Merge pull request #97 from usetrmnl/96-45-cleartext-com

[ADDED] Allow non-secure HTTP based BYOS URL

Author: hossain-khan

app/src/main/AndroidManifest.xml

@@ -14,6 +14,7 @@
         android:roundIcon="@mipmap/ic_launcher_round"
         android:supportsRtl="true"
         android:theme="@style/Theme.App"
+        android:networkSecurityConfig="@xml/network_security_config"
         tools:targetApi="35"
         android:enableOnBackInvokedCallback="true"
         tools:replace="android:appComponentFactory">

app/src/main/java/ink/trmnl/android/util/InputValidator.kt

@@ -3,22 +3,22 @@ package ink.trmnl.android.util
 import java.util.regex.Pattern
 
 /**
- * Validates if the provided string is a valid HTTPS URL.
+ * Validates if the provided string is a valid HTTP or HTTPS URL.
  *
  * The function checks that the URL:
- * - Starts with https:// (HTTP is not accepted for security reasons)
+ * - Starts with http:// or https://
  * - Contains valid URL characters in the domain and path components
  *
  * @param url The string to validate as a URL
- * @return true if the string is a valid HTTPS URL, false otherwise
+ * @return true if the string is a valid HTTP or HTTPS URL, false otherwise
  */
 internal fun isValidUrl(url: String): Boolean {
-    val httpsRegex =
+    val httpRegex =
         Pattern.compile(
-            "^(https)://[-a-zA-Z0-9+&@#/%?=~_|!:,.;]*[-a-zA-Z0-9+&@#/%=~_|]",
+            "^(http|https)://[-a-zA-Z0-9+&@#/%?=~_|!:,.;]*[-a-zA-Z0-9+&@#/%=~_|]",
             Pattern.CASE_INSENSITIVE,
         )
-    return httpsRegex.matcher(url).matches()
+    return httpRegex.matcher(url).matches()
 }
 
 /**

app/src/main/res/xml/network_security_config.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="utf-8"?>
+<network-security-config>
+    <!-- Allow cleartext traffic for all domains -->
+    <base-config cleartextTrafficPermitted="true">
+        <trust-anchors>
+            <certificates src="system" />
+        </trust-anchors>
+    </base-config>
+
+    <!-- Specific configuration for localhost/emulator addresses -->
+    <domain-config cleartextTrafficPermitted="true">
+        <domain includeSubdomains="true">localhost</domain>
+        <domain includeSubdomains="true">127.0.0.1</domain>
+        <domain includeSubdomains="true">10.0.2.2</domain> <!-- Android emulator's localhost -->
+    </domain-config>
+</network-security-config>

app/src/test/java/ink/trmnl/android/util/InputValidatorTest.kt

@@ -8,9 +8,10 @@ import org.junit.Test
  */
 class InputValidatorTest {
     @Test
-    fun `isValidUrl should return true for valid HTTPS URLs`() {
+    fun `isValidUrl should return true for valid HTTP and HTTPS URLs`() {
         val validUrls =
             listOf(
+                // HTTPS URLs
                 "https://localhost:2443",
                 "https://example.com",
                 "https://example.com/path",
@@ -21,6 +22,16 @@ class InputValidatorTest {
                 "https://example.com/path/to/resource",
                 "https://example.com/path-with-dash",
                 "https://example.com/path_with_underscore",
+                // HTTP URLs
+                "http://example.com",
+                "http://localhost",
+                "http://localhost:8080",
+                "http://subdomain.example.com",
+                "http://example.com/path",
+                "http://example.com/path?query=value&another=true",
+                "http://127.0.0.1",
+                "http://10.0.2.2",
+                "http://example-domain.com:9000/api",
             )
 
         validUrls.forEach { url ->
@@ -29,15 +40,12 @@ class InputValidatorTest {
     }
 
     @Test
-    fun `isValidUrl should return false for invalid URLs and HTTP URLs`() {
+    fun `isValidUrl should return false for invalid URLs`() {
         val invalidUrls =
             listOf(
                 "",
                 "example.com",
                 "www.example.com",
-                "http://example.com", // HTTP is now invalid - HTTPS only
-                "http://subdomain.example.com", // HTTP is now invalid - HTTPS only
-                "http://example.com/path", // HTTP is now invalid - HTTPS only
                 "ftp://example.com",
                 "file:///path/to/file",
                 "http:/example.com",