app-expo/plugins/withIosInsecureHttp.js

// @ts-check
/**
 * Allow HTTP / WS to staging API host via App Transport Security exception.
 *
 * Enabled when EXPO_PUBLIC_API_URL uses http:// (same rule as Android cleartext).
 * Host is parsed from the URL so IP:port staging endpoints work without hard-coding.
 */
const { withInfoPlist } = require('@expo/config-plugins');

/**
 * @returns {string | null}
 */
function getHttpExceptionHost() {
  const raw = process.env.EXPO_PUBLIC_API_URL ?? '';
  if (!raw.startsWith('http://')) {
    return null;
  }
  try {
    return new URL(raw).hostname;
  } catch {
    return null;
  }
}

/**
 * @param {import('expo/config').ExpoConfig} config
 * @param {{ enabled?: boolean }} props
 */
function withIosInsecureHttp(config, props = {}) {
  const enabled = props.enabled ?? false;

  return withInfoPlist(config, (mod) => {
    if (!enabled) {
      return mod;
    }

    const host = getHttpExceptionHost();
    if (!host) {
      console.warn(
        '[withIosInsecureHttp] enabled but EXPO_PUBLIC_API_URL has no http host; skipping ATS exception.',
      );
      return mod;
    }

    const existing = mod.modResults.NSAppTransportSecurity ?? {};
    const existingDomains = existing.NSExceptionDomains ?? {};

    mod.modResults.NSAppTransportSecurity = {
      ...existing,
      NSExceptionDomains: {
        ...existingDomains,
        [host]: {
          NSExceptionAllowsInsecureHTTPLoads: true,
          NSIncludesSubdomains: true,
        },
      },
    };

    return mod;
  });
}

module.exports = withIosInsecureHttp;
feat(app-expo): env variants, local iOS prebuild, and About diagnostics Align staging/production builds with APP_VARIANT bundle IDs, allow staging HTTP on iOS, add ios-prebuild scripts for TestFlight, and show connected API URL on About for non-production builds. Co-authored-by: Cursor <cursoragent@cursor.com> 2026-05-19 15:43:16 +08:00			`// @ts-check`
			`/**`
			`* Allow HTTP / WS to staging API host via App Transport Security exception.`
			`*`
			`* Enabled when EXPO_PUBLIC_API_URL uses http:// (same rule as Android cleartext).`
			`* Host is parsed from the URL so IP:port staging endpoints work without hard-coding.`
			`*/`
			`const { withInfoPlist } = require('@expo/config-plugins');`

			`/**`
			`* @returns {string \| null}`
			`*/`
			`function getHttpExceptionHost() {`
			`const raw = process.env.EXPO_PUBLIC_API_URL ?? '';`
			`if (!raw.startsWith('http://')) {`
			`return null;`
			`}`
			`try {`
			`return new URL(raw).hostname;`
			`} catch {`
			`return null;`
			`}`
			`}`

			`/**`
			`* @param {import('expo/config').ExpoConfig} config`
			`* @param {{ enabled?: boolean }} props`
			`*/`
			`function withIosInsecureHttp(config, props = {}) {`
			`const enabled = props.enabled ?? false;`

			`return withInfoPlist(config, (mod) => {`
			`if (!enabled) {`
			`return mod;`
			`}`

			`const host = getHttpExceptionHost();`
			`if (!host) {`
			`console.warn(`
			`'[withIosInsecureHttp] enabled but EXPO_PUBLIC_API_URL has no http host; skipping ATS exception.',`
			`);`
			`return mod;`
			`}`

			`const existing = mod.modResults.NSAppTransportSecurity ?? {};`
			`const existingDomains = existing.NSExceptionDomains ?? {};`

			`mod.modResults.NSAppTransportSecurity = {`
			`...existing,`
			`NSExceptionDomains: {`
			`...existingDomains,`
			`[host]: {`
			`NSExceptionAllowsInsecureHTTPLoads: true,`
			`NSIncludesSubdomains: true,`
			`},`
			`},`
			`};`

			`return mod;`
			`});`
			`}`

			`module.exports = withIosInsecureHttp;`