Refactor auto source configuration and improve request handling

- Simplified the auto source configuration in CONFIGURATION.md.
- Removed obsolete allowed origin checks from feeds.rb.
- Updated session storage usage in frontend tests and hooks.
- Enhanced error handling for unsupported strategies in API endpoints.
- Improved rate limiting responses in rack_attack.rb.

Author: gildesmarais

CONFIGURATION.md

@@ -4,13 +4,9 @@
 
 ### Auto Source Configuration
 
-| Variable                      | Description                            | Default           | Example                                               |
-| ----------------------------- | -------------------------------------- | ----------------- | ----------------------------------------------------- |
-| `AUTO_SOURCE_ENABLED`         | Enable auto source feature             | `false`           | `true`                                                |
-| `AUTO_SOURCE_USERNAME`        | Basic auth username                    | Required          | `admin`                                               |
-| `AUTO_SOURCE_PASSWORD`        | Basic auth password                    | Required          | `changeme`                                            |
-| `AUTO_SOURCE_ALLOWED_ORIGINS` | Allowed request origins                | Required          | `localhost:3000,example.com`                          |
-| `AUTO_SOURCE_ALLOWED_URLS`    | **URL whitelist for public instances** | `""` (allows all) | `https://github.com/*,https://news.ycombinator.com/*` |
+| Variable              | Description                | Default | Example |
+| --------------------- | -------------------------- | ------- | ------- |
+| `AUTO_SOURCE_ENABLED` | Enable auto source feature | `false` | `true`  |
 
 ### Health Check Configuration
 
@@ -27,41 +23,16 @@ Health check authentication relies on the `health-check` account defined in `con
 | `RUBY_PATH` | Path to Ruby executable    | `ruby`  | `/usr/bin/ruby` |
 | `APP_ROOT`  | Application root directory | `.`     | `/app`          |
 
-## URL Restriction Patterns
-
-The `AUTO_SOURCE_ALLOWED_URLS` variable supports:
-
-- **Exact URLs**: `https://example.com/news`
-- **Wildcard patterns**: `https://example.com/*` (matches any path)
-- **Domain patterns**: `https://*.example.com` (matches subdomains)
-- **Multiple patterns**: Comma-separated list
-
-### Examples
-
-```bash
-# Allow only specific sites
-AUTO_SOURCE_ALLOWED_URLS=https://github.com/*,https://news.ycombinator.com/*,https://example.com/news
-
-# Allow all subdomains of a domain
-AUTO_SOURCE_ALLOWED_URLS=https://*.example.com/*
-
-# Allow everything (for private instances)
-AUTO_SOURCE_ALLOWED_URLS=
-
-# Block everything (disable auto source)
-AUTO_SOURCE_ENABLED=false
-```
-
 ## Security Considerations
 
 ### Public Instances
-- **Always set** `AUTO_SOURCE_ALLOWED_URLS` to restrict URLs
+- Define per-account `allowed_urls` in `config/feeds.yml`
 - Use strong authentication credentials
 - Monitor usage and set up rate limiting
 - Consider IP whitelisting for additional security
 
 ### Private Instances
-- Leave `AUTO_SOURCE_ALLOWED_URLS` empty to allow all URLs
+- Use `allowed_urls: ['*']` to allow all URLs for trusted accounts
 - Still use authentication to prevent unauthorized access
 - Consider network-level restrictions
 
@@ -70,20 +41,20 @@ AUTO_SOURCE_ENABLED=false
 ### Public Demo Instance
 ```bash
 AUTO_SOURCE_ENABLED=true
-AUTO_SOURCE_USERNAME=demo
-AUTO_SOURCE_PASSWORD=secure_password
-AUTO_SOURCE_ALLOWED_URLS=https://github.com/*,https://news.ycombinator.com/*,https://example.com/*
 ```
 
 ### Private Instance
 ```bash
 AUTO_SOURCE_ENABLED=true
-AUTO_SOURCE_USERNAME=admin
-AUTO_SOURCE_PASSWORD=very_secure_password
-AUTO_SOURCE_ALLOWED_URLS=
 ```
 
 ### Disabled Auto Source
 ```bash
 AUTO_SOURCE_ENABLED=false
 ```
+
+## Managing Accounts
+
+Authentication for auto source is configured in `config/feeds.yml`. Define accounts with unique tokens and optional
+`allowed_urls` patterns to control which sites each token may access. Tokens are stored client-side in session storage,
+so treat them like sensitive credentials and rotate when necessary.

app/api/v1/feeds.rb

@@ -27,7 +27,6 @@ def show(request, token)
 
           def create(request)
             raise ForbiddenError, 'Auto source feature is disabled' unless AutoSource.enabled?
-            raise ForbiddenError, 'Request origin not allowed' unless AutoSource.allowed_origin?(request)
 
             account = authenticate_request(request)
             params = extract_create_params(request)
@@ -41,7 +40,6 @@ def create(request)
 
           def handle_token_based_feed(request, token)
             raise ForbiddenError, 'Auto source feature is disabled' unless AutoSource.enabled?
-            raise ForbiddenError, 'Request origin not allowed' unless AutoSource.allowed_origin?(request)
 
             feed_token = validate_feed_token(token)
             account = get_account_for_token(feed_token)
@@ -76,7 +74,7 @@ def validate_account_access(account, url)
           end
 
           def generate_feed_response(request, url)
-            strategy = request.params['strategy'] || 'ssrf_filter'
+            strategy = select_strategy(request.params['strategy'])
             rss_content = AutoSource.generate_feed_content(url, strategy)
 
             request.response['Content-Type'] = 'application/xml'
@@ -96,10 +94,11 @@ def authenticate_request(request)
 
           def extract_create_params(request)
             url = request.params['url']
+            strategy = select_strategy(request.params['strategy'])
             {
               url: url,
               name: request.params['name'] || extract_site_title(url),
-              strategy: request.params['strategy'] || 'ssrf_filter'
+              strategy: strategy
             }
           end
 
@@ -111,19 +110,49 @@ def validate_create_params(params, account)
 
           def build_create_response(request, feed_data)
             request.response['Content-Type'] = 'application/json'
-            { success: true, data: { feed: {
-              id: feed_data[:id],
-              name: feed_data[:name],
-              url: feed_data[:url],
-              strategy: feed_data[:strategy],
-              public_url: feed_data[:public_url],
-              created_at: Time.now.iso8601,
-              updated_at: Time.now.iso8601
-            } }, meta: { created: true } }
-          end
-          module_function :extract_create_params, :validate_create_params, :build_create_response, :authenticate_request
+            request.response.status = 201
+            feed_response_payload(feed_data)
+          end
+
+          def select_strategy(raw_strategy)
+            strategy = raw_strategy.to_s.strip
+            strategy = default_strategy if strategy.empty?
+
+            raise BadRequestError, 'Unsupported strategy' unless supported_strategies.include?(strategy)
+
+            strategy
+          end
+
+          def supported_strategies
+            Html2rss::RequestService.strategy_names.map(&:to_s)
+          end
+
+          def default_strategy
+            Html2rss::RequestService.default_strategy_name.to_s
+          end
+
+          def feed_response_payload(feed_data)
+            {
+              success: true,
+              data: { feed: {
+                id: feed_data[:id],
+                name: feed_data[:name],
+                url: feed_data[:url],
+                strategy: feed_data[:strategy],
+                public_url: feed_data[:public_url],
+                created_at: Time.now.iso8601,
+                updated_at: Time.now.iso8601
+              } },
+              meta: { created: true }
+            }
+          end
+
+          module_function :extract_create_params, :validate_create_params, :build_create_response,
+                          :authenticate_request, :select_strategy, :supported_strategies, :default_strategy,
+                          :feed_response_payload
           private_class_method :extract_create_params, :validate_create_params, :build_create_response,
-                               :authenticate_request
+                               :authenticate_request, :select_strategy, :supported_strategies, :default_strategy,
+                               :feed_response_payload
         end
       end
     end

app/auto_source.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require 'uri'
 require_relative 'auth'
 require_relative 'feed_generator'
 
@@ -28,25 +27,6 @@ def authenticate_with_token(request)
         Auth.authenticate(request)
       end
 
-      # @param request [Roda::Request]
-      # @return [Boolean]
-      def allowed_origin?(request)
-        origin = request.env['HTTP_HOST'] || request.env['HTTP_X_FORWARDED_HOST']
-        origins = allowed_origins
-        origins.empty? || origins.include?(origin)
-      end
-
-      # @return [Array<String>]
-      def allowed_origins
-        if development?
-          default_origins = 'localhost:3000,localhost:3001,127.0.0.1:3000,127.0.0.1:3001'
-          origins = ENV.fetch('AUTO_SOURCE_ALLOWED_ORIGINS', default_origins)
-        else
-          origins = ENV.fetch('AUTO_SOURCE_ALLOWED_ORIGINS', '')
-        end
-        origins.split(',').map(&:strip).reject(&:empty?)
-      end
-
       # @param token_data [Hash]
       # @param url [String]
       # @return [Boolean]

config/rack_attack.rb

@@ -1,75 +1,84 @@
 # frozen_string_literal: true
 
+require 'json'
 require 'rack/attack'
 require_relative '../app/security_logger'
 
 # In-memory store (resets on restart)
 # Note: In production, consider using Redis for persistent rate limiting
 Rack::Attack.cache.store = {}
 
-# Whitelist health checks and internal IPs
-Rack::Attack.safelist('health-check') do |req|
-  req.path.start_with?('/health', '/status')
-end
+STANDARD_WINDOW = 60
+STANDARD_LIMIT = 100
+TOKEN_LIMIT = 60
 
-# Whitelist localhost in development
-Rack::Attack.safelist('localhost') do |req|
-  %w[127.0.0.1 ::1].include?(req.ip) if ENV['RACK_ENV'] == 'development'
-end
+Rack::Attack.throttle('requests per ip', limit: STANDARD_LIMIT, period: STANDARD_WINDOW, &:ip)
 
-# Rate limiting by IP
-Rack::Attack.throttle('requests per IP', limit: 100, period: 60) do |req|
-  Html2rss::Web::SecurityLogger.log_rate_limit_exceeded(req.ip, req.path, 100) if req.env['rack.attack.throttle_data']
-  req.ip
-end
+token_from_header = lambda do |req|
+  header = req.get_header('HTTP_AUTHORIZATION')
+  next unless header&.start_with?('Bearer ')
 
-# Rate limiting for API endpoints
-Rack::Attack.throttle('api requests per IP', limit: 200, period: 60) do |req|
-  if req.path.start_with?('/api/')
-    Html2rss::Web::SecurityLogger.log_rate_limit_exceeded(req.ip, req.path, 200) if req.env['rack.attack.throttle_data']
-    req.ip
-  end
+  token = header.split(' ', 2)[1]&.strip
+  token unless token.nil? || token.empty?
 end
 
-# Rate limiting for API feed generation (more restrictive)
-Rack::Attack.throttle('api feed generation per IP', limit: 10, period: 60) do |req|
-  if req.path.include?('/api/v1/feeds/') && req.params['token']
-    Html2rss::Web::SecurityLogger.log_rate_limit_exceeded(req.ip, req.path, 10) if req.env['rack.attack.throttle_data']
-    req.ip
-  end
+token_from_path = lambda do |req|
+  match = req.path.match(%r{^/api/v1/feeds/([^/]+)})
+  match && match[1]
 end
 
-# Block suspicious patterns
-Rack::Attack.blocklist('block bad user agents') do |req|
-  if req.user_agent&.match?(/bot|crawler|spider/i) && !req.user_agent&.match?(/googlebot|bingbot/i)
-    Html2rss::Web::SecurityLogger.log_blocked_request(req.ip, 'suspicious_user_agent', req.path)
-    true
-  end
+Rack::Attack.throttle('requests per token', limit: TOKEN_LIMIT, period: STANDARD_WINDOW) do |req|
+  token_from_header.call(req) || token_from_path.call(req)
 end
 
-# Custom responses with proper headers
-Rack::Attack.throttled_response = lambda do |_env|
-  retry_after = 60
-  [
-    429,
-    {
-      'Content-Type' => 'application/xml',
-      'Retry-After' => retry_after.to_s,
-      'X-RateLimit-Limit' => '100',
-      'X-RateLimit-Remaining' => '0',
-      'X-RateLimit-Reset' => (Time.now + retry_after).to_i.to_s
-    },
-    ['<rss><channel><title>Rate Limited</title><description>Too many requests. ' \
-     'Please try again later.</description></channel></rss>']
-  ]
+Rack::Attack.throttled_response = lambda do |env|
+  Html2rss::Web::RackAttackResponse.call(env)
 end
 
-# Track blocked requests for monitoring
-Rack::Attack.blocklisted_response = lambda do |_env|
-  [
-    403,
-    { 'Content-Type' => 'application/xml' },
-    ['<rss><channel><title>Access Denied</title><description>Request blocked by ' \
-     'security policy.</description></channel></rss>']
-  ]
+module Html2rss
+  module Web
+    module RackAttackResponse
+      module_function
+
+      def call(env)
+        request = Rack::Request.new(env)
+        match_data = env['rack.attack.match_data'] || {}
+        limit = match_data[:limit] || STANDARD_LIMIT
+
+        Html2rss::Web::SecurityLogger.log_rate_limit_exceeded(request.ip, request.path, limit)
+
+        retry_after = STANDARD_WINDOW
+        return api_response(retry_after) if request.path.start_with?('/api/')
+
+        text_response(retry_after)
+      end
+
+      def api_response(retry_after)
+        body = {
+          success: false,
+          error: { code: 'TOO_MANY_REQUESTS', message: 'Too many requests. Please try again later.' }
+        }.to_json
+
+        [
+          429,
+          {
+            'Content-Type' => 'application/json',
+            'Retry-After' => retry_after.to_s
+          },
+          [body]
+        ]
+      end
+
+      def text_response(retry_after)
+        [
+          429,
+          {
+            'Content-Type' => 'text/plain',
+            'Retry-After' => retry_after.to_s
+          },
+          ['Too many requests. Please try again later.']
+        ]
+      end
+    end
+  end
 end

frontend/playwright.config.ts

@@ -21,10 +21,6 @@ export default defineConfig({
         ...process.env,
         RACK_ENV: 'test',
         AUTO_SOURCE_ENABLED: 'true',
-        AUTO_SOURCE_USERNAME: 'admin',
-        AUTO_SOURCE_PASSWORD: 'changeme',
-        AUTO_SOURCE_ALLOWED_ORIGINS: '127.0.0.1:3000,localhost:3000',
-        AUTO_SOURCE_ALLOWED_URLS: 'https://example.com/*,https://test.com/*',
         HEALTH_CHECK_TOKEN: 'health-check-token-xyz789',
         HTML2RSS_SECRET_KEY: process.env.HTML2RSS_SECRET_KEY ?? 'test-secret-key-for-smoke',
       },

frontend/src/__tests__/App.contract.test.tsx

@@ -9,8 +9,8 @@ describe('App contract', () => {
   const token = 'contract-token';
 
   const authenticate = () => {
-    window.localStorage.setItem('html2rss_username', username);
-    window.localStorage.setItem('html2rss_token', token);
+    window.sessionStorage.setItem('html2rss_username', username);
+    window.sessionStorage.setItem('html2rss_token', token);
   };
 
   it('shows feed result when API responds with success', async () => {

frontend/src/__tests__/App.test.tsx

@@ -108,5 +108,4 @@ describe('App', () => {
     expect(screen.getByText('❌ Error')).toBeInTheDocument();
     expect(screen.getByText('Access Denied')).toBeInTheDocument();
   });
-
 });

frontend/src/__tests__/DemoButtons.test.tsx

@@ -28,5 +28,4 @@ describe('DemoButtons', () => {
       expect(mockOnConvert).toHaveBeenCalledWith('https://www.chip.de/testberichte');
     });
   });
-
 });