INTENG-22685 - Integration validator protected endpoint bugfix #1269

Open
wants to merge 4 commits into
base: master
from

rob-gioia-branch
Contributor

Reference

INTENG-22685

Description

If a customer is using Advanced Compliance and then runs the Integration Validator code, the Integration Validator will not work. This is because the protected-api endpoint gets used for the requests, and there is no app-settings protected equivalent for that endpoint. Since the Integration Validator code is never released into the wild, but only used for testing, we can safely keep that endpoint going to the regular Branch endpoint, with all other calls like opens, installs, etc. still going through the protected endpoint for Advanced Compliance customers. To address this, I've added a boolean parameter to the getAPIBaseUrl() function, which can take in false in the case of any test code, like the integration validator, so that the regular endpoint (instead of protected-api) is used.

Testing Instructions

Risk Assessment [LOW]

  • I, the PR creator, have tested — integration, unit, or otherwise — this code.

cc @BranchMetrics/saas-sdk-devs for visibility.

… be used for that server request

Added bool to getAPIBaseUrl for whether or not custom endpoint should be used for that server request
Updated call in testbed code with the new parameter
Contributor

matter-code-review bot commented May 21, 2025

Code Quality bug fix

Reference

INTENG-22685 -- Integration validator protected endpoint bugfix.

Description

Summary By MatterAI

🔄 What Changed

  • The PrefHelper.getAPIBaseUrl() method now accepts a boolean useCustom parameter. This parameter controls whether a custom server URL (for Advanced Compliance) should be used.
  • Calls to getAPIBaseUrl() in Branch.java (for short links), ServerRequest.java (general requests), and SettingsActivity.java (UI display) have been updated to pass true for the useCustom parameter, maintaining their original behavior of attempting to use the custom URL if configured.
  • Crucially, ServerRequestGetAppConfig.java (specifically for the integration validator's app config endpoint) now calls getAPIBaseUrl(false). This forces the use of the default Branch API endpoint, bypassing any custom protected API URL.
  • SettingsActivity.java also includes a null check for the currentApiUrl retrieved from PrefHelper before setting it to the apiUrlText EditText, preventing potential NullPointerException.

🔍 Impact of the Change

This change directly addresses a bug where the Integration Validator, when used by customers with Advanced Compliance (who use protected API endpoints), would fail because the validator's app-settings endpoint was incorrectly routed to the protected API. By forcing the Integration Validator's specific requests to the default Branch endpoint, it ensures the validator functions correctly without affecting other SDK calls that should still use the protected endpoint for Advanced Compliance customers. The null check in SettingsActivity improves robustness.

📁 Total Files Changed

5 files changed.

🧪 Test Added

No new dedicated unit or integration tests are explicitly added in the patch. However, the fix is for the Integration Validator, which is a testing tool itself. The expectation is that existing integration validator tests, which previously failed under Advanced Compliance configurations, will now pass successfully due to this change.

🔒Security Vulnerabilities

No new security vulnerabilities are introduced. On the contrary, this change enhances security by ensuring that a specific internal testing endpoint (app-settings for the Integration Validator) correctly uses the default, non-protected API URL, preventing it from inadvertently attempting to access a protected endpoint for which it has no equivalent. This prevents potential misconfigurations or unexpected behavior in a testing context.

Testing Instructions

N/A

Risk Assessment [LOW]

  • I, the PR creator, have tested — integration, unit, or otherwise — this code.

Reviewer Checklist (To be checked off by the reviewer only)

  • JIRA Ticket is referenced in PR title.
  • Correctness & Style
    • Conforms to AOSP Style Guides
    • Mission critical pieces are documented in code and out of code as needed.
  • Unit Tests reviewed and test issue sufficiently.
  • Functionality was reviewed in QA independently by another engineer on the team.

cc @BranchMetrics/saas-sdk-devs for visibility.

Tip

Quality Recommendations

  1. Consider adding a default getAPIBaseUrl() method (without parameters) that internally calls getAPIBaseUrl(true). This would improve backward compatibility and reduce the need to update all existing call sites if true is the most common use case, making the API cleaner.

  2. Ensure that PrefHelper.getAPIBaseUrl() consistently returns a non-null value, perhaps a default URL, even if customServerURL_ is null. While SettingsActivity adds a null check, relying on callers to handle potential null returns from a base URL getter can lead to runtime issues if not universally applied.

Sequence Diagram

sequenceDiagram
    participant SA as SettingsActivity
    participant B as Branch.java
    participant SR as ServerRequest.java
    participant SRGAC as ServerRequestGetAppConfig.java
    participant PH as PrefHelper.java

    SA->>PH: getAPIBaseUrl(true)
    activate PH
    PH-->>SA: currentApiUrl (String)
    deactivate PH
    SA->>SA: Check currentApiUrl for null

    B->>PH: getAPIBaseUrl(true)
    activate PH
    PH-->>B: APIBaseUrl (String)
    deactivate PH

    SR->>PH: getAPIBaseUrl(true)
    activate PH
    PH-->>SR: APIBaseUrl (String)
    deactivate PH

    SRGAC->>PH: getAPIBaseUrl(false)
    activate PH
    PH-->>SRGAC: APIBaseUrl (String)
    deactivate PH

    Note over PH: PrefHelper.getAPIBaseUrl(boolean useCustom)
    Note over PH: IF (useCustom AND URLUtil.isHttpsUrl(customServerURL_))
    Note over PH:   RETURN customServerURL_
    Note over PH: ELSE
    Note over PH:   RETURN default_branch_api_url

Contributor

@matter-code-review matter-code-review bot left a comment

This PR addresses an important bug fix for the integration validator protected endpoint. The implementation looks good overall, with a clear approach to ensure protected endpoints always use the default URL while allowing other endpoints to use custom URLs when appropriate. I have a few suggestions to improve the code:

Comment on lines +242 to +243
public String getAPIBaseUrl(boolean useCustom) {
if (useCustom && URLUtil.isHttpsUrl(customServerURL_)) {
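Review bot: `public String getAPIBaseUrl(boolean useCustom)` exposes the bypass to every caller, so any code that passes `false` skips the configured custom URL. If only the validator's request is meant to do that, consider keeping this overload non-public or giving the default-endpoint path its own clearly named method, and document `useCustom` in the Javadoc so its effect on the condition line is explicit.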
Contributor

🛠️ Code Refactor

Issue: The URL validation is only checking if the URL starts with https, but not validating if it's a properly formatted URL.
Fix: Use additional URL validation to ensure the custom URL is properly formatted.
Impact: Prevents potential issues with malformed URLs that happen to start with https.

Suggested change
public String getAPIBaseUrl(boolean useCustom) {
if (useCustom && URLUtil.isHttpsUrl(customServerURL_)) {
public String getAPIBaseUrl(boolean useCustom) {
if (useCustom && !TextUtils.isEmpty(customServerURL_) && URLUtil.isHttpsUrl(customServerURL_)) {
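Review bot: the added `!TextUtils.isEmpty(customServerURL_)` in the suggested condition does not validate URL format, which is what the comment above asks for; `URLUtil.isHttpsUrl` already returns false for a null or empty string, so the extra term is redundant. If format validation is wanted, parse the value and check for an https scheme and a non-empty host instead.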

Contributor Author

Omitting this change since that is something outside of this PR (pre-existing code not related to the change)

@gdeluna-branch gdeluna-branch requested a review from Copilot May 21, 2025 18:20

@Copilot Copilot AI left a comment

Pull Request Overview

This PR adds a boolean flag to PrefHelper.getAPIBaseUrl() to allow test code (like the integration validator) to bypass the protected endpoint, and updates all callers to pass the appropriate flag value.

  • Change getAPIBaseUrl() signature to accept a boolean for endpoint selection
  • Update validator and core request classes to pass false or true as needed
  • Adjust TestBed settings to use the new method
Comments suppressed due to low confidence (6)

Branch-SDK/src/main/java/io/branch/referral/PrefHelper.java:242

  • [nitpick] Parameter name 'useCustom' is ambiguous; consider renaming it to something more descriptive like 'includeCustomServerUrl' or splitting into two methods (e.g., getDefaultAPIBaseUrl() and getProtectedAPIBaseUrl()).
public String getAPIBaseUrl(boolean useCustom) {

Branch-SDK/src/main/java/io/branch/referral/PrefHelper.java:239

  • Javadoc is missing a @param entry for the new 'useCustom' parameter; please add a description explaining its purpose and effects.
* @return A {@link String} variable containing the hard-coded base URL that the Branch API uses.

Branch-SDK/src/main/java/io/branch/referral/PrefHelper.java:242

  • The new boolean flag introduces branching behavior; consider adding unit tests covering both true and false cases to ensure protected and default endpoints behave as expected.
public String getAPIBaseUrl(boolean useCustom) {

Branch-SDK/src/main/java/io/branch/referral/validators/ServerRequestGetAppConfig.java:46

  • [nitpick] Passing a raw boolean literal ('false') makes the call’s intent unclear; consider providing a named helper method or constant to indicate why the protected endpoint is skipped here.
return prefHelper_.getAPIBaseUrl(false) + getRequestPath() + "/" + prefHelper_.getBranchKey();

Branch-SDK/src/main/java/io/branch/referral/ServerRequest.java:255

  • [nitpick] Using a literal 'true' hides the fact that this call should hit the protected endpoint; consider overloading or renaming for clarity (e.g., getProtectedAPIBaseUrl()).
return prefHelper_.getAPIBaseUrl(true) + requestPath_.getPath();

Branch-SDK/src/main/java/io/branch/referral/Branch.java:1796

  • [nitpick] Literal boolean arguments can be confusing; extracting this into a clearly named method (e.g., getProtectedAPIBaseUrl()) would improve readability.
prefHelper_.getAPIBaseUrl(true) + Defines.RequestPath.GetURL.getPath(),
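
An added sketch, not code from this PR or the Branch SDK, of what the review comments above point toward: named methods in place of a boolean literal, a getter that never returns null, and an https check that parses the URL rather than testing its prefix. The class name, method names and default URL are hypothetical placeholders.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Hypothetical sketch, not Branch SDK code: the class, the method names and
// the default URL are placeholders chosen for illustration.
public class BaseUrlResolver {
    // Placeholder; the real default base URL does not appear on this page.
    static final String DEFAULT_BASE_URL = "https://default-api.example.invalid/";

    private final String customServerUrl; // may be null or malformed

    public BaseUrlResolver(String customServerUrl) {
        this.customServerUrl = customServerUrl;
    }

    /** Regular SDK traffic: the custom (protected) URL when it is a valid https URL. */
    public String getConfiguredBaseUrl() {
        return isValidHttpsUrl(customServerUrl) ? customServerUrl : DEFAULT_BASE_URL;
    }

    /** Test tooling only (package-private): always the default endpoint. */
    String getDefaultBaseUrl() {
        return DEFAULT_BASE_URL;
    }

    /** Stricter than a prefix test: the string must parse and carry a host. */
    static boolean isValidHttpsUrl(String url) {
        if (url == null) return false;
        try {
            URI uri = new URI(url);
            return "https".equalsIgnoreCase(uri.getScheme())
                    && uri.getHost() != null
                    && uri.getUserInfo() == null; // reject https://user@host forms
        } catch (URISyntaxException e) {
            return false; // unparseable input falls back to the default
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; only the last one is accepted as a custom URL.
        String[] samples = {null, "", "https://", "https:///path",
                "http://api.example.test/", "https://user@api.example.test/",
                "https://protected-api.example.test/"};
        for (String s : samples) {
            System.out.println(s + " -> " + new BaseUrlResolver(s).getConfiguredBaseUrl());
        }
    }
}
```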

…equestGetAppConfig.java


Added comment for code clarity

Co-authored-by: matter-code-review[bot] <150888575+matter-code-review[bot]@users.noreply.github.com>
Contributor

Important

PR Review Skipped

PR review skipped as per the configuration setting. Run a manual review by commenting /matter review

…d/SettingsActivity.java


Added null check to prevent NPE

Co-authored-by: matter-code-review[bot] <150888575+matter-code-review[bot]@users.noreply.github.com>