
Validate the NEXT_PUBLIC_STABLEROUTE_API_BASE environment variable at startup #21

Description

@mikewheeleer

Harden API base configuration with explicit env validation

Description

Both src/lib/apiClient.ts and src/app/quote/page.tsx read process.env.NEXT_PUBLIC_STABLEROUTE_API_BASE and silently fall back to http://localhost:3001. A typo or missing prod value ships a build that quietly points at localhost, and an http:// value downgrades transport in production. This issue centralizes and validates the API base.

Requirements and context

  • Repository scope: StableRoute-Org/Stableroute-frontend only.
  • Create src/lib/env.ts that reads, trims, and validates the API base (must be a valid absolute URL; warn or throw if http: is used outside development).
  • Re-export the validated base and have apiClient.ts and quote/page.tsx consume it instead of reading process.env directly.
  • Add an .env.example documenting NEXT_PUBLIC_STABLEROUTE_API_BASE with a safe placeholder.
  • Fail loudly in production builds when the value is missing/invalid, but keep the localhost dev fallback.

Suggested execution

  • Fork the repo and create a branch
  • git checkout -b security/config-21-env-validation
  • Implement changes
  • Test and commit

Test and commit

  • Run npm run lint, npm test, and npm run build.
  • Cover edge cases: missing var, valid https, http in dev vs prod, and trailing-slash normalization.
  • Include the full npm test output in the PR description.

Example commit message

security: centralize and validate NEXT_PUBLIC_STABLEROUTE_API_BASE

Guidelines

  • Minimum 95 percent test coverage for impacted modules.
  • Clear, reviewer-focused documentation.
  • Timeframe: 96 hours.

Community & contribution rewards

  • 💬 Join the StableRoute community on Discord for questions, reviews, and faster merges: https://discord.gg/37aCpusvx
  • ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.
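
One way the `src/lib/env.ts` validation described under "Requirements and context" could look, as an added TypeScript example that is not part of the original issue or the StableRoute code base. The name `resolveApiBase`, its two-argument signature, the choice to throw rather than warn on `http:` outside development, and the rejection of credentials, query strings and fragments are assumptions.

```typescript
// Sketch of src/lib/env.ts (added example; names other than the env var are assumptions).
const DEV_FALLBACK = "http://localhost:3001"; // fallback named in the issue

function resolveApiBase(
  raw: string | undefined,
  nodeEnv: string | undefined,
): string {
  const isDev = nodeEnv === "development";
  const isProd = nodeEnv === "production";
  const value = (raw ?? "").trim();

  if (value === "") {
    // Missing value: fail the production build, keep the dev fallback.
    if (isProd) {
      throw new Error("NEXT_PUBLIC_STABLEROUTE_API_BASE is required in production");
    }
    return DEV_FALLBACK;
  }

  let url: URL;
  try {
    url = new URL(value); // throws on relative or malformed input
  } catch {
    throw new Error(`NEXT_PUBLIC_STABLEROUTE_API_BASE is not an absolute URL: "${value}"`);
  }

  // "localhost:3001" parses with scheme "localhost:", so check the scheme explicitly.
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new Error(`Unsupported scheme "${url.protocol}" in API base`);
  }
  if (url.protocol === "http:" && !isDev) {
    throw new Error("API base must use https: outside development");
  }
  // Assumption: credentials, query strings and fragments have no place in a base URL.
  if (url.username || url.password || url.search || url.hash) {
    throw new Error("API base must not contain credentials, query or fragment");
  }

  // Trailing-slash normalization so callers can append "/path" safely.
  return (url.origin + url.pathname).replace(/\/+$/, "");
}

// In env.ts the validated value would be computed once at module load, e.g.:
// export const API_BASE = resolveApiBase(
//   process.env.NEXT_PUBLIC_STABLEROUTE_API_BASE, process.env.NODE_ENV);
```

Taking the raw value and `NODE_ENV` as arguments keeps the validator free of `process.env` reads, so each edge case listed under "Test and commit" can be exercised without mutating the environment.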
