From ada44ab1fa948d33a0f10eda35e916b9fa1c9e7b Mon Sep 17 00:00:00 2001
From: taqin
Date: Mon, 20 Apr 2026 17:01:25 +0700
Subject: [PATCH] fix: align JWT secret default, correct frontend backend URL, validate webhook URL scheme
- auth.py JWT fallback now matches the string server.py warns on, so default-secret warning actually fires
- frontend/.env points to backend port 9442 (matches docker-compose), not 8001
- webhook create rejects non-http(s) URLs to close an SSRF surface
---
 backend/routes/webhooks.py | 8 +++++++-
 backend/services/auth.py | 2 +-
 frontend/.env | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/backend/routes/webhooks.py b/backend/routes/webhooks.py
index acaf08f..4137528 100644
--- a/backend/routes/webhooks.py
+++ b/backend/routes/webhooks.py
@@ -1,5 +1,6 @@
 import logging
 from typing import Any
+from urllib.parse import urlparse
 import httpx
 from fastapi import APIRouter, Depends, HTTPException
@@ -37,9 +38,14 @@ async def create_webhook(data: dict[str, Any], current_user: User = Depends(get_
 if current_user.role not in ("admin", "instructor"):
 raise HTTPException(status_code=403, detail="Insufficient permissions")
+ url = data.get("url", "")
+ parsed = urlparse(url)
+ if parsed.scheme not in ("http", "https") or not parsed.netloc: raise HTTPException(status_code=400, detail="Webhook URL must be http(s) with a host")
+
 webhook = WebhookConfig(
 name=data["name"],
- url=data["url"],
+ url=url,
 events=data.get("events", ["simulation_complete"]),
 secret=data.get("secret"),
 organization_id=current_user.organization_id,
diff --git a/backend/services/auth.py b/backend/services/auth.py
index 3e664be..dde1101 100644
--- a/backend/services/auth.py
+++ b/backend/services/auth.py
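Review bot: The scheme-and-netloc check on the new `url` lines narrows the SSRF surface but does not close it as the description claims: an http(s) URL whose host is loopback, a private range, or a link-local address still passes, and the stored URL is presumably fetched with `httpx` elsewhere in this module. State the remaining gap where the check is, e.g. `# Scheme/host shape only; the dispatcher must still resolve the host and refuse loopback/private/link-local targets (DNS can change between check and use)`, and enforce that at dispatch time or with an allowlist rather than here. Separately, `name=data["name"]` two lines below the new check still raises KeyError (likely surfacing as a 500) on a missing key while the URL path now returns 400; `name = data.get("name")` with the same 400 handling would make the two consistent. create_webhook starts above the hunk and its body continues past the last context line.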
@@ -9,7 +9,7 @@ from models.schemas import User
 from services.database import db
-JWT_SECRET = os.environ.get("JWT_SECRET", "soceng-lab-secret-key-change-in-production")
+JWT_SECRET = os.environ.get("JWT_SECRET", "change-this-secret-key-in-production")
 JWT_ALGORITHM = "HS256"
 JWT_EXPIRATION_HOURS = 24
diff --git a/frontend/.env b/frontend/.env
index 57e3e26..3d51dc2 100644
--- a/frontend/.env
+++ b/frontend/.env
@@ -1,2 +1,2 @@
 # REACT_APP_BACKEND_URL
-REACT_APP_BACKEND_URL="http://localhost:8001"
+REACT_APP_BACKEND_URL="http://localhost:9442"
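Review bot: The new `JWT_SECRET` line realigns the fallback by duplicating the literal that server.py compares against, which is exactly how the two drifted in the first place; define it once, e.g. `DEFAULT_JWT_SECRET = "change-this-secret-key-in-production"` above it with `JWT_SECRET = os.environ.get("JWT_SECRET", DEFAULT_JWT_SECRET)`, and have server.py import the constant for its warning. Whatever the spelling, the default is an HS256 key visible to anyone with the source, so a startup warning alone still leaves any deployment that forgets the variable signing tokens with a known key; consider refusing to start when `JWT_SECRET` is unset outside an explicitly marked development mode. A one-line comment on the assignment would also help the next reader: `# Placeholder only; server.py warns at startup when this default is still in use`.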
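Review bot: The comment above the changed `REACT_APP_BACKEND_URL` line only repeats the variable name, while the reason for the value (the commit message says it must match the backend port in docker-compose) is not recorded in the file; replace it with `# Must match the backend service port published in docker-compose (9442)`. Since this .env is committed, a short note that per-developer overrides belong in an untracked `.env.local` would prevent the port from being edited here again.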