security: medium-severity fixes (proxies, ssrf, uploads, lnurl, github_data)

- Trust the Forge reverse proxy and force https URLs in production so
  generated absolute URLs match the actual TLS termination.
- Reject Nostr profile photo URLs that aren't http(s) or that resolve to
  loopback / private (RFC1918) addresses to close an SSRF vector in
  FetchNostrProfileJob.
- Tighten image upload validation across meetup, course, and lecturer
  create/edit components: explicit mimes whitelist (jpeg, png, webp),
  max 5 MiB, and dimension cap of 4000x4000.
- Replace the silent "skip if exists" branch in LnurlAuthController with
  updateOrCreate so concurrent callers cannot race on the k1 record.
- Validate github_data on Meetup edit, decoding the JSON, and keep only
  the whitelisted keys (top, left, state) with strict type coercion to
  prevent storing arbitrary attacker-controlled JSON.

app/Http/Controllers/LnurlAuthController.php

@@ -154,14 +154,10 @@ final class LnurlAuthController extends Controller
      */
     private function ensureLoginKeyExists(string $k1, int $userId): void
     {
-        $loginKey = LoginKey::where('k1', $k1)->first();
-
-        if (! $loginKey) {
-            LoginKey::create([
-                'k1' => $k1,
-                'user_id' => $userId,
-            ]);
-        }
+        LoginKey::query()->updateOrCreate(
+            ['k1' => $k1],
+            ['user_id' => $userId],
+        );
     }
 
     /**

app/Jobs/FetchNostrProfileJob.php

@@ -133,6 +133,15 @@ class FetchNostrProfileJob implements ShouldQueue
 
     private function downloadAndSaveProfilePhoto(User $user, string $photoUrl): void
     {
+        if (!$this->isPublicHttpUrl($photoUrl)) {
+            \Log::warning('Refused to download Nostr profile photo from disallowed URL', [
+                'user_id' => $user->id,
+                'url' => $photoUrl,
+            ]);
+
+            return;
+        }
+
         try {
             // Download the image from the URL
             $response = Http::timeout(10)->get($photoUrl);
@@ -178,6 +187,41 @@ class FetchNostrProfileJob implements ShouldQueue
         }
     }
 
+    /**
+     * Reject URLs that are not http(s) or that resolve to a private/loopback
+     * address, to prevent SSRF when fetching arbitrary profile photo URLs.
+     */
+    private function isPublicHttpUrl(string $url): bool
+    {
+        $parts = parse_url($url);
+        if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
+            return false;
+        }
+
+        if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
+            return false;
+        }
+
+        $host = $parts['host'];
+        $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
+
+        if (empty($ips)) {
+            return false;
+        }
+
+        foreach ($ips as $ip) {
+            if (!filter_var(
+                $ip,
+                FILTER_VALIDATE_IP,
+                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE,
+            )) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
     private function getImageExtension(?string $contentType, string $url): string
     {
         // Try to get extension from content type

app/Providers/AppServiceProvider.php

@@ -12,6 +12,7 @@ use Illuminate\Support\Facades\Date;
 use Illuminate\Support\Facades\Event;
 use Illuminate\Support\Facades\RateLimiter;
 use Illuminate\Support\Facades\Route;
+use Illuminate\Support\Facades\URL;
 use Illuminate\Support\ServiceProvider;
 use Laravel\Nightwatch\Facades\Nightwatch;
 use Laravel\Nightwatch\Http\Middleware\Sample;
@@ -36,6 +37,10 @@ class AppServiceProvider extends ServiceProvider
     {
         $this->configureRateLimiting();
 
+        if ($this->app->environment('production')) {
+            URL::forceScheme('https');
+        }
+
         Livewire::setUpdateRoute(function ($handle) {
             return Route::post('/livewire/update', $handle)
                 ->middleware(['web', Sample::rate(0)]);