make validation on http more lax

waleedlatif1 · waleedlatif1 · commit dd065850b54d · 2026-02-12T23:50:29.000-08:00
diff --git a/apps/sim/app/api/copilot/checkpoints/revert/route.test.ts b/apps/sim/app/api/copilot/checkpoints/revert/route.test.ts
@@ -18,9 +18,9 @@ describe('Copilot Checkpoints Revert API Route', () => {
     setupCommonApiMocks()
     mockCryptoUuid()
 
-    // Mock getBaseUrl to return localhost for tests
     vi.doMock('@/lib/core/utils/urls', () => ({
       getBaseUrl: vi.fn(() => 'http://localhost:3000'),
+      getInternalApiBaseUrl: vi.fn(() => 'http://localhost:3000'),
       getBaseDomain: vi.fn(() => 'localhost:3000'),
       getEmailDomain: vi.fn(() => 'localhost:3000'),
     }))
diff --git a/apps/sim/app/api/mcp/serve/[serverId]/route.test.ts b/apps/sim/app/api/mcp/serve/[serverId]/route.test.ts
@@ -72,6 +72,7 @@ describe('MCP Serve Route', () => {
     }))
     vi.doMock('@/lib/core/utils/urls', () => ({
       getBaseUrl: () => 'http://localhost:3000',
+      getInternalApiBaseUrl: () => 'http://localhost:3000',
     }))
     vi.doMock('@/lib/core/execution-limits', () => ({
       getMaxExecutionTimeout: () => 10_000,
diff --git a/apps/sim/lib/core/config/env.ts b/apps/sim/lib/core/config/env.ts
@@ -220,7 +220,7 @@ export const env = createEnv({
     SOCKET_SERVER_URL:                     z.string().url().optional(),            // WebSocket server URL for real-time features
     SOCKET_PORT:                           z.number().optional(),                  // Port for WebSocket server
     PORT:                                  z.number().optional(),                  // Main application port
-    INTERNAL_API_BASE_URL:                 z.string().optional(),                  // Optional internal base URL for server-side self-calls (e.g., cluster DNS)
+    INTERNAL_API_BASE_URL:                 z.string().optional(),                  // Optional internal base URL for server-side self-calls; must include protocol if set (e.g., http://sim-app.namespace.svc.cluster.local:3000)
     ALLOWED_ORIGINS:                       z.string().optional(),                  // CORS allowed origins
 
     // OAuth Integration Credentials - All optional, enables third-party integrations
diff --git a/apps/sim/lib/core/utils/urls.ts b/apps/sim/lib/core/utils/urls.ts
@@ -1,8 +1,12 @@
 import { getEnv } from '@/lib/core/config/env'
 import { isProd } from '@/lib/core/config/feature-flags'
 
+function hasHttpProtocol(url: string): boolean {
+  return /^https?:\/\//i.test(url)
+}
+
 function normalizeBaseUrl(url: string): string {
-  if (url.startsWith('http://') || url.startsWith('https://')) {
+  if (hasHttpProtocol(url)) {
     return url
   }
 
@@ -17,7 +21,7 @@ function normalizeBaseUrl(url: string): string {
  * @throws Error if NEXT_PUBLIC_APP_URL is not configured
  */
 export function getBaseUrl(): string {
-  const baseUrl = getEnv('NEXT_PUBLIC_APP_URL')
+  const baseUrl = getEnv('NEXT_PUBLIC_APP_URL')?.trim()
 
   if (!baseUrl) {
     throw new Error(
@@ -38,7 +42,13 @@ export function getInternalApiBaseUrl(): string {
     return getBaseUrl()
   }
 
-  return normalizeBaseUrl(internalBaseUrl)
+  if (!hasHttpProtocol(internalBaseUrl)) {
+    throw new Error(
+      'INTERNAL_API_BASE_URL must include protocol (http:// or https://), e.g. http://sim-app.default.svc.cluster.local:3000'
+    )
+  }
+
+  return internalBaseUrl
 }
 
 /**
diff --git a/helm/sim/values.schema.json b/helm/sim/values.schema.json
@@ -130,7 +130,7 @@
                   "const": ""
                 }
               ],
-              "description": "Optional server-side internal base URL for internal /api self-calls; defaults to NEXT_PUBLIC_APP_URL when unset"
+              "description": "Optional server-side internal base URL for internal /api self-calls (must include http:// or https://); defaults to NEXT_PUBLIC_APP_URL when unset"
             },
             "BETTER_AUTH_URL": {
               "type": "string",
diff --git a/helm/sim/values.yaml b/helm/sim/values.yaml
@@ -70,7 +70,7 @@ app:
     # Application URLs
     NEXT_PUBLIC_APP_URL: "http://localhost:3000"
     BETTER_AUTH_URL: "http://localhost:3000"
-    INTERNAL_API_BASE_URL: ""  # Optional server-side internal base URL for /api self-calls; falls back to NEXT_PUBLIC_APP_URL when empty
+    INTERNAL_API_BASE_URL: ""  # Optional server-side internal base URL for /api self-calls (include http:// or https://); falls back to NEXT_PUBLIC_APP_URL when empty
     # SOCKET_SERVER_URL: Auto-detected when realtime.enabled=true (uses internal service)
     # Only set this if using an external WebSocket service with realtime.enabled=false
     NEXT_PUBLIC_SOCKET_URL: "http://localhost:3002"  # Public WebSocket URL for browsers

Original file line number	Diff line number	Diff line change
`@@ -130,7 +130,7 @@`
`130`	`130`	`"const": ""`
`131`	`131`	`}`
`132`	`132`	`],`
`133`		`- "description": "Optional server-side internal base URL for internal /api self-calls; defaults to NEXT_PUBLIC_APP_URL when unset"`
	`133`	`+ "description": "Optional server-side internal base URL for internal /api self-calls (must include http:// or https://); defaults to NEXT_PUBLIC_APP_URL when unset"`
`134`	`134`	`},`
`135`	`135`	`"BETTER_AUTH_URL": {`
`136`	`136`	`"type": "string",`