Skip to content

feat(postgrest): add URL length validation and timeout protection#1348

Closed
grdsdev wants to merge 4 commits into
mainfrom
guilherme/sdk-698-paritypostgrest-add-url-length-validation-and-timeout
Closed

feat(postgrest): add URL length validation and timeout protection#1348
grdsdev wants to merge 4 commits into
mainfrom
guilherme/sdk-698-paritypostgrest-add-url-length-validation-and-timeout

Conversation

@grdsdev
Copy link
Copy Markdown
Contributor

@grdsdev grdsdev commented Apr 9, 2026

Summary

  • Adds timeout (optional int, milliseconds) to PostgrestClient — wraps requests with Future.timeout to auto-abort slow requests
  • Adds urlLengthLimit (default 8000) to log a warning before requests with very long URLs that may exceed server limits
  • Both options propagate from PostgrestClientOptions through all builders and SupabaseClient

Changes

  • PostgrestClient: New timeout: int? and urlLengthLimit: int fields
  • PostgrestBuilder._execute(): Checks URL length and logs warning; wraps HTTP calls with Future.timeout
  • RawPostgrestBuilder._copyWithType(): Propagates both fields through builder chain
  • PostgrestQueryBuilder / PostgrestRpcBuilder: Accept and forward both fields
  • PostgrestClientOptions: Exposes both options to SupabaseClient users
  • SupabaseClient: Passes options when creating PostgrestClient and SupabaseQueryBuilder
  • SupabaseQueryBuilder / SupabaseQuerySchema: Accept and forward both fields
  • Tests: 8 unit tests covering configuration defaults, timeout behavior, and URL length warning

Testing

  • Unit tests: timeout_url_length_test.dart — 8/8 passing
  • Existing filter/transform tests require a running PostgREST server (unaffected by this change)

Risk Assessment

  • Breaking changes: None — all new fields have defaults
  • Backward compatibility: Maintained
  • Performance impact: Negligible (one string length check per request)

Acceptance Criteria

  • timeout option added to PostgrestClient and SupabaseClient
  • urlLengthLimit option added with default of 8000
  • URL length validation before request execution
  • Timeout auto-cancels requests via Future.timeout
  • Unit tests cover both features

Closes: SDK-698
Related: SDK-646

🤖 Generated with Claude Code /take

grdsdev and others added 2 commits April 9, 2026 11:53
@grdsdev @claude
feat(postgrest): add URL length validation and timeout protection
783c6ef 
Adds two new configuration options to PostgrestClient to prevent
indefinite hangs on queries with very long URLs (10k+ characters):

- `timeout`: Optional int (milliseconds) to auto-abort requests via
  Future.timeout, propagated through PostgrestClientOptions
- `urlLengthLimit`: Max URL length (default 8000) before logging a
  warning, guiding users toward views or RPC functions for large queries

Both options propagate from PostgrestClient through all builders
(PostgrestQueryBuilder, PostgrestRpcBuilder) and from SupabaseClient
via PostgrestClientOptions.

Acceptance Criteria:
- [x] timeout option added to PostgrestClient and SupabaseClient
- [x] urlLengthLimit option added with default of 8000
- [x] URL length validation before request execution
- [x] Timeout auto-cancels requests via Future.timeout
- [x] Unit tests cover timeout and URL length scenarios

Linear: SDK-698

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@grdsdev @claude
fix(postgrest): fix field promotion null-safety issues in PostgrestBu…
ba1d22e 
…ilder

Use local variable extraction to enable null promotion for final fields
in PostgrestBuilder that could not be promoted due to class inheritance.
This fixes dart test compilation errors affecting all test files.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@grdsdev grdsdev force-pushed the guilherme/sdk-698-paritypostgrest-add-url-length-validation-and-timeout branch from fdf65a3 to ba1d22e Compare April 9, 2026 14:57
grdsdev and others added 2 commits April 9, 2026 11:59
@grdsdev @claude
style: format dart code after melos bootstrap
8360bdb 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@grdsdev @claude
fix(postgrest): resolve dart analyze warnings from URL length and tim…
7620084 
…eout changes

Remove unnecessary null assertion operators on final field `_timeout` (Dart promotes final fields through null checks). Remove unused optional parameters `statusCode` and `body` from test HTTP client helpers.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@grdsdev grdsdev requested review from a team and Vinzent03 April 9, 2026 15:20
@grdsdev grdsdev closed this Apr 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Vinzent03 Vinzent03 Awaiting requested review from Vinzent03

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@grdsdev