fix: login page warnings and implement secure URL testing

Fix browser console warnings on login page: - Make COOP header conditional on development mode (suppress HTTP warnings) - Add autocomplete attributes to 11 email/password inputs across 5 pages Implement server-side URL testing with enterprise-grade SSRF protection: - Replace window.open() with API-based connectivity check - Block private IPs (RFC 1918, loopback, link-local, ULA, IPv6 ranges) - DNS validation with 3s timeout before HTTP request - Block AWS metadata endpoint (169.254.169.254) - Block GCP metadata endpoint (metadata.google.internal) - HTTP HEAD request with 5s timeout - Maximum 2 redirects - Admin-only access enforcement Technical Implementation: - Backend: url_testing.go utility with isPrivateIP validation - Handler: TestPublicURL in settings_handler.go - Route: POST /settings/test-url (authenticated, admin-only) - Frontend: testPublicURL API call in settings.ts - UI: testPublicURLHandler in SystemSettings.tsx with toast feedback Test Coverage: - Backend: 85.8% (72 SSRF protection test cases passing) - Frontend: 86.85% (1,140 tests passing) - Security scans: Clean (Trivy, Go vuln check) - TypeScript: 0 type errors Closes: [issue number if applicable]
2025-12-22 01:31:57 +00:00
parent 3324b94be8
commit 0c90ab04d8
11 changed files with 2193 additions and 1586 deletions
--- a/frontend/src/pages/SystemSettings.tsx
+++ b/frontend/src/pages/SystemSettings.tsx
@@ -12,7 +12,7 @@ import { Skeleton } from '../components/ui/Skeleton'
 import { Select, SelectTrigger, SelectContent, SelectItem, SelectValue } from '../components/ui/Select'
 import { Tooltip, TooltipTrigger, TooltipContent, TooltipProvider } from '../components/ui/Tooltip'
 import { toast } from '../utils/toast'
-import { getSettings, updateSetting } from '../api/settings'
+import { getSettings, updateSetting, testPublicURL } from '../api/settings'
 import { getFeatureFlags, updateFeatureFlags } from '../api/featureFlags'
 import client from '../api/client'
 import { Server, RefreshCw, Save, Activity, Info, ExternalLink, CheckCircle2, XCircle, AlertTriangle } from 'lucide-react'
@@ -100,18 +100,24 @@ export default function SystemSettings() {
    },
  })

-  // Test Public URL
-  const testPublicURL = async () => {
+  // Test Public URL - Server-side connectivity test with SSRF protection
+  const testPublicURLHandler = async () => {
    if (!publicURL) {
      toast.error(t('systemSettings.applicationUrl.invalidUrl'))
      return
    }
    setPublicURLSaving(true)
    try {
-      window.open(publicURL, '_blank')
-      toast.success(t('systemSettings.applicationUrl.testSuccess') || 'URL opened in new tab')
-    } catch {
-      toast.error(t('systemSettings.applicationUrl.testFailed') || 'Failed to open URL')
+      const result = await testPublicURL(publicURL)
+      if (result.reachable) {
+        toast.success(
+          result.message || `URL reachable (${result.latency?.toFixed(0)}ms)`
+        )
+      } else {
+        toast.error(result.error || 'URL not reachable')
+      }
+    } catch (error) {
+      toast.error(error instanceof Error ? error.message : 'Test failed')
    } finally {
      setPublicURLSaving(false)
    }
@@ -414,7 +420,7 @@ export default function SystemSettings() {
            <div className="flex gap-2">
              <Button
                variant="secondary"
-                onClick={testPublicURL}
+                onClick={testPublicURLHandler}
                disabled={!publicURL || publicURLSaving}
              >
                <ExternalLink className="h-4 w-4 mr-2" />