preact

Author: gildesmarais

.github/workflows/frontend.yml

@@ -36,13 +36,6 @@ jobs:
           cd frontend
           npm run build
 
-      - name: Verify build output
-        run: |
-          ls -la frontend/dist/
-          test -f frontend/dist/index.html
-          test -f frontend/dist/gallery/index.html
-          test -f frontend/dist/styles.css
-
   frontend-test:
     runs-on: ubuntu-latest
     steps:

.vscode/extensions.json

@@ -3,7 +3,6 @@
     "redhat.vscode-yaml",
     "esbenp.prettier-vscode",
     "github.copilot",
-    "github.copilot-chat",
     "shopify.ruby-lsp"
   ]
 }

app/auth.rb

@@ -23,18 +23,35 @@ module Auth
 
       ##
       # Authenticate a request and return account data if valid
-      # @param request [Roda::Request] request object
+      # @param request [Rack::Request] request object
       # @return [Hash, nil] account data if authenticated
       def authenticate(request)
         token = extract_token(request)
-        return nil unless token
+        return log_auth_failure(request, 'missing_token') unless token
 
         account = get_account(token)
-        if account
-          SecurityLogger.log_auth_failure(request.ip, request.user_agent, 'success')
-        else
-          SecurityLogger.log_auth_failure(request.ip, request.user_agent, 'invalid_token')
-        end
+        return log_auth_success(account, request) if account
+
+        log_auth_failure(request, 'invalid_token')
+      end
+
+      ##
+      # Log auth failure and return nil
+      # @param request [Rack::Request] request object
+      # @param reason [String] failure reason
+      # @return [nil]
+      def log_auth_failure(request, reason)
+        SecurityLogger.log_auth_failure(request.ip, request.user_agent, reason)
+        nil
+      end
+
+      ##
+      # Log auth success and return account
+      # @param account [Hash] account data
+      # @param request [Rack::Request] request object
+      # @return [Hash] account data
+      def log_auth_success(account, request)
+        SecurityLogger.log_auth_success(account[:username], request.ip)
         account
       end
 
@@ -43,7 +60,7 @@ def authenticate(request)
       # @param token [String] authentication token
       # @return [Hash, nil] account data if found
       def get_account(token)
-        return nil unless token
+        return nil unless token && token_index.key?(token)
 
         token_index[token]
       end
@@ -52,7 +69,14 @@ def get_account(token)
       # Get token index for O(1) lookups
       # @return [Hash] token to account mapping
       def token_index
-        @token_index ||= accounts.each_with_object({}) { |account, hash| hash[account[:token]] = account } # rubocop:disable ThreadSafety/ClassInstanceVariable
+        @token_index ||= build_token_index # rubocop:disable ThreadSafety/ClassInstanceVariable
+      end
+
+      ##
+      # Build token index in a thread-safe manner
+      # @return [Hash] token to account mapping
+      def build_token_index
+        accounts.each_with_object({}) { |account, hash| hash[account[:token]] = account }
       end
 
       ##
@@ -127,7 +151,7 @@ def validate_feed_token(feed_token, url)
         return nil unless valid
 
         get_account_by_username(token_data[:payload][:username])
-      rescue StandardError
+      rescue JSON::ParserError, ArgumentError
         SecurityLogger.log_token_usage(feed_token, url, false)
         nil
       end
@@ -174,7 +198,7 @@ def token_valid?(token_data, url)
       # @param url [String] full URL with query parameters
       # @return [String, nil] feed token if found
       def extract_feed_token_from_url(url)
-        URI.parse(url).then { |uri| URI.decode_www_form(uri.query || '').to_h['token'] }
+        URI.parse(url).then { |uri| CGI.parse(uri.query || '')['token']&.first }
       rescue StandardError
         nil
       end
@@ -193,7 +217,7 @@ def feed_url_allowed?(feed_token, url)
 
       ##
       # Extract token from request (Authorization header only)
-      # @param request [Roda::Request] request object
+      # @param request [Rack::Request] request object
       # @return [String, nil] token if found
       def extract_token(request)
         auth_header = request.env['HTTP_AUTHORIZATION']
@@ -266,7 +290,8 @@ def url_matches_pattern?(url, pattern)
           escaped_pattern = Regexp.escape(pattern).gsub('\\*', '.*')
           url.match?(/\A#{escaped_pattern}\z/)
         else
-          url.include?(pattern)
+          # Exact match for non-wildcard patterns
+          url == pattern
         end
       end
 
@@ -282,38 +307,18 @@ def sanitize_xml(text)
       end
 
       ##
-      # Validate URL format and scheme using Html2rss::Url.for_channel
+      # Validate URL format and scheme
       # @param url [String] URL to validate
-      # @return [Boolean] true if URL is valid and allowed
+      # @return [Boolean] true if URL is valid
       def valid_url?(url)
-        return false unless basic_url_valid?(url)
+        return false unless url.is_a?(String) && !url.empty? && url.length <= 2048
 
-        validate_url_with_html2rss(url)
+        uri = URI.parse(url)
+        uri.is_a?(URI::HTTP) || uri.is_a?(URI::HTTPS)
       rescue StandardError
         false
       end
 
-      ##
-      # Basic URL format validation
-      # @param url [String] URL to validate
-      # @return [Boolean] true if basic format is valid
-      def basic_url_valid?(url)
-        url.is_a?(String) && !url.empty? && url.length <= 2048 && url.match?(%r{\Ahttps?://.+})
-      end
-
-      ##
-      # Validate URL using Html2rss if available, otherwise basic validation
-      # @param url [String] URL to validate
-      # @return [Boolean] true if URL is valid
-      def validate_url_with_html2rss(url)
-        if defined?(Html2rss::Url) && Html2rss::Url.respond_to?(:for_channel)
-          !Html2rss::Url.for_channel(url).nil?
-        else
-          # Fallback to basic URL validation for tests
-          URI.parse(url).is_a?(URI::HTTP) || URI.parse(url).is_a?(URI::HTTPS)
-        end
-      end
-
       ##
       # Validate username format and length
       # @param username [String] username to validate

app/roda_config.rb

@@ -66,7 +66,7 @@ def configure_csp_sources(csp)
 
       def configure_csp_security(csp)
         csp.frame_ancestors :none # More restrictive than :self
-        csp.frame_src :none # More restrictive than :self
+        csp.frame_src :self # Allow iframes for RSS feeds
         csp.object_src :none # Prevent object/embed/applet
         csp.media_src :none # Prevent media sources
         csp.manifest_src :none # Prevent manifest
@@ -85,7 +85,7 @@ def basic_security_headers
           'Content-Type' => 'text/html',
           'X-Content-Type-Options' => 'nosniff',
           'X-XSS-Protection' => '1; mode=block',
-          'X-Frame-Options' => 'DENY',
+          'X-Frame-Options' => 'SAMEORIGIN',
           'X-Permitted-Cross-Domain-Policies' => 'none',
           'Referrer-Policy' => 'strict-origin-when-cross-origin'
         }

app/security_logger.rb

@@ -47,6 +47,17 @@ def log_auth_failure(ip, user_agent, reason)
                   })
       end
 
+      ##
+      # Log authentication success
+      # @param username [String] authenticated username
+      # @param ip [String] client IP address
+      def log_auth_success(username, ip)
+        log_event('auth_success', {
+                    username: username,
+                    ip: ip
+                  })
+      end
+
       ##
       # Log rate limit exceeded
       # @param ip [String] client IP address

config/feeds.yml

@@ -4,11 +4,12 @@ auth:
       token: "allow-any-urls-abcd"
       allowed_urls:
         - "*" # Full access
-    - username: "limited"
-      token: "limited-urls-token"
+    - username: "demo"
+      token: "self-host-for-full-access"
       allowed_urls:
-        - "https://example.com/*"
-        - "https://news.ycombinator.com/*"
+        - "https://www.chip.de/testberichte"
+        - "https://news.ycombinator.com"
+        - "https://github.com/trending"
     - username: "health-check"
       token: "health-check-token-xyz789"
       allowed_urls: [] # Health check doesn't need URL access

frontend/astro.config.mjs

@@ -1,5 +1,6 @@
 import { defineConfig } from "astro/config";
 import starlight from "@astrojs/starlight";
+import preact from "@astrojs/preact";
 
 export default defineConfig({
   output: "static",
@@ -30,6 +31,7 @@ export default defineConfig({
     },
   },
   integrations: [
+    preact(),
     starlight({
       title: "html2rss-web",
       description: "Convert websites to RSS feeds instantly",