security: medium-severity fixes (proxies, ssrf, uploads, lnurl, github_data)

- Trust the Forge reverse proxy and force https URLs in production so
  generated absolute URLs match the actual TLS termination.
- Reject Nostr profile photo URLs that aren't http(s) or that resolve to
  loopback / private (RFC1918) addresses to close an SSRF vector in
  FetchNostrProfileJob.
- Tighten image upload validation across meetup, course, and lecturer
  create/edit components: explicit mimes whitelist (jpeg, png, webp),
  max 5 MiB, and dimension cap of 4000x4000.
- Replace the silent "skip if exists" branch in LnurlAuthController with
  updateOrCreate so concurrent callers cannot race on the k1 record.
- Validate github_data on Meetup edit, decoding the JSON, and keep only
  the whitelisted keys (top, left, state) with strict type coercion to
  prevent storing arbitrary attacker-controlled JSON.

resources/views/livewire/courses/create.blade.php

@@ -14,7 +14,7 @@ class extends Component {
     use WithFileUploads;
     use SeoTrait;
 
-    #[Validate('image|max:10240')] // 10MB Max
+    #[Validate('image|mimes:jpeg,png,webp|max:5120|dimensions:max_width=4000,max_height=4000')]
     public $logo;
 
     public string $name = '';

resources/views/livewire/courses/edit.blade.php

@@ -16,7 +16,7 @@ class extends Component {
     use WithFileUploads;
     use SeoTrait;
 
-    #[Validate('image|max:10240')] // 10MB Max
+    #[Validate('image|mimes:jpeg,png,webp|max:5120|dimensions:max_width=4000,max_height=4000')]
     public $logo;
 
     public Course $course;