log for rack-attack

Author: gildesmarais

app.rb

@@ -5,7 +5,9 @@
 require 'json'
 
 require 'html2rss'
-require_relative 'app/ssrf_filter_strategy'
+require_relative 'app/environment_validator'
+require_relative 'app/roda_config'
+require_relative 'app/app_routes'
 require_relative 'app/auth'
 require_relative 'app/auto_source'
 require_relative 'app/feeds'
@@ -16,6 +18,7 @@
 require_relative 'app/xml_builder'
 require_relative 'app/auto_source_routes'
 require_relative 'app/health_check_routes'
+require_relative 'app/security_logger'
 
 module Html2rss
   module Web
@@ -33,150 +36,19 @@ class App < Roda
       CONTENT_TYPE_RSS = 'application/xml'
 
       def self.development? = ENV['RACK_ENV'] == 'development'
-
-      # Validate required environment variables on startup
-      def self.validate_environment!
-        return if ENV['HTML2RSS_SECRET_KEY']
-
-        if development? || ENV['RACK_ENV'] == 'test'
-          set_development_key
-        else
-          show_production_error
-        end
-      end
-
-      def self.set_development_key
-        ENV['HTML2RSS_SECRET_KEY'] = 'development-default-key-not-for-production'
-        puts '⚠️  WARNING: Using default secret key for development/testing only!'
-        puts '   Set HTML2RSS_SECRET_KEY environment variable for production use.'
-      end
-
-      def self.show_production_error
-        puts production_error_message
-        exit 1
-      end
-
-      def self.production_error_message
-        <<~ERROR
-          ❌ ERROR: HTML2RSS_SECRET_KEY environment variable is not set!
-
-          This application is designed to be used via Docker Compose only.
-          Please read the project's README.md for setup instructions.
-
-          To generate a secure secret key and start the application:
-            1. Generate a secret key: openssl rand -hex 32
-            2. Edit docker-compose.yml and replace 'your-generated-secret-key-here' with your key
-            3. Start with: docker-compose up
-
-          For more information, see: https://github.com/html2rss/html2rss-web#configuration
-        ERROR
-      end
-
       def development? = self.class.development?
 
       # Validate environment on class load
-      validate_environment!
-
-      Html2rss::RequestService.register_strategy(:ssrf_filter, SsrfFilterStrategy)
-      Html2rss::RequestService.default_strategy_name = :ssrf_filter
-      Html2rss::RequestService.unregister_strategy(:faraday)
-
-      opts[:check_dynamic_arity] = false
-      opts[:check_arity] = :warn
-
-      use Rack::Cache,
-          metastore: 'file:./tmp/rack-cache-meta',
-          entitystore: 'file:./tmp/rack-cache-body',
-          verbose: false
-
-      plugin :content_security_policy do |csp|
-        csp.default_src :none
-        csp.style_src :self, "'unsafe-inline'" # Allow inline styles for Starlight
-        csp.script_src :self, "'unsafe-inline'" # Allow inline scripts for progressive enhancement
-        csp.connect_src :self
-        csp.img_src :self, 'data:', 'blob:'
-        csp.font_src :self, 'data:'
-        csp.form_action :self
-        csp.base_uri :none
-        csp.frame_ancestors :none # More restrictive than :self
-        csp.frame_src :none # More restrictive than :self
-        csp.object_src :none # Prevent object/embed/applet
-        csp.media_src :none # Prevent media sources
-        csp.manifest_src :none # Prevent manifest
-        csp.worker_src :none # Prevent workers
-        csp.child_src :none # Prevent child contexts
-        csp.block_all_mixed_content
-        csp.upgrade_insecure_requests # Upgrade HTTP to HTTPS
-      end
-
-      plugin :default_headers,
-             'Content-Type' => 'text/html',
-             'X-Content-Type-Options' => 'nosniff',
-             'X-XSS-Protection' => '1; mode=block',
-             'X-Frame-Options' => 'DENY',
-             'X-Permitted-Cross-Domain-Policies' => 'none',
-             'Referrer-Policy' => 'strict-origin-when-cross-origin',
-             'Permissions-Policy' => 'geolocation=(), microphone=(), camera=()',
-             'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains; preload',
-             'Cross-Origin-Embedder-Policy' => 'require-corp',
-             'Cross-Origin-Opener-Policy' => 'same-origin',
-             'Cross-Origin-Resource-Policy' => 'same-origin'
-
-      plugin :exception_page
-      plugin :error_handler do |error|
-        next exception_page(error) if development?
-
-        response.status = 500
-        response['Content-Type'] = CONTENT_TYPE_RSS
-        XmlBuilder.build_error_feed(message: error.message)
-      end
-
-      plugin :public
-      plugin :hash_branches
-
-      @show_backtrace = !ENV['CI'].to_s.empty? || development?
-
-      # API routes
-      hash_branch 'api' do |r|
-        response['Content-Type'] = 'application/json'
-
-        r.on 'feeds.json' do
-          response['Cache-Control'] = 'public, max-age=300'
-          JSON.generate(Feeds.list_feeds)
-        end
-
-        r.on 'strategies.json' do
-          response['Cache-Control'] = 'public, max-age=3600'
-          JSON.generate(ApiRoutes.list_available_strategies)
-        end
-
-        r.on String do |feed_name|
-          ApiRoutes.handle_feed_generation(r, feed_name)
-        end
-      end
-
-      # Stable feed routes (new)
-      hash_branch 'feeds' do |r|
-        r.on String do |feed_id|
-          AutoSourceRoutes.handle_stable_feed(r, feed_id)
-        end
-      end
+      EnvironmentValidator.validate_environment!
+      EnvironmentValidator.validate_production_security!
 
-      # Auto source routes
-      hash_branch 'auto_source' do |r|
-        handle_auto_source_routes(r)
-      end
+      # Configure Roda app
+      RodaConfig.configure(self)
 
-      # Health check route
-      hash_branch 'health_check.txt' do |r|
-        handle_health_check_routes(r)
-      end
+      @show_backtrace = development? && !ENV['CI']
 
-      route do |r|
-        r.public
-        r.hash_branches
-        handle_static_files(r)
-      end
+      # Define all routes
+      AppRoutes.define_routes(self)
     end
   end
 end

app/api_routes.rb

@@ -9,6 +9,9 @@ module Web
     module ApiRoutes
       module_function
 
+      ##
+      # List available request strategies
+      # @return [Hash] hash with strategies array
       def list_available_strategies
         strategies = Html2rss::RequestService.strategy_names.map do |name|
           {
@@ -20,11 +23,15 @@ def list_available_strategies
         { strategies: strategies }
       end
 
+      ##
+      # Handle feed generation request
+      # @param router [Roda::Request] request router
+      # @param feed_name [String] name of the feed to generate
+      # @return [String] RSS content
       def handle_feed_generation(router, feed_name)
         params = router.params
         rss_content = Feeds.generate_feed(feed_name, params)
 
-        # Extract TTL from feed configuration
         config = LocalConfig.find(feed_name)
         ttl = config.dig(:channel, :ttl) || 3600
 
@@ -36,6 +43,10 @@ def handle_feed_generation(router, feed_name)
         Feeds.error_feed(error.message)
       end
 
+      ##
+      # Set RSS response headers
+      # @param router [Roda::Request] request router
+      # @param ttl [Integer] time to live in seconds
       def rss_headers(router, ttl: 3600)
         router.response['Content-Type'] = 'application/xml'
         router.response['Cache-Control'] = "public, max-age=#{ttl}"

app/app_routes.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module Html2rss
+  module Web
+    ##
+    # Main application routes for html2rss-web
+    # Handles all route definitions and routing logic
+    module AppRoutes
+      module_function
+
+      ##
+      # Define all application routes
+      # @param app [Class] The Roda app class
+      def define_routes(app)
+        define_api_routes(app)
+        define_feed_routes(app)
+        define_auto_source_routes(app)
+        define_health_check_routes(app)
+        define_main_route(app)
+      end
+
+      def define_api_routes(app)
+        app.hash_branch 'api' do |r|
+          r.response['Content-Type'] = 'application/json'
+
+          r.on 'feeds.json' do
+            r.response['Cache-Control'] = 'public, max-age=300'
+            JSON.generate(Feeds.list_feeds)
+          end
+
+          r.on 'strategies.json' do
+            r.response['Cache-Control'] = 'public, max-age=3600'
+            JSON.generate(ApiRoutes.list_available_strategies)
+          end
+
+          r.on String do |feed_name|
+            ApiRoutes.handle_feed_generation(r, feed_name)
+          end
+        end
+      end
+
+      def define_feed_routes(app)
+        app.hash_branch 'feeds' do |r|
+          r.on String do |feed_id|
+            AutoSourceRoutes.handle_stable_feed(r, feed_id)
+          end
+        end
+      end
+
+      def define_auto_source_routes(app)
+        app.hash_branch 'auto_source' do |r|
+          handle_auto_source_routes(r)
+        end
+      end
+
+      def define_health_check_routes(app)
+        app.hash_branch 'health_check.txt' do |r|
+          handle_health_check_routes(r)
+        end
+      end
+
+      def define_main_route(app)
+        app.route do |r|
+          r.public
+          r.hash_branches
+          handle_static_files(r)
+        end
+      end
+    end
+  end
+end

app/auth.rb

@@ -7,6 +7,7 @@
 require 'json'
 require 'cgi'
 require_relative 'local_config'
+require_relative 'security_logger'
 
 module Html2rss
   ##
@@ -28,7 +29,13 @@ def authenticate(request)
         token = extract_token(request)
         return nil unless token
 
-        get_account(token)
+        account = get_account(token)
+        if account
+          SecurityLogger.log_auth_failure(request.ip, request.user_agent, 'success')
+        else
+          SecurityLogger.log_auth_failure(request.ip, request.user_agent, 'invalid_token')
+        end
+        account
       end
 
       ##
@@ -113,10 +120,15 @@ def validate_feed_token(feed_token, url)
         return nil unless feed_token && url
 
         token_data = decode_feed_token(feed_token)
-        return nil unless token_data && verify_token_signature(token_data) && token_valid?(token_data, url)
+        valid = token_data && verify_token_signature(token_data) && token_valid?(token_data, url)
+
+        SecurityLogger.log_token_usage(feed_token, url, valid)
+
+        return nil unless valid
 
         get_account_by_username(token_data[:payload][:username])
       rescue StandardError
+        SecurityLogger.log_token_usage(feed_token, url, false)
         nil
       end
 

app/auto_source.rb

@@ -12,25 +12,38 @@ module Web
     module AutoSource
       module_function
 
+      ##
+      # Check if auto source is enabled
+      # @return [Boolean] true if enabled
       def enabled?
-        # Enable by default in development, require explicit setting in production
         if development?
           ENV.fetch('AUTO_SOURCE_ENABLED', nil) != 'false'
         else
           ENV.fetch('AUTO_SOURCE_ENABLED', nil) == 'true'
         end
       end
 
+      ##
+      # Authenticate request with token
+      # @param request [Roda::Request] request object
+      # @return [Hash, nil] account data if authenticated
       def authenticate_with_token(request)
         Auth.authenticate(request)
       end
 
+      ##
+      # Check if origin is allowed
+      # @param request [Roda::Request] request object
+      # @return [Boolean] true if origin is allowed
       def allowed_origin?(request)
         origin = request.env['HTTP_HOST'] || request.env['HTTP_X_FORWARDED_HOST']
         origins = allowed_origins
         origins.empty? || origins.include?(origin)
       end
 
+      ##
+      # Get allowed origins from configuration
+      # @return [Array<String>] list of allowed origins
       def allowed_origins
         if development?
           default_origins = 'localhost:3000,localhost:3001,127.0.0.1:3000,127.0.0.1:3001'
@@ -41,8 +54,12 @@ def allowed_origins
         origins.split(',').map(&:strip)
       end
 
+      ##
+      # Check if URL is allowed for token
+      # @param token_data [Hash] token data
+      # @param url [String] URL to check
+      # @return [Boolean] true if URL is allowed
       def url_allowed_for_token?(token_data, url)
-        # Get full account data from config
         account = Auth.get_account_by_username(token_data[:username])
         return false unless account