From 60b2e561b0c2157a63f100f5a1b5d151b0d17dad Mon Sep 17 00:00:00 2001
From: Ivan Prodanov <mail@iprodanov.com>
Date: Mon, 14 Nov 2022 22:47:27 +0200
Subject: [PATCH] fix(4): Fixed URL validation when adding new instances

---
 app.js         |  6 ++++--
 web/index.html | 34 ++++++++++++++++++++++++++--------
 2 files changed, 30 insertions(+), 10 deletions(-)

diff --git a/app.js b/app.js
index 713493a..2fbab66 100644
--- a/app.js
+++ b/app.js
@@ -95,7 +95,8 @@ function availabilityCheck() {
     return;
   }
 
-  const request = net.request(`${instance}/auth/providers`);
+  let url = new URL(instance);
+  const request = net.request(`${url.origin}/auth/providers`);
 
   request.on('response', (response) => {
     if (response.statusCode !== 200) {
@@ -175,7 +176,8 @@ function checkForAvailableInstance() {
     });
     let found;
     for (let instance of instances.filter((e) => e.url !== currentInstance())) {
-      const request = net.request(`${instance}/auth/providers`);
+      const url = new URL(instance);
+      const request = net.request(`${url.origin}/auth/providers`);
       request.on('response', (response) => {
         if (response.statusCode === 200) {
           found = instance;
diff --git a/web/index.html b/web/index.html
index e3b9fc6..d76aa31 100644
--- a/web/index.html
+++ b/web/index.html
@@ -45,7 +45,17 @@
     })
 
     function addInstance(url) {
-      ipcRenderer.send('ha-instance', url);
+      const urlField = document.getElementById('url');
+      urlField.value = url;
+      checkUrl();
+    }
+
+    function saveInstance() {
+      const urlField = document.getElementById('url');
+      document.getElementById('check-wrapper').style.display = 'block';
+      document.getElementById('url-wrapper').style.display = 'none';
+      showCheckmark = true;
+      ipcRenderer.send('ha-instance', urlField.value);
     }
 
     ipcRenderer.send('ha-instance');
@@ -77,27 +87,34 @@
 
     function checkUrl() {
       const urlField = document.getElementById('url');
-      const url = urlField.value;
+      const submitBtn = document.getElementById('submit');
+      submitBtn.disabled = true;
+      let url = urlField.value;
       urlField.classList.remove('is-invalid', 'is-valid');
 
       if (!url.startsWith('http') || !isValidUrl(url)) {
         urlField.classList.add('is-invalid');
         return;
       }
+
+      url = new URL(url);
+
+      if (url.pathname.length > 1 && !url.pathname.startsWith('/lovelace') && !url.pathname.startsWith('/energy')) {
+        console.log(url.pathname, !url.pathname.startsWith('/lovelace'));
+        urlField.classList.add('is-invalid');
+        return;
+      }
+
       urlField.classList.add('is-valid');
 
-      fetch(`${url}/auth/providers`)
+      fetch(`${url.origin}/auth/providers`)
         .then(response => response.text())
         .then(data => {
           if (!data.includes('homeassistant')) {
             return;
           }
 
-          urlField.disabled = true;
-          document.getElementById('check-wrapper').style.display = 'block';
-          document.getElementById('url-wrapper').style.display = 'none';
-          showCheckmark = true;
-          ipcRenderer.send('ha-instance', url);
+          submitBtn.disabled = false;
         }).catch((_) => {
       });
     }
@@ -141,6 +158,7 @@
         <span class="bar"></span>
         <label for="url">Home Assistant URL</label>
         <div class="invalid-feedback">Please provide a valid url.</div>
+        <button class="pure-material-button-contained" id="submit" onclick="saveInstance()" disabled>Submit</button>
       </div>
     </div>
   </div>