Skip to content

Revert 1 claude/webhooks form validation 8xlbql#180

Merged
mikewheeleer merged 3 commits into
Agentpay-Org:mainfrom
Goldy042:revert-1-claude/webhooks-form-validation-8xlbql
Jun 26, 2026
Merged

Revert 1 claude/webhooks form validation 8xlbql#180
mikewheeleer merged 3 commits into
Agentpay-Org:mainfrom
Goldy042:revert-1-claude/webhooks-form-validation-8xlbql

Conversation

@Goldy042

@Goldy042 Goldy042 commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Closes #12

Summary

src/app/webhooks/page.tsx previously accepted any type="url" string and a
free-text comma-separated events field, then posted it directly — no scheme
check, no de-duplication, no guard against an empty event list. This PR adds
client-side validation before the apiPost call and clearer field-level
feedback using the shared TextField component.

  • URL validation: only https:// URLs are accepted. http://,
    javascript:, and other malformed values are rejected with a field-level
    error shown via TextField's error prop (aria-invalid="true", message
    linked through aria-describedby). Native type="url" / required
    attributes are kept — this validation augments them, not replaces them.
  • Events normalisation: trims, drops empties (including whitespace-only
    and trailing-comma artifacts), and de-duplicates while preserving order.
    Submit is blocked with a field error if the normalised list ends up empty.
  • Migrated both inputs in the webhook form to TextField for consistent
    label/description/error/aria wiring.
  • Existing list rendering and per-item Remove button behavior unchanged.
  • Documented accepted URL schemes in README.md.

Test plan

  • npm run lint
  • npm run typecheck
  • npm test — 15/15 passing, 96.2% statement coverage on the changed page
  • npm run build
  • Edge cases: http:// rejected, javascript: rejected, malformed URL rejected, whitespace-only events blocked, empty events blocked, trailing commas dropped, duplicate events collapsed, valid submit posts normalised payload
  • Verified aria-invalid/aria-describedby wiring through TextField

claude and others added 3 commits June 24, 2026 22:24
@claude
feat(webhooks): validate https url and normalise event list before su…
1173803 
…bmit

The webhook registration form accepted any type="url" string and a
free-text comma-separated events field with no validation, so http(s)
URLs, javascript: schemes, and empty/duplicate event lists could be
posted as-is. Validate the URL is https:// and normalise the events
CSV (trim, drop empties, de-duplicate) before calling apiPost, with
field-level errors surfaced through TextField.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016Qm9y5cUE6ZMGicMztgekh
@Goldy042
Merge pull request #1 from Goldy042/claude/webhooks-form-validation-8…
1d107c3 
…xlbql

feat(webhooks): validate https url and normalise event list before submit
@Goldy042
Revert "feat(webhooks): validate https url and normalise event list b…
1e1fd20 
…efore submit"
@mikewheeleer

mikewheeleer commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

solid — in it goes 👍

@mikewheeleer mikewheeleer merged commit d6884d9 into Agentpay-Org:main Jun 26, 2026
1 check failed
@grantfox-oss grantfox-oss Bot mentioned this pull request Jun 26, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Validate and harden the webhook registration form before submit

3 participants

@Goldy042 @mikewheeleer @claude