.

Author: gildesmarais

app/api/v1/feeds.rb

@@ -1,9 +1,10 @@
 # frozen_string_literal: true
 
+require 'time'
+
 require_relative '../../auth'
 require_relative '../../auto_source'
 require_relative '../../feeds'
-require_relative '../../xml_builder'
 require_relative '../../exceptions'
 require_relative '../../feed_token'
 
@@ -21,7 +22,7 @@ def index(_request) # rubocop:disable Metrics/MethodLength
                 id: feed[:name],
                 name: feed[:name],
                 description: feed[:description],
-                url: "/api/v1/feeds/#{feed[:name]}",
+                public_url: "/#{feed[:name]}",
                 created_at: nil,
                 updated_at: nil
               }
@@ -35,6 +36,9 @@ def show(request, token)
           end
 
           def create(request)
+            raise ForbiddenError, 'Auto source feature is disabled' unless AutoSource.enabled?
+            raise ForbiddenError, 'Request origin not allowed' unless AutoSource.allowed_origin?(request)
+
             account = authenticate_request(request)
             params = extract_create_params(request)
             validate_create_params(params, account)
@@ -45,43 +49,10 @@ def create(request)
             build_create_response(request, feed_data)
           end
 
-          def json_request?(request)
-            accept_header = request.env['HTTP_ACCEPT'].to_s
-            accept_header.include?('application/json') && !accept_header.include?('application/xml')
-          end
-
-          def show_feed_metadata(feed_id) # rubocop:disable Metrics/MethodLength
-            config = LocalConfig.find(feed_id)
-            raise NotFoundError, 'Feed not found' unless config
-
-            {
-              success: true,
-              data: {
-                feed: {
-                  id: feed_id,
-                  name: feed_id,
-                  description: "RSS feed for #{feed_id}",
-                  url: "/api/v1/feeds/#{feed_id}",
-                  strategy: config[:strategy] || 'ssrf_filter',
-                  created_at: nil,
-                  updated_at: nil
-                }
-              }
-            }
-          end
-
-          def generate_feed_content(request, feed_id)
-            rss_content = Html2rss::Web::Feeds.generate_feed(feed_id, request.params)
-            config = LocalConfig.find(feed_id)
-            ttl = config&.dig(:channel, :ttl) || 3600
-
-            request.response['Content-Type'] = 'application/xml'
-            request.response['Cache-Control'] = "public, max-age=#{ttl}"
-
-            rss_content.to_s
-          end
-
           def handle_token_based_feed(request, token)
+            raise ForbiddenError, 'Auto source feature is disabled' unless AutoSource.enabled?
+            raise ForbiddenError, 'Request origin not allowed' unless AutoSource.allowed_origin?(request)
+
             feed_token = validate_feed_token(token)
             account = get_account_for_token(feed_token)
             validate_account_access(account, feed_token.url)

app/api/v1/health.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'time'
+
 require_relative '../../auth'
 require_relative '../../health_check'
 require_relative '../../exceptions'

app/auto_source.rb

@@ -44,7 +44,7 @@ def allowed_origins
         else
           origins = ENV.fetch('AUTO_SOURCE_ALLOWED_ORIGINS', '')
         end
-        origins.split(',').map(&:strip)
+        origins.split(',').map(&:strip).reject(&:empty?)
       end
 
       # @param token_data [Hash]

app/security_logger.rb

@@ -3,6 +3,7 @@
 require 'logger'
 require 'json'
 require 'digest'
+require 'time'
 
 module Html2rss
   module Web
@@ -45,7 +46,7 @@ def log_auth_failure(ip, user_agent, reason)
                     ip: ip,
                     user_agent: user_agent,
                     reason: reason
-                  })
+                  }, severity: :warn)
       end
 
       ##
@@ -56,7 +57,7 @@ def log_auth_success(username, ip)
         log_event('auth_success', {
                     username: username,
                     ip: ip
-                  })
+                  }, severity: :info)
       end
 
       ##
@@ -69,7 +70,7 @@ def log_rate_limit_exceeded(ip, endpoint, limit)
                     ip: ip,
                     endpoint: endpoint,
                     limit: limit
-                  })
+                  }, severity: :warn)
       end
 
       ##
@@ -78,11 +79,13 @@ def log_rate_limit_exceeded(ip, endpoint, limit)
       # @param url [String] URL being accessed
       # @param success [Boolean] whether the token was valid
       def log_token_usage(feed_token, url, success)
+        severity = success ? :info : :warn
+
         log_event('token_usage', {
                     success: success,
                     url: url,
                     token_hash: Digest::SHA256.hexdigest(feed_token)[0..7]
-                  })
+                  }, severity: severity)
       end
 
       ##
@@ -95,7 +98,7 @@ def log_suspicious_activity(ip, activity, details = {})
                     ip: ip,
                     activity: activity,
                     **details
-                  })
+                  }, severity: :warn)
       end
 
       ##
@@ -108,7 +111,7 @@ def log_blocked_request(ip, reason, endpoint)
                     ip: ip,
                     reason: reason,
                     endpoint: endpoint
-                  })
+                  }, severity: :warn)
       end
 
       ##
@@ -119,18 +122,20 @@ def log_config_validation_failure(component, details)
         log_event('config_validation_failure', {
                     component: component,
                     details: details
-                  })
+                  }, severity: :error)
       end
 
       ##
       # Log a security event
       # @param event_type [String] type of security event
       # @param data [Hash] event data
-      def log_event(event_type, data)
-        logger.warn({
+      def log_event(event_type, data, severity: :warn)
+        payload = {
           security_event: event_type,
           **data
-        }.to_json)
+        }.to_json
+
+        logger.public_send(severity, payload)
       rescue StandardError => error
         handle_logging_error(error, event_type, data)
       end
@@ -141,11 +146,8 @@ def log_event(event_type, data)
       # @param event_type [String] type of security event
       # @param data [Hash] event data
       def handle_logging_error(error, event_type, data)
-        logger.error("Security logging error: #{error.message}")
-        logger.warn("Security event: #{event_type} - #{data}")
-      rescue StandardError
-        # If even the fallback fails, just print to stderr
-        warn("Security logging failed: #{error.message}")
+        Kernel.warn("Security logging error: #{error.message}")
+        Kernel.warn("Security event: #{event_type} - #{data}")
       end
     end
   end

app/xml_builder.rb

@@ -2,6 +2,7 @@
 
 require 'nokogiri'
 require 'sanitize'
+require 'time'
 
 module Html2rss
   module Web

spec/html2rss/web/api/v1_spec.rb

@@ -7,7 +7,11 @@
 RSpec.describe 'api/v1' do # rubocop:disable RSpec/DescribeClass
   include Rack::Test::Methods
 
-  def app = described_class
+  def app = Html2rss::Web::App.freeze.app
+
+  before do
+    allow(Html2rss::Web::AutoSource).to receive_messages(enabled?: true, allowed_origin?: true)
+  end
 
   describe 'GET /api/v1' do
     it 'returns API information', :aggregate_failures do
@@ -43,6 +47,7 @@ def app = described_class
       response_data = JSON.parse(last_response.body)
       expect(response_data['success']).to be true
       expect(response_data['data']).to have_key('feeds')
+      expect(response_data['data']['feeds'].first).to have_key('public_url')
       expect(response_data['meta']).to have_key('total')
     end
   end
@@ -107,6 +112,17 @@ def app = described_class
         expect(last_response.body).to include('Invalid token')
       end
     end
+
+    context 'when auto source disabled' do
+      it 'returns 403 forbidden', :aggregate_failures do
+        allow(Html2rss::Web::AutoSource).to receive(:enabled?).and_return(false)
+
+        get '/api/v1/feeds/some-token'
+
+        expect(last_response.status).to eq(403)
+        expect(last_response.body).to include('Auto source feature is disabled')
+      end
+    end
   end
 
   describe 'POST /api/v1/feeds' do
@@ -123,6 +139,19 @@ def app = described_class
         expect(response_data['error']['code']).to eq('UNAUTHORIZED')
       end
     end
+
+    context 'when auto source origin not allowed' do
+      it 'returns 403 forbidden', :aggregate_failures do
+        allow(Html2rss::Web::AutoSource).to receive(:allowed_origin?).and_return(false)
+        header 'HTTP_HOST', 'unauthorized.example'
+
+        post '/api/v1/feeds', { url: 'https://example.com' }.to_json,
+             'CONTENT_TYPE' => 'application/json'
+
+        expect(last_response.status).to eq(403)
+        expect(last_response.body).to include('Request origin not allowed')
+      end
+    end
   end
 
   describe 'GET /api/v1/health/ready' do

spec/html2rss/web/security_logger_spec.rb

@@ -4,14 +4,15 @@
 require_relative '../../../app/security_logger'
 
 RSpec.describe Html2rss::Web::SecurityLogger do
-  let(:test_output) { StringIO.new }
   let(:mock_logger) { instance_double(Logger) }
 
   before do
     allow(Logger).to receive(:new).with($stdout).and_return(mock_logger)
     allow(mock_logger).to receive(:formatter=)
+    allow(mock_logger).to receive(:info)
     allow(mock_logger).to receive(:warn)
     allow(mock_logger).to receive(:error)
+    allow(Kernel).to receive(:warn)
     described_class.reset_logger!
   end
 
@@ -51,7 +52,7 @@
     it 'logs token usage with basic data' do
       described_class.log_token_usage('test-token-123', 'https://example.com', true)
 
-      expect(mock_logger).to have_received(:warn) do |message|
+      expect(mock_logger).to have_received(:info) do |message|
         data = JSON.parse(message, symbolize_names: true)
         data.include?(
           security_event: 'token_usage',
@@ -64,7 +65,7 @@
     it 'includes hashed token in log data' do
       described_class.log_token_usage('test-token-123', 'https://example.com', true)
 
-      expect(mock_logger).to have_received(:warn) do |message|
+      expect(mock_logger).to have_received(:info) do |message|
         data = JSON.parse(message, symbolize_names: true)
         data[:token_hash].match?(/\A[a-f0-9]{8}\z/)
       end
@@ -107,7 +108,7 @@
     it 'logs configuration validation failure' do
       described_class.log_config_validation_failure('secret_key', 'Invalid secret key')
 
-      expect(mock_logger).to have_received(:warn) do |message|
+      expect(mock_logger).to have_received(:error) do |message|
         data = JSON.parse(message, symbolize_names: true)
         data.include?(
           security_event: 'config_validation_failure',
@@ -122,32 +123,25 @@
     it 'does not raise error when logger fails' do
       # Mock the logger to raise an error when warn is called
       allow(mock_logger).to receive(:warn).and_raise(StandardError, 'Logger error')
-      allow(mock_logger).to receive(:error)
 
       # Should not raise an error
       expect { described_class.log_auth_failure('192.168.1.1', 'Mozilla/5.0', 'invalid_token') }.not_to raise_error
     end
 
     it 'logs error when logger fails' do
-      # Mock the logger to raise an error when warn is called
       allow(mock_logger).to receive(:warn).and_raise(StandardError, 'Logger error')
-      allow(mock_logger).to receive(:error)
 
       described_class.log_auth_failure('192.168.1.1', 'Mozilla/5.0', 'invalid_token')
 
-      expect(mock_logger).to have_received(:error).with('Security logging error: Logger error')
+      expect(Kernel).to have_received(:warn).with('Security logging error: Logger error')
     end
 
     it 'logs fallback message when logger fails' do
-      # Mock the logger to raise an error when warn is called
       allow(mock_logger).to receive(:warn).and_raise(StandardError, 'Logger error')
-      allow(mock_logger).to receive(:error)
 
       described_class.log_auth_failure('192.168.1.1', 'Mozilla/5.0', 'invalid_token')
 
-      expected_message = 'Security event: auth_failure - {ip: "192.168.1.1", ' \
-                         'user_agent: "Mozilla/5.0", reason: "invalid_token"}'
-      expect(mock_logger).to have_received(:warn).with(expected_message)
+      expect(Kernel).to have_received(:warn).with(a_string_including('Security event: auth_failure'))
     end
   end
 end