From 02ac049c97e28f709b9bfd9c49df6be27096f082 Mon Sep 17 00:00:00 2001
From: Bhuvanesh S
Date: Fri, 5 Jun 2026 22:25:18 +0530
Subject: [PATCH] Security hardening: enforce HTTPS URLs
---
 .../data/repository/HomeServerRepository.kt | 9 +++-----
 .../tv/data/repository/IptvRepository.kt | 9 ++------
 util/NetworkUtils.kt | 23 +++++++++++++++++++
 3 files changed, 28 insertions(+), 13 deletions(-)
 create mode 100644 util/NetworkUtils.kt
diff --git a/app/src/main/kotlin/com/arflix/tv/data/repository/HomeServerRepository.kt b/app/src/main/kotlin/com/arflix/tv/data/repository/HomeServerRepository.kt
index a624ee04..3dde7208 100644
--- a/app/src/main/kotlin/com/arflix/tv/data/repository/HomeServerRepository.kt
+++ b/app/src/main/kotlin/com/arflix/tv/data/repository/HomeServerRepository.kt
@@ -775,12 +775,9 @@ class HomeServerRepository @Inject constructor(
 private fun normalizeServerUrl(rawUrl: String): String {
 val trimmed = rawUrl.trim().trimEnd('/')
 if (trimmed.isBlank()) return ""
- val withScheme = if (trimmed.startsWith("http://", true) || trimmed.startsWith("https://", true)) {
- trimmed
- } else {
- "http://$trimmed"
- }
- return withScheme.toHttpUrlOrNull()?.toString()?.trimEnd('/').orEmpty()
+ // Ensure HTTPS scheme using NetworkUtils.
+ val secure = com.arflix.tv.util.NetworkUtils.ensureHttps(trimmed)
+ return secure.toHttpUrlOrNull()?.toString()?.trimEnd('/')?.orEmpty() ?: ""
 }
 private fun detectServerKind(productName: String, serverName: String): HomeServerKind {
diff --git a/app/src/main/kotlin/com/arflix/tv/data/repository/IptvRepository.kt b/app/src/main/kotlin/com/arflix/tv/data/repository/IptvRepository.kt
index 435e107c..7e642eb9 100644
--- a/app/src/main/kotlin/com/arflix/tv/data/repository/IptvRepository.kt
+++ b/app/src/main/kotlin/com/arflix/tv/data/repository/IptvRepository.kt
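Review bot: An address the user typed with an explicit `http://` is now silently rewritten to `https://` with host and port kept, both in `normalizeServerUrl` in HomeServerRepository.kt and in the IptvRepository.kt hunk that follows. A server that only speaks plain HTTP on that port will then fail the TLS handshake with nothing telling the user why, and the comment removed from IptvRepository.kt says most providers use http. Returning an explicit "cleartext not allowed" error, or offering an opt-in setting, would be clearer than rewriting the scheme, and any later fix for the resulting connection failures should not relax certificate validation. The return can also be simplified to `return secure.toHttpUrlOrNull()?.toString()?.trimEnd('/').orEmpty()`, because `?.orEmpty() ?: ""` is redundant.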
@@ -753,13 +753,8 @@ class IptvRepository @Inject constructor(
 }
 }
- // Add scheme if missing.
- return if (cleaned.startsWith("http://", true) || cleaned.startsWith("https://", true)) {
- cleaned.removeSuffix("/")
- } else {
- // Default to http (most providers use http).
- "http://${cleaned.removeSuffix("/")}"
- }
+ // Use NetworkUtils to enforce HTTPS scheme.
+ return com.arflix.tv.util.NetworkUtils.ensureHttps(cleaned)
 }
 private fun buildXtreamM3uUrl(baseUrl: String, username: String, password: String): String {
diff --git a/util/NetworkUtils.kt b/util/NetworkUtils.kt
new file mode 100644
index 00000000..e399cf7c
--- /dev/null
+++ b/util/NetworkUtils.kt
@@ -0,0 +1,23 @@
+package com.arflix.tv.util
+
+object NetworkUtils {
+ /**
+ * Returns true if the given URL uses HTTPS scheme.
+ */
+ fun isSecureUrl(url: String): Boolean {
+ return url.trim().startsWith("https://", ignoreCase = true)
+ }
+
+ /**
+ * Ensures the URL has an HTTPS scheme. If the URL starts with http:// it will be replaced.
+ * If no scheme is present, https:// is prefixed.
+ */
+ fun ensureHttps(url: String): String {
+ val trimmed = url.trim().trimEnd('/')
+ return when {
+ trimmed.startsWith("https://", ignoreCase = true) -> trimmed
+ trimmed.startsWith("http://", ignoreCase = true) -> trimmed.replaceFirst("http://", "https://")
+ else -> "https://$trimmed"
+ }
+ }
+}
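Review bot: The `http://` branch of `ensureHttps` matches case-insensitively but rewrites case-sensitively, so an input such as `HTTP://host` takes that branch and `replaceFirst("http://", "https://")` returns it unchanged; both callers then treat a cleartext URL as secured. Rewrite by position instead: `trimmed.startsWith("http://", ignoreCase = true) -> "https://" + trimmed.substring("http://".length)`. Separately, the file is created at `util/NetworkUtils.kt` in the repository root while both callers live under `app/src/main/kotlin/`. Unless that directory is a configured source set, `com.arflix.tv.util.NetworkUtils` will presumably not resolve, so the file likely belongs under `app/src/main/kotlin/com/arflix/tv/util/`.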