wevm / frog

Framework for Farcaster Frames 🐸
https://frog.fm

Frame request input validation #509

Open cryptojcdenton opened 2 weeks ago

cryptojcdenton commented 2 weeks ago

Describe the bug

Hey Frog team, I am making a bug report on behalf of @artlu99, it seems that there is a lack of input validation for requests - we cannot figure out why this request body doesn't work on the frame url https://private-frame.artlu.xyz/api, for our client far.quest/cast.

// Here is all we are doing on `build.far.quest/v1/fetch-frame`:
const { proxyUrl, untrustedData, trustedData, action } = req.body;

const response = await axios.post(proxyUrl, {
  untrustedData,
  trustedData,
});

The frog server returns a 500 - I assume it should validate the input, and return a 400 for bad input, rather than an internal error.

His frog server on vercel shows this error: TypeError: Invalid URL at new URL (node:internal) (the repo is here).

Would be helpful if there was some input validation for a frog frame server, thank you!

Link to Minimal Reproducible Example

https://github.com/artlu99/private-frame-artlu-xyz

Steps To Reproduce

Enter https://private-frame.artlu.xyz/api into this test page: https://far.quest/~/developers/frames

Server:

https://github.com/artlu99/private-frame-artlu-xyz

Frog Version

0.17.4

TypeScript Version

No response

Check existing issues

Anything else?

No response
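
An added example, not part of the issue or of frog's code: one way a frame server could validate the request body so that malformed input gets a 400 instead of reaching `new URL` and surfacing as a 500. `validateFrameBody` is a hypothetical helper, the `untrustedData.url` and `trustedData.messageBytes` fields are assumed from the Farcaster Frames request format, and the sample bodies are constructed.

```javascript
// Hypothetical helper (not frog's API): check a frame POST body up front and
// report every problem as a 400, so nothing malformed reaches `new URL`.
function isPlainObject(v) {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

function validateFrameBody(body) {
  if (!isPlainObject(body)) {
    return { status: 400, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const { untrustedData, trustedData } = body;

  if (!isPlainObject(untrustedData)) {
    errors.push('untrustedData must be an object');
  } else if (typeof untrustedData.url !== 'string') {
    // Assumption: untrustedData.url carries the frame URL.
    errors.push('untrustedData.url must be a string');
  } else {
    try {
      const u = new URL(untrustedData.url); // throws TypeError: Invalid URL
      if (u.protocol !== 'https:' && u.protocol !== 'http:') {
        errors.push('untrustedData.url must be http(s)');
      }
    } catch {
      errors.push('untrustedData.url is not a valid absolute URL');
    }
  }

  if (!isPlainObject(trustedData)) {
    errors.push('trustedData must be an object');
  } else if (typeof trustedData.messageBytes !== 'string') {
    // Assumption: trustedData.messageBytes is the signed message as a string.
    errors.push('trustedData.messageBytes must be a string');
  }

  return { status: errors.length ? 400 : 200, errors };
}

// Constructed sample bodies (not captured traffic).
const SAMPLES = {
  ok: { untrustedData: { url: 'https://frame.example/api' }, trustedData: { messageBytes: '0a1b' } },
  relativeUrl: { untrustedData: { url: '/api' }, trustedData: { messageBytes: '0a1b' } },
  badScheme: { untrustedData: { url: 'javascript:alert(1)' }, trustedData: { messageBytes: '0a1b' } },
  missingParts: { untrustedData: undefined, trustedData: undefined },
};
```

A handler would call `validateFrameBody(req.body)` first and respond with the returned status and error list before doing any further parsing.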

dalechyn commented 2 weeks ago

Thank you! Will check it on the weekend!

dalechyn commented 1 day ago

I don't think the Invalid URL error is thrown because of a validation issue.

Can you please provide the full error stacktrace? To know where exactly it threw it.

Also appreciate the repo but I could not reproduce it locally.