fix(security): harden dashboard JWT issuer validation against SSRF

@abir-taheerchecks n/achecks…abir/dashboard-api-key-endpoints → production1 files · +45 −21review: @sohamganatrareview: @kaavee315review: @anshugarg15updated 2w ago

GitHub

▸Description · 2 noise

Description

Harden the dashboard JWT issuer validation to prevent SSRF attacks. The iss claim was used to build the JWKS fetch URL — an attacker could set it to an internal URL (e.g. cloud metadata endpoint) and trigger server-side requests.

Require HTTPS scheme, reject IPs, ports, paths, query strings
Reconstruct JWKS URL from validated hostname only (not raw iss value)
Remove unused extractDomainFromUrl helper

Also includes prior commits:

getDashboardRouter() as standard auth mode (addresses CryogenicPlanet's review)
Bugbot fixes: admin role check on allowed_ips, email-based membership resolution, Error_404 type fix

How did I test this PR

Verified issuer validation rejects http://, IPs, ports, paths, query strings
Verified JWKS URL is reconstructed from hostname only
tsgo type-check passes with no errors on dashboard-related files

🤖 Generated with Claude Code

▸ 2 bot/status comments hidden

@github-actions[bot]2w ago

OpenAPI Changelog (Production)

❌ Breaking changes

@github-actions[bot]2w ago

🧪 Test Results Summary (E2E Tests)

loading diff…