fix: blocks http requests (#27)

* fix: blocks http requests

* fix: fixes network sec config

* fix: retrofit

Author: pandeymangg

android/src/androidTest/java/com/formbricks/android/FormbricksInstrumentedTest.kt

@@ -29,7 +29,7 @@ import java.util.concurrent.TimeUnit
 class FormbricksInstrumentedTest {
 
     private val environmentId = "environmentId"
-    private val appUrl = "http://appUrl"
+    private val appUrl = "https://example.com"
     private val userId = "6CCCE716-6783-4D0F-8344-9C7DFA43D8F7"
     private val surveyID = "cm6ovw6j7000gsf0kduf4oo4i"
 

android/src/main/AndroidManifest.xml

@@ -3,4 +3,5 @@
     <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
     <uses-permission android:name="android.permission.INTERNET" />
     <uses-sdk android:minSdkVersion="24" android:targetSdkVersion="35" />
+    <application android:networkSecurityConfig="@xml/network_security_config" />
 </manifest>

android/src/main/java/com/formbricks/android/Formbricks.kt

@@ -52,6 +52,13 @@ object Formbricks {
             return
         }
 
+        // Validate HTTPS URL
+        if (!config.appUrl.startsWith("https://", ignoreCase = true)) {
+            val error = RuntimeException("Only HTTPS URLs are allowed for security reasons. HTTP URLs are not permitted. Provided URL: ${config.appUrl}")
+            Logger.e(error)
+            return
+        }
+
         applicationContext = context
 
         appUrl = config.appUrl

android/src/main/java/com/formbricks/android/network/FormbricksApiService.kt

@@ -2,6 +2,7 @@ package com.formbricks.android.network
 
 import com.formbricks.android.api.error.FormbricksAPIError
 import com.formbricks.android.helper.mapToJsonElement
+import com.formbricks.android.logger.Logger
 import com.formbricks.android.model.environment.EnvironmentDataHolder
 import com.formbricks.android.model.environment.EnvironmentResponse
 import com.formbricks.android.model.user.PostUserBody
@@ -14,19 +15,25 @@ import retrofit2.Call
 import retrofit2.Retrofit
 
 open class FormbricksApiService {
-
-    private lateinit var retrofit: Retrofit
+    private var retrofit: Retrofit? = null
 
     fun initialize(appUrl: String, isLoggingEnabled: Boolean) {
-        retrofit = FormbricksRetrofitBuilder(appUrl, isLoggingEnabled)
-            .getBuilder()
-            .build()
+        val builder = FormbricksRetrofitBuilder(appUrl, isLoggingEnabled).getBuilder()
+        if (builder != null) {
+            retrofit = builder.build()
+        } else {
+            // Builder returned null due to HTTP URL - log error and skip initialization
+            val error = RuntimeException("Failed to initialize API service due to invalid URL configuration. Only HTTPS URLs are allowed.")
+            Logger.e(error)
+            retrofit = null
+        }
     }
 
     open fun getEnvironmentStateObject(environmentId: String): Result<EnvironmentDataHolder> {
         return try {
+            val retrofitInstance = retrofit ?: return Result.failure(RuntimeException("API service not initialized due to invalid URL"))
             val result = execute {
-                retrofit.create(FormbricksService::class.java)
+                retrofitInstance.create(FormbricksService::class.java)
                     .getEnvironmentState(environmentId)
             }
             val json = Json { ignoreUnknownKeys = true }
@@ -41,8 +48,9 @@ open class FormbricksApiService {
     }
 
     open fun postUser(environmentId: String, body: PostUserBody): Result<UserResponse> {
+        val retrofitInstance = retrofit ?: return Result.failure(RuntimeException("API service not initialized due to invalid URL"))
         return execute {
-            retrofit.create(FormbricksService::class.java)
+            retrofitInstance.create(FormbricksService::class.java)
                 .postUser(environmentId, body)
         }
     }

android/src/main/java/com/formbricks/android/network/FormbricksRetrofitBuilder.kt

@@ -1,18 +1,30 @@
 package com.formbricks.android.network
 
+import com.formbricks.android.logger.Logger
+import okhttp3.Interceptor
 import okhttp3.OkHttpClient
+import okhttp3.Response
 import okhttp3.logging.HttpLoggingInterceptor
 import retrofit2.Retrofit
 import retrofit2.converter.gson.GsonConverterFactory
+import java.io.IOException
 import java.util.concurrent.TimeUnit
 
 class FormbricksRetrofitBuilder(private val baseUrl: String, private val loggingEnabled: Boolean) {
+    fun getBuilder(): Retrofit.Builder? {
+        // Validate base URL is HTTPS
+        if (!baseUrl.startsWith("https://", ignoreCase = true)) {
+            val error = RuntimeException("Only HTTPS URLs are allowed. HTTP URLs are not permitted for security reasons. Provided URL: $baseUrl")
+            Logger.e(error)
+            return null
+        }
 
-    fun getBuilder(): Retrofit.Builder {
         val clientBuilder = OkHttpClient.Builder()
             .connectTimeout(CONNECT_TIMEOUT_MS.toLong(), TimeUnit.MILLISECONDS)
             .readTimeout(READ_TIMEOUT_MS.toLong(), TimeUnit.MILLISECONDS)
             .followSslRedirects(true)
+            .addInterceptor(HttpsOnlyInterceptor())
+        
         if (loggingEnabled) {
             val logging = HttpLoggingInterceptor()
             logging.setLevel(HttpLoggingInterceptor.Level.BODY)
@@ -25,6 +37,25 @@ class FormbricksRetrofitBuilder(private val baseUrl: String, private val logging
             .client(clientBuilder.build())
     }
 
+    /**
+     * Interceptor that ensures all requests use HTTPS protocol
+     */
+    private class HttpsOnlyInterceptor : Interceptor {
+        @Throws(IOException::class)
+        override fun intercept(chain: Interceptor.Chain): Response {
+            val request = chain.request()
+            val url = request.url
+            
+            if (!url.isHttps) {
+                val error = RuntimeException("HTTP request blocked. Only HTTPS requests are allowed. Attempted URL: $url")
+                Logger.e(error)
+                throw IOException("HTTP request blocked. Only HTTPS requests are allowed. Attempted URL: $url")
+            }
+            
+            return chain.proceed(request)
+        }
+    }
+
     companion object {
         private const val CONNECT_TIMEOUT_MS = 30 * 1000 // 30 seconds
         private const val READ_TIMEOUT_MS = 30 * 1000 // 30 seconds

android/src/main/res/xml/network_security_config.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<network-security-config>
+    <base-config cleartextTrafficPermitted="false">
+        <trust-anchors>
+            <certificates src="system"/>
+        </trust-anchors>
+    </base-config>
+</network-security-config>