Improve domain validation error message with actionable guidance

[Linker44]

Summary

• Updates the domain validation ValueError to include actionable guidance for customers
• Error now suggests contacting Ethyca support and mentions FIDES__SECURITY__DISABLE_DOMAIN_VALIDATION=true as a temporary workaround
• Addresses the upgrade scenario where a customer has a previously-configured domain that becomes invalid under new enforcement

Test plan

• All 16 TestSaaSConnectionSecretsDomainValidation tests pass
• All test_authenticated_client domain tests pass
• Error message substring matches in existing tests still work (no test changes needed)

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes
  • Domain validation error messages updated to provide clearer guidance to users.
  • Messages now include instructions for temporarily disabling domain validation via an environment variable, while validation behavior remains unchanged.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
fides-plus-nightly	Ignored	Preview	Mar 6, 2026 7:35pm
fides-privacy-center	Ignored		Mar 6, 2026 7:35pm

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dc5f60bb-b6dc-4932-b7de-e25bd50a5c32

📥 Commits

Reviewing files that changed from the base of the PR and between 66dba20 and c77fdcb.

📒 Files selected for processing (1)

• src/fides/api/util/domain_util.py

🚧 Files skipped from review as they are similar to previous changes (1)

• src/fides/api/util/domain_util.py

---

📝 Walkthrough

Walkthrough

Updated ValueError message in domain validation utility to append guidance on temporarily disabling domain validation via the FIDES__SECURITY__DISABLE_DOMAIN_VALIDATION environment variable; no control-flow or validation logic changes.

Changes

Cohort / File(s)	Summary
Domain Validation Error Message src/fides/api/util/domain_util.py	ValueError message updated to append instructions about temporarily disabling domain validation using the FIDES__SECURITY__DISABLE_DOMAIN_VALIDATION environment variable. No logic changes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

• Vagoasdf

Suggested labels

run unsafe ci checks

Poem

🐇 I hopped through code with nimble cheer,
A note was added, calm and clear,
"Disable the check" for a moment's grace,
A tiny flag to ease the pace,
From this rabbit — a helpful trace.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description provides a clear summary and test plan but lacks compliance with the required template structure and sections.	Restructure the description to follow the template with sections: Ticket, Description Of Changes, Code Changes, Steps to Confirm, and Pre-Merge Checklist with required items.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main change: improving the domain validation error message by adding actionable guidance for users.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch improve-domain-validation-error-message

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR improves the domain validation error message in src/fides/api/util/domain_util.py by adding actionable guidance: a prompt to contact Ethyca support to have a domain added, and the FIDES__SECURITY__DISABLE_DOMAIN_VALIDATION=true environment variable as a temporary workaround. This directly addresses the upgrade scenario where a previously-valid domain becomes rejected under new enforcement, giving operators a clear path forward instead of a bare "not in allowed list" error.

The change is minimal and correctly scoped — only the error message text is modified, with no logic changes. The environment variable name is embedded as a magic string; extracting it to a named constant would prevent silent staleness if the variable name ever changes, since the same string is already referenced elsewhere in security_settings.py.

Confidence Score: 4/5

• Safe to merge — only the error message text is changed, with no impact on validation logic or security behavior.
• The change is a single-function error message update with no logic, schema, or security behavior changes. Existing tests continue to pass. The one identified style concern (magic string for env var name) is minor and doesn't block the PR from merging.
• No files require special attention.

_{Last reviewed commit: b132662}

[RobertKeyser]

This is only half-related to this PR but just throwing it out there in a public thread:

now that we've changed our approach from being allowed_domains to allowed_values, 2 things regarding FIDES__SECURITY__DISABLE_DOMAIN_VALIDATION

1. Does that env var also affect non-domain ones should we add them?
2. Depending on the answer above, should we change the name of FIDES__SECURITY__DISABLE_DOMAIN_VALIDATION?

[Linker44]

This is only half-related to this PR but just throwing it out there in a public thread:

now that we've changed our approach from being allowed_domains to allowed_values, 2 things regarding FIDES__SECURITY__DISABLE_DOMAIN_VALIDATION

1. Does that env var also affect non-domain ones should we add them?
2. Depending on the answer above, should we change the name of FIDES__SECURITY__DISABLE_DOMAIN_VALIDATION?

1. nope it just affects domain validation specifically. Those params that are of type endpoint and have allowed_values
2. answered by 1