feat(validators/url): support private-use URI scheme redirect URIs (RFC 8252)#60
Conversation
Adds an opt-in `allowPrivateUseSchemes` flag to the URL validator so it accepts authority-less private-use URI scheme redirect URIs per RFC 8252 §7.1 (reverse-DNS form), e.g. "com.example.app:/oauth". These are valid URIs but PHP's FILTER_VALIDATE_URL requires an authority component and rejects them, blocking OAuth Dynamic Client Registration for native clients (e.g. Raycast). The new flag is the trailing constructor argument so existing positional call sites are unaffected, and defaults to false to preserve behavior. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Greptile SummaryThis PR adds an opt-in
Confidence Score: 5/5Safe to merge; the new flag is off by default and all existing call sites are unaffected. The core validation logic is sound and the test suite is thorough for the path-absolute URI form. The
Important Files Changed
Reviews (3): Last reviewed commit: "chore(validators): conform package to PH..." | Re-trigger Greptile |
Bumping the package to `php: >=8.5` makes the shared rector config's `withPhpSets()` auto-detect 8.5 as the target, activating the 8.1→8.5 rule sets. Applying them (plus pint) modernizes the whole package so the `check` gate passes: `declare(strict_types=1)`, null-to-string arg casts, `array_all`, arrow-fn return types, `#[\Override]`, and parenthesis-less `new X()->method()`. Behavior is unchanged — full suite (135 tests, 878 assertions) stays green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What
Adds an opt-in
allowPrivateUseSchemesflag to theURLvalidator (packages/validators) so it accepts authority-less private-use URI scheme redirect URIs per RFC 8252 §7.1 (reverse-DNS form), e.g.:Why
Appwrite Cloud implements OAuth 2.0 Dynamic Client Registration (RFC 7591). Native/desktop clients (e.g. Raycast) register redirect URIs using private-use URI schemes. These are valid URIs (
scheme:/path, no authority), but PHP'sFILTER_VALIDATE_URLrequires an authority component and rejects them, blocking legitimate client registration.How
public function __construct(..., protected bool $allowPrivateUseSchemes = false). Kept last so existing positional call sites are unaffected.allowPrivateUseSchemesis on, a value is accepted if it passes the existingfilter_varvalidation or it is a private-use URI scheme redirect URI:ctype_*, sinceparse_urldoes not enforce it — e.g. it would accept1com.raycast).http/https.scheme:/pathorscheme:path, plus optional query/fragment) is validated by reusingfilter_varwith a placeholder authority. Thescheme://…authority form is left to the existing logic.allowedSchemes,allowEmpty, andallowFragmentscontinue to apply uniformly, including to private-use URIs.Backward compatibility
Default behavior is unchanged (
allowPrivateUseSchemesdefaults tofalse). All pre-existing tests pass;isValid('http:/example.com')andisValid('example.com')remainfalse.Tests
Added
testAllowPrivateUseSchemesandtestAllowPrivateUseSchemesWithConstraints. Full suite: 135 tests, 878 assertions, green.🤖 Generated with Claude Code