Harden auth and outbound admin surfaces

backend/tests/test_backend_quality.py

@@ -8,6 +8,7 @@ from starlette.requests import Request
 
 from backend.app import db
 from backend.app.config import settings
+from backend.app.network_security import request_trusts_forwarded_headers, validate_notification_target_url
 from backend.app.routers import auth as auth_router
 from backend.app.routers import portal as portal_router
 from backend.app.security import PASSWORD_POLICY_MESSAGE, validate_password_policy
@@ -72,6 +73,27 @@ class PasswordPolicyTests(unittest.TestCase):
         self.assertEqual(validate_password_policy("  password123  "), "password123")
 
 
+class NetworkSecurityTests(unittest.TestCase):
+    def test_notification_targets_reject_loopback(self) -> None:
+        with self.assertRaisesRegex(ValueError, "Private or local notification targets are not allowed."):
+            validate_notification_target_url("http://127.0.0.1:8080/webhook")
+
+    def test_forwarded_headers_require_trusted_proxy(self) -> None:
+        original_enabled = settings.magent_proxy_enabled
+        original_trust = settings.magent_proxy_trust_forwarded_headers
+        original_proxies = settings.magent_proxy_trusted_proxies
+        settings.magent_proxy_enabled = True
+        settings.magent_proxy_trust_forwarded_headers = True
+        settings.magent_proxy_trusted_proxies = "127.0.0.1,::1"
+        try:
+            self.assertTrue(request_trusts_forwarded_headers("127.0.0.1"))
+            self.assertFalse(request_trusts_forwarded_headers("203.0.113.10"))
+        finally:
+            settings.magent_proxy_enabled = original_enabled
+            settings.magent_proxy_trust_forwarded_headers = original_trust
+            settings.magent_proxy_trusted_proxies = original_proxies
+
+
 class DatabaseEmailTests(TempDatabaseMixin, unittest.TestCase):
     def test_set_user_email_is_case_insensitive(self) -> None:
         created = db.create_user_if_missing(