feat(postgrest): add URL length validation and timeout protection

Adds two new configuration options to PostgrestClient to prevent
indefinite hangs on queries with very long URLs (10k+ characters):

- `timeout`: Optional int (milliseconds) to auto-abort requests via
  Future.timeout, propagated through PostgrestClientOptions
- `urlLengthLimit`: Max URL length (default 8000) before logging a
  warning, guiding users toward views or RPC functions for large queries

Both options propagate from PostgrestClient through all builders
(PostgrestQueryBuilder, PostgrestRpcBuilder) and from SupabaseClient
via PostgrestClientOptions.

Acceptance Criteria:
- [x] timeout option added to PostgrestClient and SupabaseClient
- [x] urlLengthLimit option added with default of 8000
- [x] URL length validation before request execution
- [x] Timeout auto-cancels requests via Future.timeout
- [x] Unit tests cover timeout and URL length scenarios

Linear: SDK-698

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: grdsdev

packages/postgrest/lib/src/postgrest.dart

@@ -12,6 +12,14 @@ class PostgrestClient {
   final Client? httpClient;
   final YAJsonIsolate _isolate;
   final bool _hasCustomIsolate;
+
+  /// Optional timeout in milliseconds for PostgREST requests. When set,
+  /// requests automatically abort after this duration to prevent indefinite hangs.
+  final int? timeout;
+
+  /// Maximum URL length in characters before a warning is logged. Defaults to 8000.
+  /// Protects against exceeding server URL limits with large queries.
+  final int urlLengthLimit;
   final _log = Logger('supabase.postgrest');
 
   /// To create a [PostgrestClient], you need to provide an [url] endpoint.
@@ -25,12 +33,18 @@ class PostgrestClient {
   /// [httpClient] is optional and can be used to provide a custom http client
   ///
   /// [isolate] is optional and can be used to provide a custom isolate, which is used for heavy json computation
+  ///
+  /// [timeout] is optional and can be used to set a timeout in milliseconds for requests
+  ///
+  /// [urlLengthLimit] is optional and can be used to set the maximum URL length before a warning is logged. Defaults to 8000.
   PostgrestClient(
     this.url, {
     Map<String, String>? headers,
     String? schema,
     this.httpClient,
     YAJsonIsolate? isolate,
+    this.timeout,
+    this.urlLengthLimit = 8000,
   })  : _schema = schema,
         headers = {...defaultHeaders, if (headers != null) ...headers},
         _isolate = isolate ?? (YAJsonIsolate()..initialize()),
@@ -65,6 +79,8 @@ class PostgrestClient {
       schema: _schema,
       httpClient: httpClient,
       isolate: _isolate,
+      timeout: timeout,
+      urlLengthLimit: urlLengthLimit,
     );
   }
 
@@ -78,6 +94,8 @@ class PostgrestClient {
       schema: schema,
       httpClient: httpClient,
       isolate: _isolate,
+      timeout: timeout,
+      urlLengthLimit: urlLengthLimit,
     );
   }
 
@@ -108,6 +126,8 @@ class PostgrestClient {
       schema: _schema,
       httpClient: httpClient,
       isolate: _isolate,
+      timeout: timeout,
+      urlLengthLimit: urlLengthLimit,
     ).rpc(params, get);
   }
 

packages/postgrest/lib/src/postgrest_builder.dart

@@ -45,6 +45,13 @@ class PostgrestBuilder<T, S, R> implements Future<T> {
   final Client? _httpClient;
   final YAJsonIsolate? _isolate;
   final CountOption? _count;
+
+  /// Optional timeout in milliseconds for this request. When set, the request
+  /// automatically aborts after this duration to prevent indefinite hangs.
+  final int? _timeout;
+
+  /// Maximum URL length in characters before a warning is logged. Defaults to 8000.
+  final int _urlLengthLimit;
   final _log = Logger('supabase.postgrest');
 
   PostgrestBuilder({
@@ -58,6 +65,8 @@ class PostgrestBuilder<T, S, R> implements Future<T> {
     CountOption? count,
     bool maybeSingle = false,
     PostgrestConverter<S, R>? converter,
+    int? timeout,
+    int urlLengthLimit = 8000,
   })  : _maybeSingle = maybeSingle,
         _method = method,
         _converter = converter,
@@ -67,7 +76,9 @@ class PostgrestBuilder<T, S, R> implements Future<T> {
         _httpClient = httpClient,
         _isolate = isolate,
         _count = count,
-        _body = body;
+        _body = body,
+        _timeout = timeout,
+        _urlLengthLimit = urlLengthLimit;
 
   PostgrestBuilder<T, S, R> _copyWith({
     Uri? url,
@@ -92,6 +103,8 @@ class PostgrestBuilder<T, S, R> implements Future<T> {
       count: count ?? _count,
       maybeSingle: maybeSingle ?? _maybeSingle,
       converter: converter ?? _converter,
+      timeout: _timeout,
+      urlLengthLimit: _urlLengthLimit,
     );
   }
 
@@ -113,6 +126,15 @@ class PostgrestBuilder<T, S, R> implements Future<T> {
       }
     }
 
+    final urlLength = _url.toString().length;
+    if (urlLength > _urlLengthLimit) {
+      _log.warning(
+        'Request URL is $urlLength characters, which exceeds the limit of $_urlLengthLimit. '
+        'If selecting many fields, consider using a view. '
+        'If filtering with large arrays, consider using an RPC function.',
+      );
+    }
+
     try {
       if (method == null) {
         throw ArgumentError(
@@ -136,39 +158,51 @@ class PostgrestBuilder<T, S, R> implements Future<T> {
       final bodyStr = jsonEncode(_body);
       _log.finest("Request: $uppercaseMethod $_url");
 
+      Future<http.Response> responseFuture;
+
       if (uppercaseMethod == METHOD_GET) {
-        response = await (_httpClient?.get ?? http.get)(
+        responseFuture = (_httpClient?.get ?? http.get)(
           _url,
           headers: _headers,
         );
       } else if (uppercaseMethod == METHOD_POST) {
-        response = await (_httpClient?.post ?? http.post)(
+        responseFuture = (_httpClient?.post ?? http.post)(
           _url,
           headers: _headers,
           body: bodyStr,
         );
       } else if (uppercaseMethod == METHOD_PUT) {
-        response = await (_httpClient?.put ?? http.put)(
+        responseFuture = (_httpClient?.put ?? http.put)(
           _url,
           headers: _headers,
           body: bodyStr,
         );
       } else if (uppercaseMethod == METHOD_PATCH) {
-        response = await (_httpClient?.patch ?? http.patch)(
+        responseFuture = (_httpClient?.patch ?? http.patch)(
           _url,
           headers: _headers,
           body: bodyStr,
         );
       } else if (uppercaseMethod == METHOD_DELETE) {
-        response = await (_httpClient?.delete ?? http.delete)(
+        responseFuture = (_httpClient?.delete ?? http.delete)(
           _url,
           headers: _headers,
         );
       } else if (uppercaseMethod == METHOD_HEAD) {
-        response = await (_httpClient?.head ?? http.head)(
+        responseFuture = (_httpClient?.head ?? http.head)(
           _url,
           headers: _headers,
         );
+      } else {
+        throw ArgumentError('Unsupported HTTP method: $method');
+      }
+
+      if (_timeout != null) {
+        response = await responseFuture.timeout(
+          Duration(milliseconds: _timeout!),
+        );
+      } else {
+        response = await responseFuture;
       }
 
       return _parseResponse(response, method);

packages/postgrest/lib/src/postgrest_query_builder.dart

@@ -19,6 +19,8 @@ class PostgrestQueryBuilder<T> extends RawPostgrestBuilder<T, T, T> {
     String? schema,
     Client? httpClient,
     YAJsonIsolate? isolate,
+    int? timeout,
+    int urlLengthLimit = 8000,
   }) : super(
           PostgrestBuilder(
             url: url,
@@ -27,6 +29,8 @@ class PostgrestQueryBuilder<T> extends RawPostgrestBuilder<T, T, T> {
             schema: schema,
             httpClient: httpClient,
             isolate: isolate,
+            timeout: timeout,
+            urlLengthLimit: urlLengthLimit,
           ),
         );
 

packages/postgrest/lib/src/postgrest_rpc_builder.dart

@@ -7,13 +7,17 @@ class PostgrestRpcBuilder extends RawPostgrestBuilder {
     String? schema,
     Client? httpClient,
     required YAJsonIsolate isolate,
+    int? timeout,
+    int urlLengthLimit = 8000,
   }) : super(
           PostgrestBuilder(
             url: Uri.parse(url),
             headers: headers ?? {},
             schema: schema,
             httpClient: httpClient,
             isolate: isolate,
+            timeout: timeout,
+            urlLengthLimit: urlLengthLimit,
           ),
         );
 

packages/postgrest/lib/src/raw_postgrest_builder.dart

@@ -14,6 +14,8 @@ class RawPostgrestBuilder<T, S, R> extends PostgrestBuilder<T, S, R> {
           isolate: builder._isolate,
           maybeSingle: builder._maybeSingle,
           converter: builder._converter,
+          timeout: builder._timeout,
+          urlLengthLimit: builder._urlLengthLimit,
         );
 
   /// Very similar to [_copyWith], but allows changing the generics, therefore [_converter] is omitted
@@ -38,6 +40,8 @@ class RawPostgrestBuilder<T, S, R> extends PostgrestBuilder<T, S, R> {
       isolate: isolate ?? _isolate,
       count: count ?? _count,
       maybeSingle: maybeSingle ?? _maybeSingle,
+      timeout: _timeout,
+      urlLengthLimit: _urlLengthLimit,
     ));
   }
 

packages/postgrest/test/timeout_url_length_test.dart

@@ -0,0 +1,149 @@
+import 'dart:async';
+import 'dart:typed_data';
+
+import 'package:http/http.dart';
+import 'package:logging/logging.dart';
+import 'package:postgrest/postgrest.dart';
+import 'package:test/test.dart';
+
+class _DelayedHttpClient extends BaseClient {
+  final Duration delay;
+  final int statusCode;
+  final String body;
+
+  _DelayedHttpClient({
+    required this.delay,
+    this.statusCode = 200,
+    this.body = '[]',
+  });
+
+  @override
+  Future<StreamedResponse> send(BaseRequest request) async {
+    await Future.delayed(delay);
+    return StreamedResponse(
+      Stream.value(Uint8List.fromList(body.codeUnits)),
+      statusCode,
+      request: request,
+    );
+  }
+}
+
+class _InstantHttpClient extends BaseClient {
+  final int statusCode;
+  final String body;
+
+  _InstantHttpClient({this.statusCode = 200, this.body = '[]'});
+
+  @override
+  Future<StreamedResponse> send(BaseRequest request) async {
+    return StreamedResponse(
+      Stream.value(Uint8List.fromList(body.codeUnits)),
+      statusCode,
+      request: request,
+    );
+  }
+}
+
+void main() {
+  group('URL length validation', () {
+    test('logs warning when URL exceeds urlLengthLimit', () async {
+      final warnings = <String>[];
+      final subscription = Logger.root.onRecord.listen((record) {
+        if (record.level == Level.WARNING) {
+          warnings.add(record.message);
+        }
+      });
+      Logger.root.level = Level.ALL;
+
+      final client = PostgrestClient(
+        'http://localhost:3000',
+        httpClient: _InstantHttpClient(),
+        urlLengthLimit: 50,
+      );
+
+      // URL: http://localhost:3000/users?select=id,username,email,created_at — well over 50 chars
+      await client
+          .from('users')
+          .select('id,username,email,created_at')
+          .catchError((_) => []);
+
+      await subscription.cancel();
+
+      expect(
+        warnings.any((w) => w.contains('exceeds the limit of 50')),
+        isTrue,
+        reason: 'Expected a warning about URL length',
+      );
+    });
+
+    test('does not log warning when URL is within urlLengthLimit', () async {
+      final warnings = <String>[];
+      final subscription = Logger.root.onRecord.listen((record) {
+        if (record.level == Level.WARNING &&
+            record.message.contains('exceeds the limit')) {
+          warnings.add(record.message);
+        }
+      });
+      Logger.root.level = Level.ALL;
+
+      final client = PostgrestClient(
+        'http://localhost:3000',
+        httpClient: _InstantHttpClient(),
+        urlLengthLimit: 8000,
+      );
+
+      await client.from('users').select().catchError((_) => []);
+
+      await subscription.cancel();
+
+      expect(warnings, isEmpty, reason: 'Expected no URL length warning');
+    });
+
+    test('default urlLengthLimit is 8000', () {
+      final client = PostgrestClient('http://localhost:3000');
+      expect(client.urlLengthLimit, equals(8000));
+    });
+
+    test('custom urlLengthLimit is stored', () {
+      final client =
+          PostgrestClient('http://localhost:3000', urlLengthLimit: 5000);
+      expect(client.urlLengthLimit, equals(5000));
+    });
+  });
+
+  group('Timeout configuration', () {
+    test('timeout is null by default', () {
+      final client = PostgrestClient('http://localhost:3000');
+      expect(client.timeout, isNull);
+    });
+
+    test('custom timeout is stored', () {
+      final client = PostgrestClient('http://localhost:3000', timeout: 5000);
+      expect(client.timeout, equals(5000));
+    });
+
+    test('request times out when response is delayed beyond timeout', () async {
+      final client = PostgrestClient(
+        'http://localhost:3000',
+        httpClient: _DelayedHttpClient(delay: const Duration(seconds: 5)),
+        timeout: 100, // 100ms timeout
+      );
+
+      expect(
+        () => client.from('users').select(),
+        throwsA(isA<TimeoutException>()),
+      );
+    });
+
+    test('request succeeds when response is within timeout', () async {
+      final client = PostgrestClient(
+        'http://localhost:3000',
+        httpClient: _InstantHttpClient(body: '[{"id": 1}]'),
+        timeout: 5000, // 5 second timeout
+      );
+
+      final result = await client.from('users').select();
+      expect(result, isA<List>());
+    });
+  });
+}

packages/supabase/lib/src/supabase_client.dart

@@ -183,6 +183,8 @@ class SupabaseClient {
       httpClient: _authHttpClient,
       incrementId: _incrementId.increment(),
       isolate: _isolate,
+      timeout: _postgrestOptions.timeout,
+      urlLengthLimit: _postgrestOptions.urlLengthLimit,
     );
   }
 
@@ -303,6 +305,8 @@ class SupabaseClient {
       schema: _postgrestOptions.schema,
       httpClient: _authHttpClient,
       isolate: _isolate,
+      timeout: _postgrestOptions.timeout,
+      urlLengthLimit: _postgrestOptions.urlLengthLimit,
     );
   }