Harden auth and outbound admin surfaces

backend/app/services/notifications.py

@@ -8,6 +8,7 @@ import httpx
 
 from ..config import settings as env_settings
 from ..db import get_setting
+from ..network_security import validate_notification_target_url
 from ..runtime import get_runtime_settings
 from .invite_email import send_generic_email
 
@@ -49,6 +50,7 @@ def _portal_item_url(item_id: int) -> str:
 
 
 async def _http_post_json(url: str, payload: Dict[str, Any]) -> Dict[str, Any]:
+    validate_notification_target_url(url)
     async with httpx.AsyncClient(timeout=12.0) as client:
         response = await client.post(url, json=payload)
         response.raise_for_status()
@@ -115,6 +117,7 @@ async def _send_push(title: str, message: str, payload: Dict[str, Any]) -> Dict[
     if provider == "ntfy":
         if not base_url or not topic:
             return {"status": "skipped", "detail": "ntfy needs base URL and topic."}
+        validate_notification_target_url(base_url)
         url = f"{base_url.rstrip('/')}/{quote(topic)}"
         headers = {"Title": title, "Tags": "magent,portal"}
         async with httpx.AsyncClient(timeout=12.0) as client:
@@ -124,6 +127,7 @@ async def _send_push(title: str, message: str, payload: Dict[str, Any]) -> Dict[
     if provider == "gotify":
         if not base_url or not token:
             return {"status": "skipped", "detail": "Gotify needs base URL and token."}
+        validate_notification_target_url(base_url)
         url = f"{base_url.rstrip('/')}/message?token={quote(token)}"
         body = {"title": title, "message": message, "priority": 5, "extras": {"client::display": {"contentType": "text/plain"}}}
         result = await _http_post_json(url, body)