Update URL validation regex to support Basic Auth

[samadalishah]

Description

The current destination type webhook's URL validation regex is slightly too strict. While it works great for standard domains, it currently fails to validate URLs that include embedded Basic Auth credentials (e.g., username:password@)

Since these are standard URL formats (especially for webhooks and API endpoints), the validation should ideally be relaxed to allow them.

Current Regex

Code snippet

^https?:\\/\\/[\\w\\-]+(?:\\.[\\w\\-]+)*(?::\\d{1,5})?(?:\\/[\\w\\-\\/\\.~:%?#\\[\\]@!$&'\\(\\)*+,;=]*)?$

Failing Examples (Valid URLs that are currently blocked)
Basic Auth: https://username:password@api.example.com

Proposed Solution

I suggest relaxing the regex to explicitly allow the optional auth segment before the domain

Handles auth and safely captures any complex token in the query/path:

Code snippet

^https?:\\/\\/(?:[^@\\/\\s]+@)?[\\w\\-]+(?:\\.[\\w\\-]+)*(?::\\d{1,5})?(?:\\/\\S*)?\$

Question for the Maintainers

Is there a specific reason for the strict regex? I wanted to make sure loosening the query/auth parameters doesn't introduce any unintended side effects for the Outpost. Also, from the documentation, it seems like adding DESTINATIONS_METADATA_PATH should override the destination definition but I tried it locally and it doesn't change it. My intention was to make it simple for my use case and create custom image.
Let me know what you think!

[alexluong]

Hi there, thanks for opening the issue. I don't think there's a particular reason for our RegEx to be "strict". We're not aware of use cases that end user may want to include basic auth as the URL of their webhook. Particularly, we design for the common webhook use case, and in this scenario, the destination wouldn't want to expose their own credentials to the webhook platform. That's the main reason.

As for DESTINATIONS_METADATA_PATH, it should work. Or you can override the RegEx yourself as well. Can you tell me more what you've tried? You can also find us on Slack or start a Discussion to chat more about your specific use case. Happy to chat more and make sure you get the best out of Outpost!

[alexbouchardd]

@samadalishah Webhook destinations also support custom_headers which allows adding arbitrary headers to the request such au Authorization: Basic whatever. Is there a specific reason why you'd rather have the auth in the URL rather then custom headers?

[samadalishah]

@alexluong @alexbouchardd Thanks for getting back!
I already have active customers who have such URLs with basic auth. Actually I am replacing my webhooks app with outpost to get all the features but would also want the migration to have no impact on my customers. For this reason I would want to relax the regex.
But it makes sense! I will start a discussion to see what I am missing related to DESTINATIONS_METADATA_PATH.

[alexbouchardd]

Honestly that seems reasonable to me to relax the regex, it's ultimately the user decision the input basic auth in the URL. Not best practice but it's "on them".

[alexluong]

Hi @samadalishah, this is released in v0.14.0, please check out this upgrade guide before upgrading! Let us know if there's anything else, and thanks for bringing up the issue.

[samadalishah]

@alexluong thanks a lot for releasing the change and notifying me! I have already started using v0.14 🙌