Harden auth and outbound admin surfaces

backend/app/routers/admin.py

@@ -20,6 +20,7 @@ from ..auth import (
     resolve_user_auth_provider,
 )
 from ..config import settings as env_settings
+from ..network_security import validate_notification_target_url
 from ..db import (
     delete_setting,
     get_all_users,
@@ -153,6 +154,12 @@ URL_SETTING_KEYS = {
     "qbittorrent_base_url",
 }
 
+NOTIFICATION_URL_SETTING_KEYS = {
+    "magent_notify_discord_webhook_url",
+    "magent_notify_push_base_url",
+    "magent_notify_webhook_url",
+}
+
 SETTING_KEYS: List[str] = [
     "magent_application_url",
     "magent_application_port",
@@ -659,6 +666,12 @@ async def update_settings(payload: Dict[str, Any]) -> Dict[str, Any]:
             except ValueError as exc:
                 friendly_key = key.replace("_", " ")
                 raise HTTPException(status_code=400, detail=f"{friendly_key}: {exc}") from exc
+        if key in NOTIFICATION_URL_SETTING_KEYS and value_to_store:
+            try:
+                value_to_store = validate_notification_target_url(value_to_store)
+            except ValueError as exc:
+                friendly_key = key.replace("_", " ")
+                raise HTTPException(status_code=400, detail=f"{friendly_key}: {exc}") from exc
         set_setting(key, value_to_store)
         updates += 1
         changed_keys.append(key)