
fix: only accept https:// in isLikelyValidUrl to prevent auth tokens being sent over plain HTTP#2911

Open
akhilmodi29 wants to merge 1 commit into ritesh-1918:main from akhilmodi29:fix/supabaseclient-reject-http-protocol

Conversation

akhilmodi29 commented Jun 17, 2026


Summary

Removes http:// acceptance from isLikelyValidUrl in supabaseClient.js
so a misconfigured plain HTTP URL correctly falls back to the safe
disabled client instead of creating a real Supabase connection.

Problem

isLikelyValidUrl accepted both https:// and http://. A misconfigured
VITE_SUPABASE_URL with http:// passed validation and created a real
Supabase client, transmitting auth tokens over plain HTTP.

Fix

Removed || parsed.protocol === 'http:' from the protocol check.
Only https:// is now accepted, matching Supabase's requirement.

Changes

  • Frontend/src/supabaseClient.js — removed http:// from protocol check

Closes #2910

Summary by CodeRabbit

  • Bug Fixes
    • Updated protocol validation to require HTTPS-only URLs. Previously, both HTTP and HTTPS protocols were accepted for configuration. This change enforces stricter validation standards, affecting how the application initializes its client connection based on configuration validity.
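The protocol check this PR describes, written out as an added example rather than the project's own supabaseClient.js: the pre-fix validator that lets http:// through, the narrowed https-only validator, and the fallback from hasValidConfig to a disabled stub client. The names isLikelyValidUrl, hasValidConfig and VITE_SUPABASE_URL follow the PR text; the stub client, the createRealClient stand-in, the sample env objects and the VITE_SUPABASE_ANON_KEY name are assumptions made for this example.

```javascript
// Added example, not the project's code. Function names follow the PR text;
// the stub client, env objects and VITE_SUPABASE_ANON_KEY are assumptions.

// Before the fix: both schemes pass, so an http:// URL builds a real client
// and session tokens would travel over plaintext.
function isLikelyValidUrlBefore(value) {
  try {
    const parsed = new URL(value);
    return parsed.protocol === 'https:' || parsed.protocol === 'http:';
  } catch {
    return false; // not parseable as a URL at all
  }
}

// After the fix: only https: satisfies the check. Using the URL parser rather
// than a string prefix test normalizes scheme case ("HTTPS://" -> "https:")
// and rejects strings that are not URLs at all.
function isLikelyValidUrl(value) {
  if (typeof value !== 'string' || value.length === 0) return false;
  try {
    const parsed = new URL(value);
    return parsed.protocol === 'https:';
  } catch {
    return false;
  }
}

// Stand-in for the real client factory (constructed for this example).
function createRealClient(url, key) {
  return { kind: 'real', url, key };
}

// Disabled stub: safe no-op surface so callers do not crash on bad config.
const disabledClient = {
  kind: 'disabled',
  auth: {
    async getSession() {
      return { data: { session: null }, error: null };
    },
  },
};

// Config is valid only when the URL is https and a non-empty key is present
// (key variable name is an assumption for this example).
function hasValidConfig(env) {
  return (
    isLikelyValidUrl(env.VITE_SUPABASE_URL) &&
    typeof env.VITE_SUPABASE_ANON_KEY === 'string' &&
    env.VITE_SUPABASE_ANON_KEY.length > 0
  );
}

// Mirrors the exported `supabase` constant: real client or the stub.
function buildClient(env) {
  return hasValidConfig(env)
    ? createRealClient(env.VITE_SUPABASE_URL, env.VITE_SUPABASE_ANON_KEY)
    : disabledClient;
}

// Constructed sample configurations (placeholder values, not real projects).
const HTTP_ENV = {
  VITE_SUPABASE_URL: 'http://example-project.supabase.co',
  VITE_SUPABASE_ANON_KEY: 'placeholder-anon-key',
};
const HTTPS_ENV = {
  VITE_SUPABASE_URL: 'https://example-project.supabase.co',
  VITE_SUPABASE_ANON_KEY: 'placeholder-anon-key',
};

console.log('http  config ->', buildClient(HTTP_ENV).kind);   // disabled
console.log('https config ->', buildClient(HTTPS_ENV).kind);  // real
```

The misconfigured http:// URL now lands on the stub rather than a live client, which is the behaviour the PR describes; the pre-fix function is kept beside it only to show what the single removed clause allowed through.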

vercel Bot commented Jun 17, 2026


@akhilmodi29 is attempting to deploy a commit to the ritesh Team on Vercel.

A member of the Team first needs to authorize it.

coderabbitai Bot commented Jun 17, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8eb40fa2-5ab9-4e06-8c23-755e887dc12b

📥 Commits

Reviewing files that changed from the base of the PR and between da8faf2 and 937dcae.

📒 Files selected for processing (1)
  • Frontend/src/lib/supabaseClient.js

Walkthrough

In Frontend/src/lib/supabaseClient.js, the isLikelyValidUrl helper's protocol check is narrowed from accepting both https: and http: to accepting only https:. This makes hasValidConfig false for any http:// URL, causing the exported supabase constant to be the disabled stub client instead of a real Supabase client.

Changes

HTTPS-only URL Validation

Layer: Restrict isLikelyValidUrl to https: protocol
File(s): Frontend/src/lib/supabaseClient.js
Summary: Removes http: from the accepted protocols; only https: URLs now satisfy hasValidConfig, preventing the real Supabase client from being initialized over a plaintext connection.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A bunny hopped by and said, "No plain text today!"
One little colon changed the security way,
http: is banished, sent packing with fright,
Only https: may pass — encrypted, polite.
The tokens are safe, tucked snug out of sight! 🔒

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly and clearly summarizes the main security fix: restricting URL validation to HTTPS only to prevent tokens being sent over HTTP.
Linked Issues check ✅ Passed The pull request directly addresses the security vulnerability in issue #2910 by modifying isLikelyValidUrl to accept only HTTPS protocol, preventing insecure HTTP connections as required.
Out of Scope Changes check ✅ Passed The change is narrowly scoped to the specific vulnerability—only modifying the protocol validation logic in isLikelyValidUrl without introducing unrelated modifications.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



Development

Successfully merging this pull request may close these issues.

Security: supabaseClient accepts http:// protocol potentially transmitting session tokens over plaintext
