Block SSRF via backchannel_logout_uri

backchannel_logout_uri was validated only for scheme/HTTPS, so an admin (or a
compromised admin account) could point it at internal infrastructure — cloud
metadata (169.254.169.254), loopback, or RFC1918 hosts — and every user logout
would fire a server-side POST there.

Add PrivateAddressCheck (app/lib) and apply it as defense-in-depth:
- Application validation rejects URIs whose host is, or is a literal, internal
  address (loopback / private / link-local / 0.0.0.0 / localhost / metadata
  hostnames). Fast, DNS-free, immediate admin feedback.
- BackchannelLogoutJob re-checks at request time WITH DNS resolution and aborts
  (no retry) if the host resolves to a non-public address — covering URIs that
  predate the validation and public hostnames pointed at internal IPs.

Tests cover the address classification, the model validation, and updates an
existing test that used a localhost logout URI.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

test/models/application_test.rb

@@ -56,4 +56,29 @@ class ApplicationTest < ActiveSupport::TestCase
     tempfile&.close
     tempfile&.unlink
   end
+
+  test "rejects backchannel_logout_uri pointing at internal addresses (SSRF guard)" do
+    app = applications(:kavita_app)
+
+    internal_uris = [
+      "http://127.0.0.1/logout",
+      "http://localhost/logout",
+      "https://169.254.169.254/latest/meta-data/",
+      "http://10.0.0.5/logout",
+      "http://192.168.1.10/logout"
+    ]
+
+    internal_uris.each do |uri|
+      app.backchannel_logout_uri = uri
+      refute app.valid?, "expected #{uri} to be rejected"
+      assert_includes app.errors[:backchannel_logout_uri].join, "private, loopback, or link-local"
+    end
+  end
+
+  test "allows backchannel_logout_uri pointing at a public host" do
+    app = applications(:kavita_app)
+    app.backchannel_logout_uri = "https://relying-party.example.com/backchannel-logout"
+
+    assert app.valid?, app.errors.full_messages.to_sentence
+  end
 end