Security: Implement QR Scanner Domain Whitelisting

js/config.js

@@ -1,6 +1,11 @@
 const brandConfig = {
     brandName: "TwinpathNet",
     portalUrl: "http://welcome.dyzulk.com/login",
+    allowedDomains: [
+        "welcome.dyzulk.com", // Main Portal
+        "10.0.0.1",           // Default Gateway (Local IP)
+        "dyzulk.com"          // Custom Domain
+    ],
     creditName: "dyzulk.com",
     creditUrl: "https://dyzulk.com",
     assets: {

js/qr-scanner.js

@@ -28,11 +28,19 @@ function handleDecodedText(decodedText) {
     let password = "";
     scannedUrl = "";
 
-    // Check if result is a URL (common for Mikhmon vouchers)
+    // Check if result is a URL
     try {
         if (decodedText.startsWith('http://') || decodedText.startsWith('https://')) {
-            scannedUrl = decodedText; // Store for redirection
             const url = new URL(decodedText);
+            const hostname = url.hostname;
+            
+            // SECURITY CHECK: Check against Allowed Domains
+            const isAllowed = brandConfig.allowedDomains.some(domain => 
+                hostname === domain || hostname.endsWith('.' + domain)
+            );
+
+            if (isAllowed) {
+                scannedUrl = decodedText; // Store for redirection
                 const searchParams = url.search || (decodedText.includes('?') ? '?' + decodedText.split('?')[1] : '');
                 const params = new URLSearchParams(searchParams);
                 
@@ -42,6 +50,12 @@ function handleDecodedText(decodedText) {
                 if (params.has('password')) {
                     password = params.get('password');
                 }
+            } else {
+                // Not in whitelist: Treat as plain text and warn user
+                console.warn(`Blocked unauthorized domain: ${hostname}`);
+                scannedUrl = ""; // Reset URL redirect
+                // Optionally: alert user or handle it as raw text
+            }
         }
     } catch (e) {
         console.error("Error parsing QR URL:", e);