feat: enhance HTTP handling and configuration

- Introduced a new utility function `safe_urlopen` to ensure only allowed URL schemes (http, https) are opened, enhancing security against path traversal vulnerabilities.
- Updated the `run.py` and `calendar_ics.py` files to utilize `safe_urlopen` for HTTP requests, improving error handling and security.
- Added `HTTP_HOST` configuration to the settings, allowing dynamic binding of the HTTP server host.
- Revised the `.env.example` file to include the new `HTTP_HOST` variable with a description.
- Enhanced tests for `safe_urlopen` to validate behavior with disallowed URL schemes and ensure proper integration in existing functionality.

duty_teller/config.py

@@ -53,6 +53,7 @@ class Settings:
     bot_token: str
     database_url: str
     mini_app_base_url: str
+    http_host: str
     http_port: int
     allowed_usernames: set[str]
     admin_usernames: set[str]
@@ -90,10 +91,13 @@ class Settings:
             if raw_cors and raw_cors != "*"
             else ["*"]
         )
+        raw_host = (os.getenv("HTTP_HOST") or "127.0.0.1").strip()
+        http_host = raw_host if raw_host else "127.0.0.1"
         return cls(
             bot_token=bot_token,
             database_url=os.getenv("DATABASE_URL", "sqlite:///data/duty_teller.db"),
             mini_app_base_url=os.getenv("MINI_APP_BASE_URL", "").rstrip("/"),
+            http_host=http_host,
             http_port=int(os.getenv("HTTP_PORT", "8080")),
             allowed_usernames=allowed,
             admin_usernames=admin,
@@ -120,6 +124,7 @@ _settings = Settings.from_env()
 BOT_TOKEN = _settings.bot_token
 DATABASE_URL = _settings.database_url
 MINI_APP_BASE_URL = _settings.mini_app_base_url
+HTTP_HOST = _settings.http_host
 HTTP_PORT = _settings.http_port
 ALLOWED_USERNAMES = _settings.allowed_usernames
 ADMIN_USERNAMES = _settings.admin_usernames