
[PM-25250] Prevent configuration and access of self hosted urls over http (#17095)

* feat: ban urls not using https

* feat: add exception for dev env

* feat: block fetching of insecure URLs

* feat: add exception for dev env

* feat: block notifications from using insecure URL

* fix: bug where submission was possible regardless of error

* feat: add exception for dev env

* fix: missing constructor param
Andreas Coroiu
2025-10-31 08:12:44 +01:00
committed by GitHub
parent 2dd314e992
commit 48fb8b2bfe
11 changed files with 106 additions and 11 deletions


@@ -10,8 +10,10 @@ import { Observable, Subscription } from "rxjs";
import { ApiService } from "../../../abstractions/api.service";
import { NotificationResponse } from "../../../models/response/notification.response";
import { InsecureUrlNotAllowedError } from "../../../services/api-errors";
import { UserId } from "../../../types/guid";
import { LogService } from "../../abstractions/log.service";
import { PlatformUtilsService } from "../../abstractions/platform-utils.service";
// 2 Minutes
const MIN_RECONNECT_TIME = 2 * 60 * 1000;
@@ -69,12 +71,17 @@ export class SignalRConnectionService {
constructor(
private readonly apiService: ApiService,
private readonly logService: LogService,
private readonly platformUtilsService: PlatformUtilsService,
private readonly hubConnectionBuilderFactory: () => HubConnectionBuilder = () =>
new HubConnectionBuilder(),
private readonly timeoutManager: TimeoutManager = globalThis,
) {}
connect$(userId: UserId, notificationsUrl: string) {
if (!notificationsUrl.startsWith("https://") && !this.platformUtilsService.isDev()) {
throw new InsecureUrlNotAllowedError();
}
return new Observable<SignalRNotification>((subsciber) => {
const connection = this.hubConnectionBuilderFactory()
.withUrl(notificationsUrl + "/hub", {