🐛 Throw a proper error on invalid callback scheme

Author: LinusU

lib/flutter_web_auth.dart

@@ -1,4 +1,5 @@
 import 'dart:async';
+import 'dart:core';
 
 import 'package:flutter/cupertino.dart';
 import 'package:flutter/services.dart' show MethodChannel;
@@ -18,6 +19,7 @@ class _OnAppLifecycleResumeObserver extends WidgetsBindingObserver {
 
 class FlutterWebAuth {
   static const MethodChannel _channel = const MethodChannel('flutter_web_auth');
+  static RegExp _schemeRegExp = new RegExp(r"^[a-z][a-z0-9+.-]*$");
 
   static final _OnAppLifecycleResumeObserver _resumedObserver = _OnAppLifecycleResumeObserver(() {
     _cleanUpDanglingCalls(); // unawaited
@@ -30,6 +32,10 @@ class FlutterWebAuth {
   /// [callbackUrlScheme] should be a string specifying the scheme of the url that the page will redirect to upon successful authentication.
   /// [preferEphemeral] if this is specified as `true`, an ephemeral web browser session will be used where possible (`FLAG_ACTIVITY_NO_HISTORY` on Android, `prefersEphemeralWebBrowserSession` on iOS/macOS)
   static Future<String> authenticate({required String url, required String callbackUrlScheme, bool? preferEphemeral}) async {
+    if (!_schemeRegExp.hasMatch(callbackUrlScheme)) {
+      throw ArgumentError.value(callbackUrlScheme, 'callbackUrlScheme', 'must be a valid URL scheme');
+    }
+
     WidgetsBinding.instance.removeObserver(_resumedObserver); // safety measure so we never add this observer twice
     WidgetsBinding.instance.addObserver(_resumedObserver);
     return await _channel.invokeMethod('authenticate', <String, dynamic>{

test/flutter_web_auth_test.dart

@@ -28,4 +28,11 @@ void main() {
       'https://example.com/success',
     );
   });
+
+  test('invalid scheme', () async {
+    await expectLater(
+      FlutterWebAuth.authenticate(url: 'https://example.com/login', callbackUrlScheme: 'foobar://test'),
+      throwsA(isA<ArgumentError>()),
+    );
+  });
 }