refactor: implement safe URL validation for whitelabeling settings in both client and server schemas

packages/server/src/db/schema/web-server-settings.ts

@@ -187,16 +187,23 @@ export const apiUpdateDockerCleanup = z.object({
 });
 
 // Whitelabeling validation schemas
+const safeUrl = z
+	.string()
+	.refine((url) => /^https?:\/\//i.test(url), {
+		message: "Only http:// and https:// URLs are allowed",
+	})
+	.nullable();
+
 export const whitelabelingConfigSchema = z.object({
 	appName: z.string().nullable(),
 	appDescription: z.string().nullable(),
-	logoUrl: z.string().nullable(),
-	faviconUrl: z.string().nullable(),
+	logoUrl: safeUrl,
+	faviconUrl: safeUrl,
 	primaryColor: z.string().nullable(),
 	customCss: z.string().nullable(),
-	loginLogoUrl: z.string().nullable(),
-	supportUrl: z.string().nullable(),
-	docsUrl: z.string().nullable(),
+	loginLogoUrl: safeUrl,
+	supportUrl: safeUrl,
+	docsUrl: safeUrl,
 	errorPageTitle: z.string().nullable(),
 	errorPageDescription: z.string().nullable(),
 	metaTitle: z.string().nullable(),

packages/server/src/verification/send-verification-email.tsx

@@ -1,7 +1,4 @@
-import {
-	sendDiscordNotification,
-	sendEmailNotification,
-} from "../utils/notifications/utils";
+import { sendEmailNotification } from "../utils/notifications/utils";
 export const sendEmail = async ({
 	email,
 	subject,
@@ -26,26 +23,3 @@ export const sendEmail = async ({
 
 	return true;
 };
-
-export const sendDiscordNotificationWelcome = async (email: string) => {
-	await sendDiscordNotification(
-		{
-			webhookUrl: process.env.DISCORD_WEBHOOK_URL || "",
-		},
-		{
-			title: "New User Registered",
-			color: 0x00ff00,
-			fields: [
-				{
-					name: "Email",
-					value: email,
-					inline: true,
-				},
-			],
-			timestamp: new Date(),
-			footer: {
-				text: "Dokploy User Registration Notification",
-			},
-		},
-	);
-};