Validate stored profile links

[ohong]

Summary

• normalize profile links in PATCH /api/users/me before storing
• allow http/https links and explicit clears
• reject malformed or unsafe schemes before public profile rendering

Verification

• bunx vitest run --pool=threads tests/api/profile.test.ts
• bun run --cwd apps/web typecheck
• bun run --cwd apps/web lint
• pre-push full build/test suite

Summary by CodeRabbit

• New Features

  • Added profile link validation. Links must be valid HTTP/HTTPS URLs, whitespace is automatically trimmed, invalid entries are rejected with error messages, and blank inputs clear the link.

• Tests

  • Enhanced profile update tests to cover link validation scenarios including URL format validation and edge cases.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
straude	Ready	Preview, Comment	Apr 30, 2026 5:04pm

[coderabbitai]

📝 Walkthrough

Walkthrough

Introduces link validation logic for the user profile update endpoint (PATCH /api/users/me), enforcing HTTP/HTTPS URL format requirements with normalization and trimming. Includes comprehensive test coverage for valid URLs, null inputs, blank values, and malformed links.

Changes

Cohort / File(s)	Summary
Profile Link Validation - Implementation apps/web/app/api/users/me/route.ts	Adds URL validation logic for profile updates: trims input, allows null values, validates http/https scheme, and returns 400 error responses on validation failure.
Profile Link Validation - Tests apps/web/__tests__/api/profile.test.ts	Extends PATCH /api/users/me tests to verify link validation behavior: URL trimming, acceptance of valid HTTP(S) URLs, null/blank clearing, and rejection of unsafe/malformed links with appropriate error responses.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Endpoint as API Handler
    participant Validator as Link Validator
    participant Database
    
    Client->>Endpoint: PATCH /api/users/me<br/>(with link field)
    Endpoint->>Validator: Validate & normalize link
    
    alt Valid URL or null
        Validator->>Validator: Trim input
        Validator-->>Endpoint: Return normalized link
        Endpoint->>Database: Update profile with link
        Database-->>Endpoint: Success
        Endpoint-->>Client: 200 OK
    else Invalid/Malformed URL
        Validator-->>Endpoint: Validation error
        Endpoint-->>Client: 400 Bad Request<br/>(error message)
    end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Whiskers twitch with validation glee,
URLs are trimmed with utmost care,
HTTP schemes keep profiles safe and fair,
Link validation hops along with flair,
This rabbit approves—our profiles are rare! 🐇✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Validate stored profile links' accurately summarizes the main change: adding validation for profile links in the PATCH endpoint before storage, which is the primary objective of this PR.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/profile-link-validation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 60 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

apps/web/app/api/users/me/route.ts (1)

28-49: ⚡ Quick win

Consolidate URL validation policy into a shared helper.

This logic overlaps with apps/web/app/api/company-suggestions/route.ts:6-17; centralizing URL validation would reduce drift between endpoints and keep protocol/format rules consistent.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/web/app/api/users/me/route.ts` around lines 28 - 49, The URL validation
in normalizeProfileLink duplicates logic used elsewhere; extract the validation
into a shared helper (e.g., create a new function validateHttpUrl or
normalizeUrl in a common utilities module) and replace normalizeProfileLink's
internal validation with a call to that helper, then update the other duplicate
site (the logic in apps/web/app/api/company-suggestions/route.ts) to use the
same helper; ensure the helper returns the normalized string or null and
preserves the same error messages/behavior for non-string, empty, invalid, and
non-http(s) protocols so callers like normalizeProfileLink can simply delegate.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@apps/web/app/api/users/me/route.ts`:
- Around line 28-49: The URL validation in normalizeProfileLink duplicates logic
used elsewhere; extract the validation into a shared helper (e.g., create a new
function validateHttpUrl or normalizeUrl in a common utilities module) and
replace normalizeProfileLink's internal validation with a call to that helper,
then update the other duplicate site (the logic in
apps/web/app/api/company-suggestions/route.ts) to use the same helper; ensure
the helper returns the normalized string or null and preserves the same error
messages/behavior for non-string, empty, invalid, and non-http(s) protocols so
callers like normalizeProfileLink can simply delegate.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 31c53f40-5b64-4e53-a2f8-510f94804e4c

📥 Commits

Reviewing files that changed from the base of the PR and between 030b41c and d8f43f8.

📒 Files selected for processing (2)

• apps/web/__tests__/api/profile.test.ts
• apps/web/app/api/users/me/route.ts

[ohong]

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

🤖 Generated with Claude Code

_{- If this code review was useful, please react with 👍. Otherwise, react with 👎.}

[ohong]

Merged. Adds server-side normalizeProfileLink to PATCH /api/users/me: trims whitespace, accepts null/empty as a clear, and rejects anything other than http(s) URLs (so javascript:/data: payloads can't land in users.link and get rendered as an <a href> on profile pages). New unit coverage for accept, clear, and reject paths.