[PM-25250] Prevent configuration and access of self hosted urls over http (#17095)

* feat: ban urls not using https * feat: add exception for dev env * feat: block fetching of insecure URLs * feat: add exception for dev env * feat: block notifications from using insecure URL * fix: bug where submission was possible regardless of error * feat: add exception for dev env * fix: missing constructor param
2026-01-03 17:13:47 +00:00 · 2025-10-31 08:12:44 +01:00
parent 2dd314e992
commit 48fb8b2bfe
11 changed files with 106 additions and 11 deletions
--- a/libs/common/src/auth/services/anonymous-hub.service.ts
+++ b/libs/common/src/auth/services/anonymous-hub.service.ts
@@ -18,6 +18,8 @@ import {
  NotificationResponse,
 } from "../../models/response/notification.response";
 import { EnvironmentService } from "../../platform/abstractions/environment.service";
+import { PlatformUtilsService } from "../../platform/abstractions/platform-utils.service";
+import { InsecureUrlNotAllowedError } from "../../services/api-errors";
 import { AnonymousHubService as AnonymousHubServiceAbstraction } from "../abstractions/anonymous-hub.service";

 export class AnonymousHubService implements AnonymousHubServiceAbstraction {
@@ -27,10 +29,14 @@ export class AnonymousHubService implements AnonymousHubServiceAbstraction {
  constructor(
    private environmentService: EnvironmentService,
    private authRequestService: AuthRequestServiceAbstraction,
+    private platformUtilsService: PlatformUtilsService,
  ) {}

  async createHubConnection(token: string) {
    this.url = (await firstValueFrom(this.environmentService.environment$)).getNotificationsUrl();
+    if (!this.url.startsWith("https://") && !this.platformUtilsService.isDev()) {
+      throw new InsecureUrlNotAllowedError();
+    }

    this.anonHubConnection = new HubConnectionBuilder()
      .withUrl(this.url + "/anonymous-hub?Token=" + token, {