Currently, URLs used for callbacks and validation (e.g., Twilio or auth) are a combination of using General.PublicURL and trying to rebuild the incoming URL from HTTP headers like host, forwarded scheme, and referer.

We should switch to using the public URL for validation and URL generation, with the added ability to override/set the Public URL by a command-line flag, falling back to the DB config value.

This will prevent issues with reverse proxies sending the wrong headers and causing hard to debug problems. We should also update the OIDC code to always issue a redirect to the Public URL instead of relying on the referer & whitelist. With the ability to set a per-instance public URL it will still be possible to achieve what was needed with the whitelist.

Work's been started in the branch strict-url-validation using just the Public URL via command line flag (taking precedence over General.PublicURL) and adding deprecation support to show it as deprecated in the UI