fix: add URL protocol validation and reaction type validation

server.js

@@ -1424,6 +1424,10 @@ ${excerpt}
     r.post('/together/share', async (req, res) => {
         const { group_id, shared_by, url = null, title = null, message = '', tags = [] } = req.body || {};
         if (!group_id || !shared_by) return res.status(400).json({ error: 'group_id と shared_by は必須です' });
+        if (url) {
+            try { const p = new URL(url); if (!['http:', 'https:'].includes(p.protocol)) throw new Error(); }
+            catch { return res.status(400).json({ error: 'url は http/https のみ有効です' }); }
+        }
         try {
             const grpCheck = await pool.query('SELECT id FROM together_groups WHERE id=$1', [group_id]);
             if (grpCheck.rows.length === 0) return res.status(404).json({ error: 'グループが見つかりません' });
@@ -1488,6 +1492,7 @@ ${excerpt}
     r.post('/together/react', async (req, res) => {
         const { share_id, username, type = 'like' } = req.body || {};
         if (!share_id || !username) return res.status(400).json({ error: 'share_id と username は必須です' });
+        if (!['like', 'star', 'fire'].includes(type)) return res.status(400).json({ error: 'type は like/star/fire のみ有効です' });
         try {
             const existing = await pool.query(
                 'SELECT 1 FROM together_reactions WHERE share_id=$1 AND username=$2 AND type=$3',