[NOCSL] Adds extra url validation for android referrers

[stanlp1]

• There is an edge cases where android apps will add a referrer that is not a valid url when opening links in a webview.

Ex: android-app://com.google.android.googlequicksearchbox/

• Transforms this into a "valid" url by replacing "android-app" with "https" to pass our api validation.
• Adds url trimming to limit urls to 2000
• Adds tests

[constructor-claude-bedrock]

Code Review Results

✅ Strengths

Well-tested implementation with comprehensive edge case coverage for Android app referrer transformation.

🚨 Critical Issues

None

⚠️ Important Issues

1. [File: src/utils/helpers.js Line: L52-53] Potential bug with multiple 'android-app' occurrences
The current implementation uses replace() which only replaces the first occurrence. If the URL contains multiple instances of 'android-app' (e.g., in the path), only the first would be replaced.

Suggestion: Use replaceAll() for consistency or be more specific with the replacement:

if (url?.startsWith('android-app')) {
  url = url.replace(/^android-app/, 'https');
}

2. [File: src/utils/helpers.js Line: L52-54] Mutation of function parameter
The function parameter url is being reassigned directly, which can be confusing since parameters appear immutable but aren't.

Suggestion: Use a new variable:

cleanAndValidateUrl: (url, baseUrl = undefined) => {
  let validatedUrl = null;

  try {
    let processedUrl = url;
    // Handle android app referrers
    if (processedUrl?.startsWith('android-app')) {
      processedUrl = processedUrl?.replace('android-app', 'https');
    }

    validatedUrl = (new URL(processedUrl, baseUrl)).toString();
  } catch (e) {
    // do nothing
  }

  return validatedUrl;
},

3. [File: src/utils/helpers.js Line: L52] Redundant optional chaining on reassigned variable
After checking url?.startsWith('android-app'), the subsequent url?.replace() uses optional chaining again, but we already know url exists from the previous check.

Suggestion: Remove the second optional chaining:

if (url?.startsWith('android-app')) {
  url = url.replace('android-app', 'https');
}

💡 Suggestions

1. [File: src/utils/helpers.js Line: L58] Silent error swallowing
The catch block with // do nothing silently swallows all errors. While this might be intentional for robustness, it could hide unexpected issues during development.

Consideration: Consider logging errors in development mode or documenting why all errors are intentionally ignored.

2. [File: spec/src/utils/helpers.js Line: L219] Test could verify more specific behavior
The test for getCanonicalUrl with Android app URLs is good, but it doesn't verify that the canonical URL is being processed through the same cleanAndValidateUrl function. Consider adding a test that verifies the integration explicitly.

3. [General] Documentation for edge case handling
This PR addresses a specific Android WebView edge case. Consider adding a code comment explaining why this transformation is necessary (e.g., "Android WebViews pass android-app:// schemes which aren't valid HTTP URLs for API validation").

Overall Assessment: ⚠️ Needs Work

The implementation correctly addresses the Android app referrer issue with comprehensive test coverage. However, there are a couple of important issues around parameter mutation and potential edge cases with the string replacement that should be addressed before merging. The changes are well-isolated and the test coverage is thorough.

[constructor-claude-bedrock]

Code Review Results

✅ Strengths

Good test coverage for the new functionality including edge cases like empty strings, null values, and URL trimming logic.

🚨 Critical Issues

[File: src/utils/helpers.js Line: L87-88]

• Parameter mutation vulnerability: The cleanAndValidateUrl function directly mutates its url parameter using url = url?.replace(...). This violates the principle of immutability and can cause unexpected behavior for callers who pass in string values. While strings are immutable in JavaScript, reassigning the parameter is a code smell that can lead to confusion.
• Fix: Create a new variable instead:

let processedUrl = url;
if (processedUrl?.startsWith('android-app')) {
  processedUrl = processedUrl.replace('android-app', 'https');
}
const urlObj = new URL(processedUrl, baseUrl);

[File: src/utils/helpers.js Line: L67-72]

• URL object mutation: The trimUrl function modifies the passed urlObj by calling searchParams.delete(), which mutates the original URL object. This violates the function's expected behavior since it should not have side effects on the input parameter.
• Fix: Clone the URL object at the start of the function:

trimUrl: (urlObj, maxLen = URL_MAX_LEN) => {
  const clonedUrlObj = new URL(urlObj.toString());
  let urlString = clonedUrlObj.toString();
  // ... rest of the logic using clonedUrlObj
}

⚠️ Important Issues

[File: src/utils/helpers.js Line: L87]

• Incomplete protocol handling: The android-app protocol replacement only handles android-app:// but not potential variations like android-app: (without slashes) or other mobile app protocols (e.g., ios-app://). Consider if other mobile protocols need handling.
• Suggestion: Add a comment explaining why only android-app is handled, or expand to support other protocols if needed.

[File: src/utils/helpers.js Line: L95-97]

• Silent error suppression: The catch block with // do nothing comment suppresses all errors without logging. This makes debugging difficult in production when URL validation fails unexpectedly.
• Fix: Consider logging errors in development or adding a more descriptive comment:

} catch (e) {
  // URL construction failed - return null for invalid URLs
  // This is expected for malformed URLs and relative paths without baseUrl
}

[File: src/utils/helpers.js Line: L156-158]

• Inconsistent error handling: Similar silent error suppression in getDocumentReferrer. The catch block should have a more descriptive comment about what errors are expected.

💡 Suggestions

[File: src/utils/helpers.js Line: L61-65]

• Performance optimization: The sort operation calculates the length of each parameter entry multiple times. Consider caching the lengths:

const paramEntriesWithLengths = paramEntries.map(entry => ({
  entry,
  length: entry[0].length + entry[1].length
}));
paramEntriesWithLengths.sort((a, b) => b.length - a.length);

[File: src/utils/helpers.js Line: L92]

• Unnecessary URL object creation: Creating a new URL object from utils.trimUrl(urlObj) is redundant since trimUrl already returns a string. Consider refactoring:

const trimmedUrlString = utils.trimUrl(urlObj);
validatedUrl = trimmedUrlString;

[File: spec/src/utils/helpers.js Line: L218-230]

• Test description inconsistency: The test is in the getCanonicalUrl describe block but tests android-app referrer handling. Consider if this test belongs in the cleanAndValidateUrl section instead, or update the description to be more specific about canonical URL handling.

[File: src/utils/helpers.js Line: L47]

• JSDoc missing: The new utility functions trimUrl and cleanAndValidateUrl lack JSDoc comments. Adding documentation would improve maintainability:

/**
 * Trims a URL to a maximum length by removing query parameters
 * @param {URL} urlObj - The URL object to trim
 * @param {number} maxLen - Maximum length (default: 2000)
 * @returns {string} The trimmed URL string
 */

Overall Assessment: ⚠️ Needs Work

The PR addresses a valid edge case with android-app referrers and includes good test coverage. However, there are two critical issues with parameter mutation that should be fixed before merge. The trimUrl and cleanAndValidateUrl functions should not mutate their input parameters. Additionally, error handling could be improved with better documentation.

[constructor-claude-bedrock]

Code Review Results

✅ Strengths

Comprehensive test coverage with edge cases for Android app referrers, URL validation, and trimming logic.

🚨 Critical Issues

None

⚠️ Important Issues

[File: src/utils/helpers.js Line: L88-89]
The conditional logic uses optional chaining on url twice, but then mutates the parameter directly. This creates two issues:

1. Reassigning the url parameter violates immutability principles
2. Using url?.replace() when url has already been verified by url?.startsWith() is redundant

Suggested fix:

// Handle android app referrers
let processedUrl = url;
if (url?.startsWith('android-app')) {
  processedUrl = url.replace('android-app', 'https');
}

const urlObj = new URL(processedUrl, baseUrl);

[File: src/utils/helpers.js Line: L96-97]
The catch block silently swallows errors with just a comment // do nothing. This makes debugging difficult when URL validation fails unexpectedly. Consider adding minimal logging for development/debugging purposes, or at least document why errors are intentionally ignored.

Suggested approach:

} catch (e) {
  // URL validation failed - return null to indicate invalid URL
  // This is expected for malformed URLs and should not throw
}

[File: src/utils/helpers.js Line: L88]
The android-app protocol replacement is too broad. It replaces android-app anywhere in the string, not just at the protocol position. Consider using a more precise replacement:

if (url?.startsWith('android-app://')) {
  processedUrl = url.replace(/^android-app:/, 'https:');
}

This ensures only the protocol is replaced and handles the case correctly.

[File: src/utils/helpers.js Line: L72]
The trimUrl function mutates the urlCopy object's searchParams inside the loop (line 72: searchParams.delete(paramEntries[i][0])). While urlCopy is a copy, this mutation pattern could be clearer. The code works correctly but consider documenting this intentional mutation since the guidelines emphasize avoiding mutations.

[File: src/utils/helpers.js Line: L153-159]
Similar to line 96-97, the catch block in getDocumentReferrer silently swallows errors. Document the expected error scenarios.

💡 Suggestions

[File: src/utils/helpers.js Line: L47-81]
The trimUrl function has complex logic with multiple responsibilities (checking length, sorting params by length, iterating and deleting, truncating). Consider extracting the parameter removal logic into a separate helper function to improve readability and testability:

const removeParamsBySize = (searchParams, targetLength) => {
  const paramEntries = Array.from(searchParams.entries());
  paramEntries.sort((a, b) => {
    const aLength = a[0].length + a[1].length;
    const bLength = b[0].length + b[1].length;
    return bLength - aLength;
  });
  
  for (let i = 0; i < paramEntries.length; i += 1) {
    if (urlString.length <= targetLength) break;
    searchParams.delete(paramEntries[i][0]);
  }
};

[File: src/utils/helpers.js Line: L22]
The constant URL_MAX_LEN = 2000 is defined but could benefit from a comment explaining why 2000 was chosen (e.g., API limitation, browser compatibility, etc.).

[File: spec/src/utils/helpers.js Line: L221]
Test coverage is excellent. Minor suggestion: Consider adding a test case for the edge where an android-app URL appears mid-string (though unlikely, it validates the replacement logic is position-aware).

[File: src/utils/helpers.js Line: L164-181]
The getCanonicalUrl function now uses cleanAndValidateUrl, which applies Android app URL transformation. Verify this is the intended behavior - canonical URLs are typically already in valid format, so applying Android app transformations might be unnecessary. If intentional, add a comment explaining why.

Overall Assessment: ⚠️ Needs Work

The implementation correctly handles the Android app referrer edge case and adds robust URL validation with comprehensive test coverage. The main concerns are around parameter mutation (violating immutability guidelines), overly broad string replacement logic, and silent error handling that could complicate debugging. These issues should be addressed before merging.