    Improvement
    January 23, 2026 · 3 min read

    Security Hardening and Messaging Framework Fixes

    Governance
    Knowledge Files
    API & MCP
    Authentication

    🔧 What's Improved

    This release focuses on security hardening and bug fixes to ensure a more reliable and secure experience.


    🔒 Security Enhancements

    analyze-source-url Endpoint Protection

    We've added comprehensive security measures to the URL analysis endpoint:

    • Authentication Required - All requests now require a valid user session
    • Rate Limiting - Maximum 5 requests per 15 minutes per user to prevent API abuse
    • SSRF Protection - Blocks private IPs and local addresses to prevent server-side request forgery attacks
    • URL Validation - Only public http/https URLs are now accepted

    These changes protect your Firecrawl API quota from unauthorized usage while maintaining full functionality for authenticated users.
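The scheme check and the private/local address block described above, written out as an added example (illustrative code, not the project's own implementation). It assumes hostname resolution is injected through a `resolve` callable so it runs offline against a constructed `FAKE_DNS` table; in production the same resolver the HTTP client uses must be passed in, the client must connect only to the addresses this function returns, and the check must be repeated on every redirect.

```python
"""Added example: SSRF-style URL vetting before a server-side fetch.

Illustrative code, not the project's own. Assumption: hostname resolution is
injected (``resolve``) so the check runs offline; production must use the same
resolver the fetch uses and re-run the check on every redirect.
"""
from __future__ import annotations

import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class UrlRejected(ValueError):
    """Raised when a URL must not be fetched server-side."""


def is_public_address(ip: str) -> bool:
    """True only for a globally routable unicast address (IPv4 or IPv6)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 rules apply to it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (
        addr.is_private
        or addr.is_loopback
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def validate_source_url(url: str, resolve: Callable[[str], Iterable[str]]) -> list[str]:
    """Return the public addresses the fetch may connect to, or raise UrlRejected."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UrlRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UrlRejected("credentials embedded in URL")
    host = parts.hostname  # brackets stripped and lower-cased by urlsplit
    if not host:
        raise UrlRejected("missing host")
    if host == "localhost" or host.endswith(".localhost"):
        raise UrlRejected("local hostname")
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # strict IP literal: judge it directly, no DNS involved
    except ValueError:
        addrs = list(resolve(host))
        if not addrs:
            raise UrlRejected("host does not resolve")
    # Every answer must be public. A name with one public and one private answer
    # (split-horizon DNS or rebinding) is rejected as a whole.
    non_public = [a for a in addrs if not is_public_address(a)]
    if non_public:
        raise UrlRejected(f"non-public address(es): {non_public}")
    return addrs


def is_safe_source_url(url: str, resolve: Callable[[str], Iterable[str]]) -> bool:
    """Boolean wrapper for callers that only need allow/deny."""
    try:
        validate_source_url(url, resolve)
        return True
    except UrlRejected:
        return False


# Constructed stand-in for DNS so the example runs offline (sample data, not real records).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host.rstrip("."), [])


if __name__ == "__main__":
    for candidate in ("https://example.com/page", "http://intranet.example/",
                      "http://[::1]/", "ftp://example.com/"):
        verdict = "allowed" if is_safe_source_url(candidate, fake_resolve) else "rejected"
        print(f"{candidate} -> {verdict}")
```

Two design points worth keeping: anything that is not a strict IP literal goes through `resolve`, so the injected resolver must be the one the HTTP client actually uses, otherwise the check and the connection can disagree; and a name that resolves to a mix of public and private addresses is rejected outright rather than filtered, because the client cannot be trusted to pick the public one.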


    🐛 Bug Fixes

    Messaging Framework Generation

    Fixed critical issues preventing messaging framework generation:

    • 403 Access Denied Error - Resolved brand kit access verification that was failing due to auth context issues in edge functions
    • 500 Internal Server Error - Corrected the AI API endpoint URL for proper connectivity
    • Access Control Logic - Refactored to use direct database queries instead of RPC calls that relied on session-based auth

    How to Use

    The messaging framework wizard should now work reliably. Navigate to Knowledge Files → Messaging Framework and click Generate to create your brand's messaging framework.


    📚 Technical Details

    For developers and those interested in the implementation:

    • Edge functions now validate JWT tokens directly and query brand kit ownership/membership explicitly
    • Rate limiting uses the existing rate_limits table with per-user, per-function tracking
    • Response headers include Retry-After for rate-limited requests to help clients handle quota gracefully
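The limit stated earlier (5 requests per 15 minutes, per user and per function, tracked in a table, with `Retry-After` on denial) as an added example rather than the project's own code. The `rate_limits` column layout used here is a hypothetical stand-in, since the page does not document the real table, an in-memory SQLite database replaces the production database, and the clock is injected so the window behaviour can be exercised deterministically.

```python
"""Added example: fixed-window, per-user, per-function rate limiting backed by a
table, returning Retry-After when the limit is hit.

Illustrative code, not the project's own. The ``rate_limits`` schema below is a
hypothetical stand-in; SQLite in memory replaces the real database; the clock
is injected for deterministic behaviour.
"""
from __future__ import annotations

import sqlite3
import time
from dataclasses import dataclass
from typing import Callable

LIMIT = 5                 # requests allowed per window
WINDOW_SECONDS = 15 * 60  # 15-minute window


@dataclass
class RateDecision:
    allowed: bool
    remaining: int
    retry_after: int  # seconds until the window resets; 0 when allowed

    def headers(self) -> dict[str, str]:
        """Headers to attach to the HTTP response."""
        h = {"X-RateLimit-Limit": str(LIMIT), "X-RateLimit-Remaining": str(self.remaining)}
        if not self.allowed:
            h["Retry-After"] = str(self.retry_after)  # delay-seconds form
        return h


class RateLimiter:
    def __init__(self, conn: sqlite3.Connection, now: Callable[[], float] = time.time):
        self.conn = conn
        self.now = now
        self.conn.execute(
            """CREATE TABLE IF NOT EXISTS rate_limits (
                   user_id       TEXT    NOT NULL,
                   function_name TEXT    NOT NULL,
                   window_start  INTEGER NOT NULL,
                   count         INTEGER NOT NULL,
                   PRIMARY KEY (user_id, function_name))"""
        )

    def check(self, user_id: str, function_name: str) -> RateDecision:
        now = int(self.now())
        key = (user_id, function_name)
        # A single conditional UPDATE is the compare-and-increment: two concurrent
        # requests cannot both observe count == LIMIT - 1 and both get through.
        cur = self.conn.execute(
            "UPDATE rate_limits SET count = count + 1 "
            "WHERE user_id = ? AND function_name = ? AND window_start > ? AND count < ?",
            (*key, now - WINDOW_SECONDS, LIMIT),
        )
        if cur.rowcount == 1:
            (count,) = self.conn.execute(
                "SELECT count FROM rate_limits WHERE user_id = ? AND function_name = ?", key
            ).fetchone()
            return RateDecision(True, LIMIT - count, 0)
        row = self.conn.execute(
            "SELECT window_start, count FROM rate_limits WHERE user_id = ? AND function_name = ?",
            key,
        ).fetchone()
        if row is None or now - row[0] >= WINDOW_SECONDS:
            # No window yet, or the old one has expired: open a fresh one with this request.
            self.conn.execute(
                "INSERT OR REPLACE INTO rate_limits VALUES (?, ?, ?, 1)", (*key, now)
            )
            return RateDecision(True, LIMIT - 1, 0)
        window_start, _ = row
        return RateDecision(False, 0, window_start + WINDOW_SECONDS - now)


def make_memory_limiter(now: Callable[[], float] = time.time) -> RateLimiter:
    """Limiter on a throwaway in-memory database (autocommit) for demos and tests."""
    return RateLimiter(sqlite3.connect(":memory:", isolation_level=None), now)


if __name__ == "__main__":
    limiter = make_memory_limiter()
    for i in range(LIMIT + 1):
        d = limiter.check("user-123", "analyze-source-url")
        print(f"request {i + 1}: {'allowed' if d.allowed else 'denied'} {d.headers()}")
```

The counter is keyed on (user, function), so hitting another function or another user's quota is independent, and the denial path reads the row only to compute how many seconds remain in the window, which is what the `Retry-After` value carries back to the client.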