.

Author: gildesmarais

.github/copilot-instructions.md

@@ -43,6 +43,7 @@ Fix rubocop `RSpec/MultipleExpectations` adding rspec tag `:aggregate_failures`.
 - ✅ **Frontend**: Use Astro components in `frontend/src/`. Keep it simple.
 - ✅ **CSS**: Use frontend styles provided by Astro Starlight.
 - ✅ **Specs**: RSpec for Ruby, build tests for frontend.
+- ✅ When a spec needs to tweak environment variables, wrap the example in `ClimateControl.modify` so state is restored automatically.
 
 ## Don't
 

.rubocop.yml

@@ -12,6 +12,9 @@ AllCops:
     - '**/*.yaml'
     - '**/.tool-versions'
 
+Style/Documentation:
+  Enabled: false
+
 Metrics/BlockLength:
   Exclude:
     - Rakefile

Makefile

@@ -47,8 +47,6 @@ test-frontend-unit: ## Run frontend unit tests only
 test-frontend-contract: ## Run frontend contract tests only
 	@cd frontend && npm run test:contract
 
-test-frontend-smoke: ## Run frontend smoke tests (Playwright)
-	@cd frontend && npm run test:smoke
 
 lint: lint-ruby lint-js ## Run all linters (Ruby + Frontend) - errors when issues found
 	@echo "All linting complete!"

README.md

@@ -203,7 +203,6 @@ The project includes a modern Astro frontend alongside the Ruby backend:
 | `make test-frontend` | Run frontend unit + contract tests    |
 | `make test-frontend-unit` | Run frontend unit tests only      |
 | `make test-frontend-contract` | Run frontend contract tests (Vitest + MSW) |
-| `make test-frontend-smoke` | Run frontend smoke tests (Playwright) |
 | `make lint`          | Run all linters (Ruby + Frontend)     |
 | `make lint-ruby`     | Run Ruby linter only                  |
 | `make lint-js`       | Run frontend linter only              |
@@ -221,7 +220,6 @@ The project includes a modern Astro frontend alongside the Ruby backend:
 | `cd frontend && npm run build` | Build frontend for production |
 | `cd frontend && npm run test:unit` | Run unit tests (Vitest) |
 | `cd frontend && npm run test:contract` | Run contract tests with MSW |
-| `cd frontend && npm run test:smoke` | Run Playwright smoke tests |
 
 ### Testing Strategy
 
@@ -230,14 +228,7 @@ The project includes a modern Astro frontend alongside the Ruby backend:
 | Ruby API         | RSpec + Rack::Test         | Deterministic request specs for the Roda app |
 | Frontend Unit    | Vitest + Testing Library   | Hook/component behaviour with mocked fetch |
 | Frontend Contract| Vitest + MSW               | Exercises real fetch flows against mocked API responses |
-| Smoke            | Playwright                 | Minimal API smoke checks via the real Puma server |
-
-To execute Playwright smoke tests locally for the first time, install the required browsers:
-
-```bash
-cd frontend
-npx playwright install --with-deps
-```
+| Docker Smoke     | RSpec (tagged `:docker`)   | Net::HTTP checks against a bundled Puma container |
 
 ## Contributing
 

Rakefile

@@ -50,22 +50,14 @@ task :test do
   Output.describe 'Listing docker containers matching html2rss-web-test filter'
   sh 'docker ps -a --filter name=html2rss-web-test'
 
-  Output.describe 'Generating feed from a html2rss-configs config'
-  sh 'curl -f "http://127.0.0.1:3000/github.com/releases.rss?username=html2rss&repository=html2rss-web" || exit 1'
-
-  Output.describe 'Generating example feed from feeds.yml'
-  sh 'curl -f http://127.0.0.1:3000/example.rss || exit 1'
-
-  Output.describe 'Health check endpoint'
-  sh <<~COMMAND
-    docker exec html2rss-web-test curl -f \
-      -H "Authorization: Bearer health-check-token-xyz789" \
-      http://127.0.0.1:3000/api/v1/health || exit 1
-  COMMAND
-
-  # skipped as html2rss is used in development version
-  # Output.describe 'Print output of `html2rss help`'
-  # sh 'docker exec html2rss-web-test html2rss help'
+  Output.describe 'Running RSpec smoke suite against container'
+  smoke_env = {
+    'SMOKE_BASE_URL' => 'http://127.0.0.1:3000',
+    'SMOKE_HEALTH_TOKEN' => 'health-check-token-xyz789',
+    'SMOKE_API_TOKEN' => 'allow-any-urls-abcd-4321',
+    'RUN_DOCKER_SPECS' => 'true'
+  }
+  sh smoke_env, 'bundle exec rspec --tag docker'
 ensure
   test_container_exists = JSON.parse(`docker inspect html2rss-web-test`).any?
 

app/account_manager.rb

@@ -20,8 +20,9 @@ def get_account(token)
         def accounts
           @accounts ||= begin # rubocop:disable ThreadSafety/ClassInstanceVariable
             auth_config = LocalConfig.global[:auth]
+            raw_accounts = auth_config&.dig(:accounts)
 
-            auth_config&.dig(:accounts) ? auth_config[:accounts].transform_keys(&:to_sym) : []
+            Array(raw_accounts).map { |account| account.transform_keys(&:to_sym) }
           end
         end
 

app/feed_token.rb

@@ -2,196 +2,127 @@
 
 require 'base64'
 require 'json'
-require 'zlib'
 require 'openssl'
+require 'zlib'
 require_relative 'url_validator'
 
 module Html2rss
   module Web
-    # Token configuration constants
     DEFAULT_EXPIRY = 315_360_000 # 10 years in seconds
     HMAC_ALGORITHM = 'SHA256'
+    REQUIRED_TOKEN_KEYS = %i[p s].freeze
+    COMPRESSED_PAYLOAD_KEYS = %i[u l e].freeze
 
-    # Compressed feed token with HMAC validation
     FeedToken = Data.define(:username, :url, :expires_at, :signature) do
-      # @param username [String]
-      # @param url [String]
-      # @param secret_key [String]
-      # @param expires_in [Integer] seconds (default: 10 years)
-      # @return [FeedToken, nil]
-      def self.create_with_validation(username:, url:, secret_key:, expires_in: Html2rss::Web::DEFAULT_EXPIRY)
-        return nil unless valid_inputs?(username, url, secret_key)
+      def self.create_with_validation(username:, url:, secret_key:, expires_in: DEFAULT_EXPIRY)
+        return unless valid_inputs?(username, url, secret_key)
 
         expires_at = Time.now.to_i + expires_in.to_i
-        payload = create_payload(username, url, expires_at)
+        payload = build_payload(username, url, expires_at)
         signature = generate_signature(secret_key, payload)
 
         new(username: username, url: url, expires_at: expires_at, signature: signature)
       end
 
-      # @param encoded_token [String]
-      # @return [FeedToken, nil]
-      def self.decode(encoded_token)
-        return nil unless encoded_token
+      def self.decode(encoded_token) # rubocop:disable Metrics/MethodLength
+        return unless encoded_token
 
         token_data = parse_token_data(encoded_token)
-        return nil unless valid_token_data?(token_data)
+        return unless valid_token_data?(token_data)
 
-        create_from_token_data(token_data)
+        payload = token_data[:p]
+        new(
+          username: payload[:u],
+          url: payload[:l],
+          expires_at: payload[:e],
+          signature: token_data[:s]
+        )
       rescue JSON::ParserError, ArgumentError, Zlib::DataError, Zlib::BufError
         nil
       end
 
-      # @return [String] compressed base64-encoded token
-      def encode
-        token_data = build_token_data
-        compressed_data = Zlib::Deflate.deflate(token_data.to_json)
-        Base64.urlsafe_encode64(compressed_data)
-      end
-
-      # @return [Boolean]
-      def expired?
-        Time.now.to_i > expires_at
-      end
-
-      # @param url [String]
-      # @return [Boolean]
-      def valid_for_url?(url)
-        self.url == url
-      end
-
-      # @param encoded_token [String]
-      # @param expected_url [String]
-      # @param secret_key [String]
-      # @return [FeedToken, nil]
       def self.validate_and_decode(encoded_token, expected_url, secret_key)
         token = decode(encoded_token)
-        return nil unless token
-
-        return nil unless token.valid_signature?(secret_key)
-        return nil unless token.valid_for_url?(expected_url)
-        return nil if token.expired?
+        return unless token
+        return unless token.valid_signature?(secret_key)
+        return unless token.valid_for_url?(expected_url)
+        return if token.expired?
 
         token
       end
 
-      # @return [Hash] payload for HMAC verification
-      def payload_for_signature
-        {
-          username: username,
-          url: url,
-          expires_at: expires_at
-        }
+      def encode
+        compressed = Zlib::Deflate.deflate(build_token_data.to_json)
+        Base64.urlsafe_encode64(compressed)
+      end
+
+      def expired?
+        Time.now.to_i > expires_at
       end
 
-      # @param username [String]
-      # @param url [String]
-      # @param secret_key [String]
-      # @return [Boolean]
-      def self.valid_inputs?(username, url, secret_key)
-        valid_username?(username) && UrlValidator.valid_url?(url) && secret_key
+      def valid_for_url?(candidate_url)
+        url == candidate_url
       end
 
-      # @param secret_key [String]
-      # @return [Boolean]
       def valid_signature?(secret_key)
-        return false unless secret_key
+        return false unless self.class.valid_secret_key?(secret_key)
 
         expected_signature = self.class.generate_signature(secret_key, payload_for_signature)
         secure_compare(signature, expected_signature)
       end
 
       private
 
-      # @param encoded_token [String]
-      # @return [Hash, nil]
-      def self.parse_token_data(encoded_token)
-        compressed_data = Base64.urlsafe_decode64(encoded_token)
-        json_data = Zlib::Inflate.inflate(compressed_data)
-        JSON.parse(json_data, symbolize_names: true)
+      def payload_for_signature
+        { username: username, url: url, expires_at: expires_at }
       end
 
-      # @param token_data [Hash]
-      # @return [Boolean]
-      def self.valid_token_data?(token_data)
-        return false unless token_data[:p] && token_data[:s]
-
-        payload = token_data[:p]
-        payload[:u] && payload[:l] && payload[:e]
+      def build_token_data
+        { p: { u: username, l: url, e: expires_at }, s: signature }
       end
 
-      # @param token_data [Hash]
-      # @return [FeedToken]
-      def self.create_from_token_data(token_data)
-        payload = token_data[:p]
-        new(
-          username: payload[:u],
-          url: payload[:l],
-          expires_at: payload[:e],
-          signature: token_data[:s]
-        )
-      end
+      def secure_compare(first, second)
+        return false unless first && second && first.bytesize == second.bytesize
 
-      # @return [Hash]
-      def build_token_data
-        compressed_payload = {
-          u: username,
-          l: url,
-          e: expires_at
-        }
-
-        {
-          p: compressed_payload,
-          s: signature
-        }
+        first.each_byte.zip(second.each_byte).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
       end
 
-      # @param username [String]
-      # @param url [String]
-      # @param expires_at [Integer]
-      # @return [Hash]
-      def self.create_payload(username, url, expires_at)
-        {
-          username: username,
-          url: url,
-          expires_at: expires_at
-        }
-      end
+      class << self
+        def build_payload(username, url, expires_at)
+          { username: username, url: url, expires_at: expires_at }
+        end
 
-      # @param secret_key [String]
-      # @param payload [Hash]
-      # @return [String]
-      def self.generate_signature(secret_key, payload)
-        OpenSSL::HMAC.hexdigest(Html2rss::Web::HMAC_ALGORITHM, secret_key, payload.to_json)
-      end
+        def generate_signature(secret_key, payload)
+          data = payload.is_a?(String) ? payload : JSON.generate(payload)
+          OpenSSL::HMAC.hexdigest(HMAC_ALGORITHM, secret_key, data)
+        end
 
-      # @param username [String]
-      # @return [Boolean]
-      def self.valid_username?(username)
-        return false unless username.is_a?(String)
-        return false if username.empty? || username.length > 100
-        return false unless username.match?(/\A[a-zA-Z0-9_-]+\z/)
+        def parse_token_data(encoded_token)
+          decoded = Base64.urlsafe_decode64(encoded_token)
+          inflated = Zlib::Inflate.inflate(decoded)
+          JSON.parse(inflated, symbolize_names: true)
+        end
 
-        true
-      end
+        def valid_token_data?(token_data)
+          return false unless token_data.is_a?(Hash)
 
-      # @param url [String]
-      # @return [Boolean]
-      def self.valid_url?(url)
-        UrlValidator.valid_url?(url)
-      end
+          payload = token_data[:p]
+          signature = token_data[:s]
+          payload.is_a?(Hash) && signature.is_a?(String) && !signature.empty? &&
+            COMPRESSED_PAYLOAD_KEYS.all? { |key| payload[key] }
+        end
+
+        def valid_inputs?(username, url, secret_key)
+          valid_username?(username) && UrlValidator.valid_url?(url) && valid_secret_key?(secret_key)
+        end
+
+        def valid_username?(username)
+          username.is_a?(String) && !username.empty? && username.length <= 100 && username.match?(/\A[a-zA-Z0-9_-]+\z/)
+        end
 
-      # Constant-time comparison to prevent timing attacks
-      # @param first_string [String]
-      # @param second_string [String]
-      # @return [Boolean]
-      def secure_compare(first_string, second_string)
-        return false unless first_string && second_string
-        return false unless first_string.bytesize == second_string.bytesize
-
-        result = 0
-        first_string.bytes.zip(second_string.bytes) { |x, y| result |= x ^ y }
-        result.zero?
+        def valid_secret_key?(secret_key)
+          secret_key.is_a?(String) && !secret_key.empty?
+        end
       end
     end
   end