Skip to content

fix: add input validation to analytics app schemas #26976

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
pedroccastro wants to merge 4 commits into
base: main
Choose a base branch
from
Draft

fix: add input validation to analytics app schemas #26976

pedroccastro wants to merge 4 commits into from
+445 −29

Conversation

@pedroccastro
Copy link
Contributor

@pedroccastro pedroccastro commented Jan 18, 2026

What does this PR do?

Adds input validation to analytics app integration schemas. Tracking IDs and URLs now conform to their expected formats, preventing malformed data from being stored and rendered.

Changes

Layer File(s) Change
Schema gtm/zod.ts Validate GTM-XXXXXX format
Schema ga4/zod.ts Validate G-XXXXXXXXXX format
Schema metapixel/zod.ts Validate numeric pixel IDs
Schema posthog/zod.ts Validate alphanumeric keys + http/https URLs
Schema fathom/zod.ts Validate alphanumeric site IDs
Schema plausible/zod.ts Validate domain format + http/https URLs
Schema matomo/zod.ts Validate http/https URLs + numeric site IDs
Schema umami/zod.ts Validate UUID/numeric IDs + http/https URLs
Schema twipla/zod.ts Validate alphanumeric/UUID site IDs
Schema insihts/zod.ts Validate alphanumeric site IDs + http/https URLs
Schema databuddy/zod.ts Validate alphanumeric client IDs + http/https URLs
Tests analytics-apps.test.ts Unit tests for all schemas

Technical Details

  • URL fields use new URL() for validation + protocol check (http/https only)
  • Tracking IDs use format-specific regex based on each provider's documentation
  • Empty strings remain valid for optional fields (backwards compatible)

How should this be tested?

  1. Configure any analytics app on an event type with valid ID → should save
  2. Try saving with invalid format (e.g., letters in Meta Pixel ID) → should show validation error
  3. Leave optional fields empty → should save successfully
  4. Run unit tests: yarn vitest run packages/app-store/analytics-apps.test.ts

Mandatory Tasks (DO NOT REMOVE)

  • I have self-reviewed the code.
  • I have updated the developer docs in /docs if this PR makes changes that would require a documentation change.
  • I confirm automated tests are in place that prove my fix is effective or that my feature works.

@pedroccastro
fix(analytics): add input validation to analytics app schemas
511c73b 
Add strict input validation for tracking IDs and URLs in analytics
app integrations to ensure data conforms to expected formats
@pedroccastro
fix: remove optional/default to fix type inference
98f9edd 
Remove .optional() and .default("") from schemas with transform/refine
chains to preserve correct TypeScript type inference
@pedroccastro
fix: restore .optional() for type compatibility
17fff2f
@github-actions
Copy link
Contributor

github-actions bot commented Jan 18, 2026

E2E results are ready!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

ready-for-e2e size/L

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pedroccastro