Use internal Url struct in favor of url::Url to minimize the url dep in payjoin

[benalleng]

Closes #1124

This adds the internal Url Struct to no longer depend on the url crate directly for it.

However we still have reqwest inside payjoin url from payjoin-directory and test-utils which pull in the url dep, but that is only available on the io feature.

I have also added a fuzz target, which already helped me better shape the parse function better.

I have only ran the fuzzer for a limited amount of time however and some more cpu hours might be helpful

Claude really helped me get through the brunt of this.

You can test the lack of an accessible url dep not including the io feature with this command.

cargo tree -p payjoin --no-default-features --features v1,v2,directory,_manual-tls,_test-utils -e no-dev,no-build -i url

Pull Request Checklist

Please confirm the following before requesting review:

• I have disclosed my use of
  AI
  in the body of this PR.
• I have read CONTRIBUTING.md and rebased my branch to produce hygienic commits.

[coveralls]

Coverage Report for CI Build 24569919310

Coverage increased (+0.4%) to 84.801%

Details

• Coverage increased (+0.4%) from the base build.
• Patch coverage: 20 uncovered changes across 8 files (477 of 497 lines covered, 95.98%).
• 2 coverage regressions across 2 files.

Uncovered Changes

File	Changed	Covered	%
payjoin/src/core/url.rs	436	428	98.17%
payjoin-cli/src/app/v1.rs	5	1	20.0%
payjoin-cli/src/app/config.rs	6	4	66.67%
payjoin/src/core/io.rs	3	1	33.33%
payjoin-cli/src/app/v2/ohttp.rs	6	5	83.33%
payjoin/src/core/ohttp.rs	4	3	75.0%
payjoin/src/core/receive/error.rs	1	0	0.0%
payjoin/src/core/receive/optional_parameters.rs	11	10	90.91%

Coverage Regressions

2 previously-covered lines in 2 files lost coverage.

File	Lines Losing Coverage	Coverage
payjoin-cli/src/app/v1.rs	1	68.46%
payjoin/src/core/into_url.rs	1	96.23%

---

Coverage Stats

Relevant Lines:	13211
Covered Lines:	11203
Line Coverage:	84.8%
Coverage Strength:	405.31 hits per line

---

💛 - Coveralls

[DanGould]

We can edit the spec to say "the host component of any URL in a BIP77 message MUST be an ASCII LDH (Letters, Digits, Hyphens) plus dots: [a-zA-Z0-9.-] hostname or an IPv4 address literal" to kill IDNA once and for all. For the full URL, we restrict the character set to RFC 3986 unreserved plus the structural delimiters we actually need (:/, ?, #, @). Reject any byte outside printable ASCII (0x21–0x7E) that isn't percent-encoded.

There's a specific URL fuzzer we might consider here: https://github.com/orangetw/Tiny-URL-Fuzzer https://github.com/orangetw/Tiny-URL-Fuzzer/blob/master/samples.txt could also test against

https://payjo.in\@evil.com/path
https://payjo.in%40evil.com/path
https://payjo.in#\@evil.com
https://payjo.in/../evil.com
https://payjo.in/%2e%2e/evil.com
https://evil.com:443@payjo.in/
https://payjo.in%00.evil.com/path
https://payjo.in:@evil.com/

not that these are reall attacks but just so we knwo we parse the same as url for stuff we could actually encounter. Low prio but I wanted to document.

[DanGould]

note to self that this is removed by the time the PR's last commit comes around.

[benalleng]

Do we want support for ipv4 or ipv6 hosts in payjoin::Url if not we can just keep Host::Domain.

[DanGould]

I think for testing especially this is still useful. What do you think?

[DanGould]

Tnull says "Def. no huge blocker if there is a path to dropping it!" but this seems pretty darn close so I'd like to close it out to keep the prs flowing

[xstoicunicornx]

Have a bit of feedback.

One other thing, seems like we are replicating the url::form_urlencoded::parse method in two different places so maybe its worth creating a native implementation of this in url.rs?

[xstoicunicornx]

Maybe just use ParseError::InvalidScheme instead, as this is more consistent with how parse_port errors are handled

[xstoicunicornx]

This is a bit confusing to follow why not just:

Suggested change

	let mut path = String::new();
	let mut query: Option<String> = None;
	let mut fragment: Option<String> = None;
	if let Some(frag_pos) = input.find('#') {
	let before_fragment = &input[..frag_pos];
	fragment = Some(input[frag_pos + 1..].to_string());
	if let Some(q_pos) = before_fragment.find('?') {
	path.push_str(&before_fragment[..q_pos]);
	query = Some(before_fragment[q_pos + 1..].to_string());
	} else {
	path.push_str(before_fragment);
	}
	} else if let Some(q_pos) = input.find('?') {
	path.push_str(&input[..q_pos]);
	query = Some(input[q_pos + 1..].to_string());
	} else {
	path.push_str(input);
	}
	let (before_fragment, fragment) = match input.find('#') {
	Some(pos) => (&input[..pos], Some(input[pos + 1..].to_string())),
	None => (&input[..], None),
	};
	let (path, query) = match before_fragment.find('?') {
	Some(pos) =>
	(before_fragment[..pos].to_string(), Some(before_fragment[pos + 1..].to_string())),
	None => (before_fragment.to_string(), None),
	};

[xstoicunicornx]

Wouldn't it make more sense for these parsing errors to be caught in parse_host (would also be more consistent with the other parsing functions)?

Also, if we are erroring for ParseError::EmptyHost why does the host need to be an Option<Host> rather than just Host? This validation seems to ensure that the host will always exist. Not using an Option<Host> would also eliminate the need for has_host.

[benalleng]

Good point, this simplifies the logic and any mutants created from host quite a bit