feat: WebView OPEN_EXTERNAL_URL 메시지 핸들러 추가

[seongwon030]

WebView OPEN_EXTERNAL_URL 메시지 핸들러 누락 트러블슈팅

Summary by CodeRabbit

새로운 기능

• 웹뷰에서 외부 URL을 기본 브라우저로 열 수 있는 기능이 추가되었습니다.

[coderabbitai]

개요

WebView 메시지 프로토콜에 외부 URL을 열기 위한 새 메시지 타입 OPEN_EXTERNAL_URL을 추가하고, 이 메시지를 처리하는 핸들러 로직을 구현합니다. react-native의 Linking API를 사용하여 URL을 네이티브 앱으로 열도록 위임합니다.

변경 사항

웹뷰 메시지 프로토콜 확장

계층 / 파일(s)	요약
메시지 타입 정의 types/webview-message.types.ts	WebViewMessageTypes에 OPEN_EXTERNAL_URL 상수 추가하고, WebViewMessage discriminated union에 { type: 'OPEN_EXTERNAL_URL'; payload: { url: string } } 변형 추가
메시지 핸들러 구현 hooks/use-webview-message-handler.ts	react-native의 Linking API를 import하고, 메시지 핸들러의 switch문에 OPEN_EXTERNAL_URL 케이스 추가하여 Linking.openURL(url) 호출 및 오류 처리

예상 코드 리뷰 난이도

🎯 2 (Simple) | ⏱️ ~10분

관련된 가능성 있는 PR

• Moadong/moadong-react-native#5: 동일한 WebView 메시징 계층에서 SHARE 메시지 타입과 핸들러 추가 변경과 직접 연관
• Moadong/moadong-react-native#15: HomeWebViewScreen에서 OPEN_EXTERNAL_URL 메시지를 실제로 발송하는 구현과 보완 관계
• Moadong/moadong-react-native#4: WebView 메시지 브리지의 WebViewMessage 타입과 핸들러 확장의 후속 변경

제안된 검수자

• SeongHoonC

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	Pull request 제목이 변경 사항의 주요 목적을 명확하게 설명합니다. WebView의 OPEN_EXTERNAL_URL 메시지 핸들러 추가라는 핵심 변경 사항을 직접적으로 반영하고 있습니다.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/open-external-url-handler

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hooks/use-webview-message-handler.ts`:
- Around line 49-57: WebView에서 받은 URL을 검증 없이 Linking.openURL에 전달하고
있으니(WebViewMessageTypes.OPEN_EXTERNAL_URL 케이스, message.payload.url), 허용 스킴(예:
http/https)만 통과시키고 안전하게 열도록 수정하세요: URL 문자열에서 스킴을 파싱해 허용 목록에 있는지 확인하고, 허용될 때만
Linking.canOpenURL(url)로 열 수 있는지 검사한 뒤 Linking.openURL(url)을 호출하며, 그렇지 않으면
경고/오류를 로깅해 차단하도록 구현합니다.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9a143d25-d1de-4e5e-97e6-8503647876fb

📥 Commits

Reviewing files that changed from the base of the PR and between 263febf and 7b99452.

📒 Files selected for processing (2)

• hooks/use-webview-message-handler.ts
• types/webview-message.types.ts

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

fd -t f "use-webview-message-handler.ts" --type f

Repository: Moadong/moadong-react-native

Length of output: 109

---

🏁 Script executed:

cat -n hooks/use-webview-message-handler.ts

Repository: Moadong/moadong-react-native

Length of output: 2695

---

🏁 Script executed:

head -80 hooks/use-webview-message-handler.ts | cat -n

Repository: Moadong/moadong-react-native

Length of output: 2695

---

🏁 Script executed:

rg -t ts "WebViewMessageTypes" --max-count 5 -A 3

Repository: Moadong/moadong-react-native

Length of output: 1846

---

🏁 Script executed:

find . -type f -name "*webview*" | grep -E "\.(ts|tsx)$"

Repository: Moadong/moadong-react-native

Length of output: 358

---

🏁 Script executed:

cat -n types/webview-message.types.ts

Repository: Moadong/moadong-react-native

Length of output: 1041

---

🏁 Script executed:

cat -n ui/home/home-webview-screen.tsx | head -100

Repository: Moadong/moadong-react-native

Length of output: 4522

---

🏁 Script executed:

rg "useWebViewMessageHandler" --type ts --type tsx

Repository: Moadong/moadong-react-native

Length of output: 100

---

🏁 Script executed:

rg "Linking.openURL" --type ts --type tsx -B 3 -A 3

Repository: Moadong/moadong-react-native

Length of output: 100

---

🏁 Script executed:

rg "useWebViewMessageHandler" -A 5 -B 5

Repository: Moadong/moadong-react-native

Length of output: 4194

---

🏁 Script executed:

rg "Linking.openURL" -A 3 -B 3

Repository: Moadong/moadong-react-native

Length of output: 1372

---

WebView에서 전달된 URL을 스킴 검증 없이 바로 여는 것은 보안 위험입니다.

49~56줄에서 WebView payload의 URL을 검증 없이 Linking.openURL()에 전달하고 있어, 의도치 않은 커스텀 스킴(예: tel:, mailto: 등) 실행 위험이 있습니다. 허용 스킴 제한(예: https/http)과 Linking.canOpenURL() 확인 후 열도록 수정해주세요.

수정 예시

         case WebViewMessageTypes.OPEN_EXTERNAL_URL: {
-          const { url } = message.payload;
-          if (url) {
-            Linking.openURL(url).catch(err =>
-              console.error('[WebViewHandler] URL 열기 실패:', err)
-            );
-          }
+          const url = message.payload?.url;
+          if (!url) break;
+
+          try {
+            const parsed = new URL(url);
+            const allowedProtocols = new Set(['https:', 'http:']);
+            if (!allowedProtocols.has(parsed.protocol)) {
+              console.warn('[WebViewHandler] 허용되지 않은 URL 스킴:', parsed.protocol);
+              break;
+            }
+
+            Linking.canOpenURL(parsed.toString())
+              .then(canOpen => {
+                if (!canOpen) {
+                  console.warn('[WebViewHandler] 열 수 없는 URL:', parsed.toString());
+                  return;
+                }
+                return Linking.openURL(parsed.toString());
+              })
+              .catch(err => console.error('[WebViewHandler] URL 열기 실패:', err));
+          } catch {
+            console.warn('[WebViewHandler] 유효하지 않은 URL:', url);
+          }
           break;
         }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	case WebViewMessageTypes.OPEN_EXTERNAL_URL: {
	const { url } = message.payload;
	if (url) {
	Linking.openURL(url).catch(err =>
	console.error('[WebViewHandler] URL 열기 실패:', err)
	);
	}
	break;
	}
	case WebViewMessageTypes.OPEN_EXTERNAL_URL: {
	const url = message.payload?.url;
	if (!url) break;
	try {
	const parsed = new URL(url);
	const allowedProtocols = new Set(['https:', 'http:']);
	if (!allowedProtocols.has(parsed.protocol)) {
	console.warn('[WebViewHandler] 허용되지 않은 URL 스킴:', parsed.protocol);
	break;
	}
	Linking.canOpenURL(parsed.toString())
	.then(canOpen => {
	if (!canOpen) {
	console.warn('[WebViewHandler] 열 수 없는 URL:', parsed.toString());
	return;
	}
	return Linking.openURL(parsed.toString());
	})
	.catch(err => console.error('[WebViewHandler] URL 열기 실패:', err));
	} catch {
	console.warn('[WebViewHandler] 유효하지 않은 URL:', url);
	}
	break;
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hooks/use-webview-message-handler.ts` around lines 49 - 57, WebView에서 받은 URL을
검증 없이 Linking.openURL에 전달하고 있으니(WebViewMessageTypes.OPEN_EXTERNAL_URL 케이스,
message.payload.url), 허용 스킴(예: http/https)만 통과시키고 안전하게 열도록 수정하세요: URL 문자열에서 스킴을
파싱해 허용 목록에 있는지 확인하고, 허용될 때만 Linking.canOpenURL(url)로 열 수 있는지 검사한 뒤
Linking.openURL(url)을 호출하며, 그렇지 않으면 경고/오류를 로깅해 차단하도록 구현합니다.