apply security audit

frontend/src/utils/config.ts

@@ -1,7 +1,18 @@
+const apiUrl: string = import.meta.env.VITE_API_URL;
+const authentikUrl: string = import.meta.env.AUTHENTIK_URL || 'https://auth.firesuite.feuerwehr-rems.at';
+const clientId: string = import.meta.env.AUTHENTIK_CLIENT_ID;
+
+if (!apiUrl) {
+  console.error('Missing required environment variable: VITE_API_URL');
+}
+if (!clientId) {
+  console.error('Missing required environment variable: AUTHENTIK_CLIENT_ID');
+}
+
 export const config = {
-  apiUrl: import.meta.env.VITE_API_URL || 'http://localhost:3000',
-  authentikUrl: import.meta.env.AUTHENTIK_URL || 'https://auth.firesuite.feuerwehr-rems.at',
-  clientId: import.meta.env.AUTHENTIK_CLIENT_ID || 'your_client_id_here',
+  apiUrl,
+  authentikUrl,
+  clientId,
 };
 
 export const API_URL = config.apiUrl;

frontend/src/utils/safeOpenUrl.ts

@@ -0,0 +1,20 @@
+/**
+ * Safely opens a URL in a new tab.
+ *
+ * Validates the URL before opening it to prevent malicious URLs (e.g.
+ * javascript: or data: URIs) from being opened if an API response is
+ * ever compromised. Only http: and https: URLs are allowed.
+ */
+export function safeOpenUrl(url: string): void {
+  try {
+    const parsed = new URL(url);
+    if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
+      console.warn(`safeOpenUrl: blocked URL with unexpected protocol "${parsed.protocol}": ${url}`);
+      return;
+    }
+  } catch {
+    console.warn(`safeOpenUrl: blocked invalid URL: ${url}`);
+    return;
+  }
+  window.open(url, '_blank', 'noopener,noreferrer');
+}