fix with url parsing being fatal

pcarleton · pcarleton · commit 0d679c60d46c · 2025-08-19T15:34:23.000+01:00
diff --git a/src/shared/auth.test.ts b/src/shared/auth.test.ts
@@ -25,6 +25,10 @@ describe('SafeUrlSchema', () => {
     expect(() => SafeUrlSchema.parse('not-a-url')).toThrow();
     expect(() => SafeUrlSchema.parse('')).toThrow();
   });
+
+  it('works with safeParse', () => {
+    expect(() => SafeUrlSchema.safeParse('not-a-url')).not.toThrow();
+  });
 });
 
 describe('OAuthMetadataSchema', () => {
diff --git a/src/shared/auth.ts b/src/shared/auth.ts
@@ -4,10 +4,17 @@ import { z } from "zod";
  * Reusable URL validation that disallows javascript: scheme
  */
 export const SafeUrlSchema = z.string().url()
-  .refine(
-    (url) => URL.canParse(url),
-    {message: "URL must be parseable"}
-  ).refine(
+  .superRefine((val, ctx) => {
+    if (!URL.canParse(val)) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: "URL must be parseable",
+        fatal: true,
+      });
+
+      return z.NEVER;
+    }
+  }).refine(
     (url) => {
       const u = new URL(url);
       return u.protocol !== 'javascript:' && u.protocol !== 'data:' && u.protocol !== 'vbscript:';
