Validate stored profile links #101

Merged
ohong merged 1 commit into main from codex/profile-link-validation
May 1, 2026
ohong (Owner) commented Apr 30, 2026

Summary

  • normalize profile links in PATCH /api/users/me before storing
  • allow http/https links and explicit clears
  • reject malformed or unsafe schemes before public profile rendering

Verification

  • bunx vitest run --pool=threads tests/api/profile.test.ts
  • bun run --cwd apps/web typecheck
  • bun run --cwd apps/web lint
  • pre-push full build/test suite

Summary by CodeRabbit

  • New Features

    • Added profile link validation. Links must be valid HTTP/HTTPS URLs, whitespace is automatically trimmed, invalid entries are rejected with error messages, and blank inputs clear the link.
  • Tests

    • Enhanced profile update tests to cover link validation scenarios including URL format validation and edge cases.

@ohong ohong added the codex label Apr 30, 2026
vercel Bot commented Apr 30, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
straude | Ready | Preview, Comment | Apr 30, 2026 5:04pm

coderabbitai Bot commented Apr 30, 2026

Walkthrough

Introduces link validation logic for the user profile update endpoint (PATCH /api/users/me), enforcing HTTP/HTTPS URL format requirements with normalization and trimming. Includes comprehensive test coverage for valid URLs, null inputs, blank values, and malformed links.

Changes

Cohort / File(s) | Summary
Profile Link Validation - Implementation (apps/web/app/api/users/me/route.ts) | Adds URL validation logic for profile updates: trims input, allows null values, validates http/https scheme, and returns 400 error responses on validation failure.
Profile Link Validation - Tests (apps/web/__tests__/api/profile.test.ts) | Extends PATCH /api/users/me tests to verify link validation behavior: URL trimming, acceptance of valid HTTP(S) URLs, null/blank clearing, and rejection of unsafe/malformed links with appropriate error responses.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Endpoint as API Handler
    participant Validator as Link Validator
    participant Database
    
    Client->>Endpoint: PATCH /api/users/me<br/>(with link field)
    Endpoint->>Validator: Validate & normalize link
    
    alt Valid URL or null
        Validator->>Validator: Trim input
        Validator-->>Endpoint: Return normalized link
        Endpoint->>Database: Update profile with link
        Database-->>Endpoint: Success
        Endpoint-->>Client: 200 OK
    else Invalid/Malformed URL
        Validator-->>Endpoint: Validation error
        Endpoint-->>Client: 400 Bad Request<br/>(error message)
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Whiskers twitch with validation glee,
URLs are trimmed with utmost care,
HTTP schemes keep profiles safe and fair,
Link validation hops along with flair,
This rabbit approves—our profiles are rare! 🐇✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title 'Validate stored profile links' accurately summarizes the main change: adding validation for profile links in the PATCH endpoint before storage, which is the primary objective of this PR.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
apps/web/app/api/users/me/route.ts (1)

28-49: ⚡ Quick win

Consolidate URL validation policy into a shared helper.

This logic overlaps with apps/web/app/api/company-suggestions/route.ts:6-17; centralizing URL validation would reduce drift between endpoints and keep protocol/format rules consistent.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@apps/web/app/api/users/me/route.ts` around lines 28 - 49, The URL validation
in normalizeProfileLink duplicates logic used elsewhere; extract the validation
into a shared helper (e.g., create a new function validateHttpUrl or
normalizeUrl in a common utilities module) and replace normalizeProfileLink's
internal validation with a call to that helper, then update the other duplicate
site (the logic in apps/web/app/api/company-suggestions/route.ts) to use the
same helper; ensure the helper returns the normalized string or null and
preserves the same error messages/behavior for non-string, empty, invalid, and
non-http(s) protocols so callers like normalizeProfileLink can simply delegate.

ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between 030b41c and d8f43f8.

📒 Files selected for processing (2)
  • apps/web/__tests__/api/profile.test.ts
  • apps/web/app/api/users/me/route.ts

ohong (Owner, Author) commented May 1, 2026

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

@ohong ohong merged commit b934b16 into main May 1, 2026
6 checks passed
ohong (Owner, Author) commented May 1, 2026

Merged. Adds server-side normalizeProfileLink to PATCH /api/users/me: trims whitespace, accepts null/empty as a clear, and rejects anything other than http(s) URLs (so javascript:/data: payloads can't land in users.link and get rendered as an <a href> on profile pages). New unit coverage for accept, clear, and reject paths.
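
The behaviour described in this thread (trim, clear on null/blank, http/https allowlist), written as a shared helper of the kind the review nitpick suggests. This is an added example, not the project's normalizeProfileLink; the names normalizeLink and LinkResult, the error strings, and the choice to store the parser's serialized href are assumptions.

```typescript
// Added example: names, error strings and storing url.href are assumptions.
type LinkResult =
  | { ok: true; value: string | null } // null = clear the stored link
  | { ok: false; error: string };      // caller maps this to a 400 response

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function normalizeLink(input: unknown): LinkResult {
  if (input === null) return { ok: true, value: null };
  if (typeof input !== "string") return { ok: false, error: "link must be a string or null" };
  const trimmed = input.trim();
  if (trimmed === "") return { ok: true, value: null };

  let url: URL;
  try {
    // No base URL: relative or scheme-less input throws instead of resolving.
    url = new URL(trimmed);
  } catch {
    return { ok: false, error: "link is not a valid URL" };
  }
  // Check the parsed protocol, not a string prefix: the parser lowercases the
  // scheme and strips embedded tabs/newlines, as a browser does when reading href.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, error: "link must use http or https" };
  }
  // Persist the serialized form so the stored value is the one that was checked.
  return { ok: true, value: url.href };
}

// Constructed sample inputs, not taken from the project's test suite.
const CONSTRUCTED_SAMPLES: unknown[] = [
  "  https://example.com/me  ", "HTTP://Example.com", null, "   ",
  "javascript:void(0)", "JaVa\tScRiPt:void(0)", "data:text/html,hi",
  "example.com/me", "//example.com", 42,
];

function describeSamples(): string[] {
  return CONSTRUCTED_SAMPLES.map((s) => {
    const r = normalizeLink(s);
    const outcome = r.ok ? `store ${JSON.stringify(r.value)}` : `400 ${r.error}`;
    return `${JSON.stringify(s)} -> ${outcome}`;
  });
}

console.log(describeSamples().join("\n"));
```

Validation on write does not cover rows stored before the check existed, so the render path still needs the same allowlist or a one-off cleanup of existing values.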
