slash (e.g., https://example.com/), appending /deposit/... directly will result in double slashes (e.g., https://example.com//deposit/...).

It is safer to strip any trailing slashes from interactiveDomain before constructing the URLs. We can define a normalized interactiveDomain variable here and reuse it.

Suggested change
const serverConfig = this.config.get('server');
if (!serverConfig.interactiveDomain) {
sendJson(res, 500, {
error: 'server_misconfigured',
message: 'server.interactiveDomain must be configured for interactive flows',
});
return;
}
const serverConfig = this.config.get('server');
if (!serverConfig.interactiveDomain) {
sendJson(res, 500, {
error: 'server_misconfigured',
message: 'server.interactiveDomain must be configured for interactive flows',
});
return;
}
const interactiveDomain = serverConfig.interactiveDomain.replace(/\/+$/, '');

asset_issuer: selectedAsset.issuer,
account: created.account,
interactive_url: `${this.config.get('server').interactiveDomain ?? 'http://localhost:3000'}/deposit/${created.id}`,
interactive_url: `${serverConfig.interactiveDomain}/deposit/${created.id}`,
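Review bot: removing the `?? 'http://localhost:3000'` fallback is the important part of this hunk, since that default emitted a plaintext localhost interactive_url to wallets whenever the domain was unset; the replacement line depends on the `serverConfig` local introduced at lines 499 to 506, so confirm both sit in the same handler scope and that no other call site still reads `this.config.get('server').interactiveDomain` with a fallback.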


medium

Use the normalized interactiveDomain variable to avoid potential double slashes in the generated URL.

Suggested change
interactive_url: `${serverConfig.interactiveDomain}/deposit/${created.id}`,
interactive_url: `${interactiveDomain}/deposit/${created.id}`,


Comment on lines 699 to 702
if (serverConfig.interactiveDomain) {
responseData.interactive_url = `${serverConfig.interactiveDomain}/deposit/${transaction.id}`;
responseData.more_info_url = `${serverConfig.interactiveDomain}/deposit/${transaction.id}`;
}
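Review bot: lines 699 to 702 silently omit interactive_url and more_info_url when interactiveDomain is unset, whereas the deposit handler at lines 499 to 506 now fails with server_misconfigured; the two endpoints should agree, otherwise the transaction endpoint keeps returning responses without an interactive URL after the deposit endpoint has already refused the request. Both fields also point at the same `/deposit/<id>` path; if that is intended, a short comment saying so would help the next reader.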


medium

Normalize interactiveDomain by stripping trailing slashes here as well to prevent double slashes in the generated interactive_url and more_info_url.

Suggested change
if (serverConfig.interactiveDomain) {
responseData.interactive_url = `${serverConfig.interactiveDomain}/deposit/${transaction.id}`;
responseData.more_info_url = `${serverConfig.interactiveDomain}/deposit/${transaction.id}`;
}
if (serverConfig.interactiveDomain) {
const interactiveDomain = serverConfig.interactiveDomain.replace(/\/+$/, '');
responseData.interactive_url = `${interactiveDomain}/deposit/${transaction.id}`;
responseData.more_info_url = `${interactiveDomain}/deposit/${transaction.id}`;
}

@0xNgoo 0xNgoo mentioned this pull request Jul 1, 2026
4 tasks
@0xNgoo 0xNgoo merged commit 839d800 into 0xNgoo:main Jul 1, 2026
1 check passed
Successfully merging this pull request may close these issues.

Restrict interactive and metadata URLs to HTTP(S)

2 participants