api/v1, legacy clean, token in url path and zlib'ed

Author: gildesmarais

.github/copilot-instructions.md

@@ -4,7 +4,6 @@
 
 - Ruby web app that converts websites into RSS 2.0 feeds.
 - Built with **Roda** backend + **Astro** frontend, using the **html2rss** gem (+ `html2rss-configs`).
-- **Principle:** _All features must work without JavaScript._ JS is only progressive enhancement.
 - **Frontend:** Modern Astro-based UI with component architecture, served alongside Ruby backend.
 
 ## Documentation website of core dependencies
@@ -46,12 +45,11 @@ Fix rubocop `RSpec/MultipleExpectations` adding rspec tag `:aggregate_failures`.
 - ✅ **Specs**: RSpec for Ruby, build tests for frontend.
 
 ## Don't
-
-- ❌ Don't depend on JS for core flows.
+- ❌ Don't use Ruby's URI class or addressable gem directly. Strictly use `Html2rss::Url` only.
 - ❌ Don't bypass SSRF filter or weaken CSP.
 - ❌ Don't add databases, ORMs, or background jobs.
 - ❌ Don't leak stack traces or secrets in responses.
-- ❌ Don't add complex frontend frameworks (React, Vue, etc.). Keep Astro simple.
+- ❌ Don't test private methods using `send(...)`
 - ❌ Don't modify `frontend/dist/` - it's generated by build process.
 - ❌ NEVER expose the auth token a user provides.
 

README.md

@@ -102,13 +102,13 @@ curl -X POST "https://your-domain.com/api/v1/feeds" \
       "id": "abc123",
       "name": "Example Feed", 
       "url": "https://example.com",
-      "public_url": "/feeds/abc123?token=...&url=https%3A%2F%2Fexample.com"
+      "public_url": "/api/v1/feeds/eyJwYXlsb2FkIjoi..."
     }
   }
 }
 
-# Access the feed publicly
-curl "https://your-domain.com/feeds/abc123?token=...&url=https%3A%2F%2Fexample.com"
+# Access the feed publicly using the signed token
+curl "https://your-domain.com/api/v1/feeds/eyJwYXlsb2FkIjoi..."
 ```
 
 ### Security Features

app.rb

@@ -24,9 +24,7 @@
 module Html2rss
   module Web
     ##
-    # This app uses html2rss and serves the feeds via HTTP.
-    #
-    # It is built with [Roda](https://roda.jeremyevans.net/).
+    # Roda app serving RSS feeds via html2rss
     class App < Roda
       CONTENT_TYPE_RSS = 'application/xml'
 
@@ -54,7 +52,7 @@ def development? = self.class.development?
         csp.font_src :self, 'data:'
         csp.form_action :self
         csp.base_uri :none
-        csp.frame_ancestors :none
+        csp.frame_ancestors development? ? ['http://localhost:*', 'https://localhost:*'] : :none
         csp.frame_src :self
         csp.object_src :none
         csp.media_src :none
@@ -66,12 +64,18 @@ def development? = self.class.development?
       end
 
       plugin :default_headers, {
-        'X-Content-Type-Options' => 'nosniff', 'X-XSS-Protection' => '1; mode=block',
-        'X-Frame-Options' => 'SAMEORIGIN', 'X-Permitted-Cross-Domain-Policies' => 'none',
-        'Referrer-Policy' => 'strict-origin-when-cross-origin', 'Permissions-Policy' => 'geolocation=(), microphone=(), camera=()',
+        'X-Content-Type-Options' => 'nosniff',
+        'X-XSS-Protection' => '1; mode=block',
+        'X-Frame-Options' => 'SAMEORIGIN',
+        'X-Permitted-Cross-Domain-Policies' => 'none',
+        'Referrer-Policy' => 'strict-origin-when-cross-origin',
+        'Permissions-Policy' => 'geolocation=(), microphone=(), camera=()',
         'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains; preload',
-        'Cross-Origin-Embedder-Policy' => 'require-corp', 'Cross-Origin-Opener-Policy' => 'same-origin',
-        'Cross-Origin-Resource-Policy' => 'same-origin', 'X-DNS-Prefetch-Control' => 'off', 'X-Download-Options' => 'noopen'
+        'Cross-Origin-Embedder-Policy' => 'require-corp',
+        'Cross-Origin-Opener-Policy' => 'same-origin',
+        'Cross-Origin-Resource-Policy' => 'same-origin',
+        'X-DNS-Prefetch-Control' => 'off',
+        'X-Download-Options' => 'noopen'
       }
 
       plugin :json_parser
@@ -112,18 +116,6 @@ def development? = self.class.development?
       route do |r|
         r.public
 
-        r.get 'feeds.json' do
-          r.response['Cache-Control'] = 'public, max-age=300'
-          JSON.generate(Feeds.list_feeds)
-        end
-
-        r.get 'strategies.json' do
-          r.response['Cache-Control'] = 'public, max-age=3600'
-          JSON.generate({ strategies: Html2rss::RequestService.strategy_names.map do |name|
-            { name: name.to_s, display_name: name.to_s.split('_').map(&:capitalize).join(' ') }
-          end })
-        end
-
         r.on 'api', 'v1' do
           r.response['Content-Type'] = 'application/json'
 
@@ -149,8 +141,8 @@ def development? = self.class.development?
           end
 
           r.on 'feeds' do
-            r.get String do |feed_id|
-              result = Api::V1::Feeds.show(r, feed_id)
+            r.get String do |token|
+              result = Api::V1::Feeds.show(r, token)
               result.is_a?(Hash) ? JSON.generate(result) : result
             end
             r.post do
@@ -179,25 +171,13 @@ def development? = self.class.development?
           end
         end
 
-        r.on 'auto_source' do
-          if AutoSource.enabled?
-            r.post 'create' do
-              handle_create_feed(r)
-            end
+        # Backward compatibility: /{feed_name} (no auth required)
+        r.get String do |feed_name|
+          # Skip static file requests
+          next if feed_name.include?('.') && !feed_name.end_with?('.xml', '.rss')
 
-            r.get String do |encoded_url|
-              handle_legacy_feed(r, encoded_url)
-            end
-          else
-            r.response.status = 400
-            'Auto source feature is disabled'
-          end
-        end
-
-        r.on 'feeds' do
-          r.get String do |_feed_id|
-            handle_feed_with_auth(r, r.params['token'])
-          end
+          # Route to feed generation without auth for backward compatibility
+          handle_feed_generation(r, feed_name)
         end
         r.get 'health_check.txt' do
           handle_health_check(r)
@@ -210,7 +190,25 @@ def development? = self.class.development?
       end
 
       def fallback_html
-        '<!DOCTYPE html><html><head><title>html2rss-web</title><meta name="viewport" content="width=device-width,initial-scale=1"><style>body{font-family:system-ui,sans-serif;max-width:800px;margin:0 auto;padding:2rem;line-height:1.6}h1{color:#111827}code{background:#f3f4f6;padding:0.2rem 0.4rem;border-radius:0.25rem}</style></head><body><h1>html2rss-web</h1><p>Convert websites to RSS feeds</p><p>API available at <code>/api/</code></p></body></html>'
+        <<~HTML
+          <!DOCTYPE html>
+          <html>
+            <head>
+              <title>html2rss-web</title>
+              <meta name="viewport" content="width=device-width,initial-scale=1">
+              <style>
+                body{font-family:system-ui,sans-serif;max-width:800px;margin:0 auto;padding:2rem;line-height:1.6}
+                h1{color:#111827}
+                code{background:#f3f4f6;padding:0.2rem 0.4rem;border-radius:0.25rem}
+              </style>
+            </head>
+            <body>
+              <h1>html2rss-web</h1>
+              <p>Convert websites to RSS feeds</p>
+              <p>API available at <code>/api/</code></p>
+            </body>
+          </html>
+        HTML
       end
 
       private
@@ -223,65 +221,6 @@ def handle_feed_generation(router, feed_name)
         rss_content
       end
 
-      def handle_create_feed(router)
-        account = Auth.authenticate(router)
-        unless account
-          router.response.status = 401
-          return 'Unauthorized'
-        end
-
-        url = router.params['url']
-        unless url && Auth.valid_url?(url)
-          router.response.status = 400
-          return 'URL parameter required'
-        end
-
-        unless Auth.url_allowed?(account, url)
-          router.response.status = 403
-          return 'Access Denied'
-        end
-
-        strategy = router.params['strategy'] || 'ssrf_filter'
-        name = router.params['name'] || "Auto-generated feed for #{url}"
-        feed_data = AutoSource.create_stable_feed(name, url, account, strategy)
-        unless feed_data
-          router.response.status = 500
-          return 'Internal Server Error'
-        end
-
-        router.response['Content-Type'] = 'application/json'
-        JSON.generate(feed_data)
-      end
-
-      def handle_legacy_feed(router, encoded_url)
-        account = Auth.authenticate(router)
-        return error_response(router, 401, 'Unauthorized') unless account
-        return error_response(router, 403, 'Access Denied') unless AutoSource.allowed_origin?(router)
-
-        decoded_url = Base64.urlsafe_decode64(encoded_url)
-        return error_response(router, 400, 'Invalid URL') unless decoded_url && Auth.valid_url?(decoded_url)
-        return error_response(router, 403, 'Access Denied') unless AutoSource.url_allowed_for_token?(account,
-                                                                                                     decoded_url)
-
-        generate_rss_response(router, decoded_url)
-      rescue ArgumentError
-        error_response(router, 400, 'Invalid encoded URL')
-      end
-
-      def handle_feed_with_auth(router, feed_token = nil)
-        url = router.params['url']
-        return error_response(router, 400, 'url parameter required') unless url && Auth.valid_url?(url)
-
-        if feed_token
-          return error_response(router, 403, 'Access Denied') unless Auth.feed_url_allowed?(feed_token, url)
-        else
-          account = Auth.authenticate(router)
-          return error_response(router, 401, 'Unauthorized') unless account
-          return error_response(router, 403, 'Access Denied') unless Auth.url_allowed?(account, url)
-        end
-        generate_rss_response(router, url)
-      end
-
       def generate_rss_response(router, url)
         router.response['Content-Type'] = 'application/xml'
         HttpCache.expires(router.response, 600, cache_control: 'public')

app/api/v1/feeds.rb

@@ -5,14 +5,13 @@
 require_relative '../../feeds'
 require_relative '../../xml_builder'
 require_relative '../../exceptions'
+require_relative '../../feed_token'
 
 module Html2rss
   module Web
     module Api
       module V1
-        ##
-        # RESTful API v1 for feeds resource
-        # Handles CRUD operations for RSS feeds
+        # RESTful API v1 for feeds
         module Feeds
           module_function
 
@@ -31,39 +30,19 @@ def index(_request)
             { success: true, data: { feeds: feeds }, meta: { total: feeds.count } }
           end
 
-          def show(request, feed_id)
-            if json_request?(request)
-              show_feed_metadata(feed_id)
-            else
-              generate_feed_content(request, feed_id)
-            end
+          def show(request, token)
+            handle_token_based_feed(request, token)
           end
 
           def create(request)
-            account = Auth.authenticate(request)
-            raise UnauthorizedError, 'Authentication required' unless account
-
-            url = request.params['url']
-            name = request.params['name'] || extract_site_title(url)
-            strategy = request.params['strategy'] || 'ssrf_filter'
+            account = authenticate_request(request)
+            params = extract_create_params(request)
+            validate_create_params(params, account)
 
-            raise BadRequestError, 'URL parameter is required' if url.nil? || url.empty?
-            raise BadRequestError, 'Invalid URL format' unless Auth.valid_url?(url)
-            raise ForbiddenError, 'URL not allowed for this account' unless Auth.url_allowed?(account, url)
-
-            feed_data = AutoSource.create_stable_feed(name, url, account, strategy)
+            feed_data = AutoSource.create_stable_feed(params[:name], params[:url], account, params[:strategy])
             raise InternalServerError, 'Failed to create feed' unless feed_data
 
-            request.response['Content-Type'] = 'application/json'
-            { success: true, data: { feed: {
-              id: feed_data[:id],
-              name: feed_data[:name],
-              url: feed_data[:url],
-              strategy: feed_data[:strategy],
-              public_url: feed_data[:public_url],
-              created_at: Time.now.iso8601,
-              updated_at: Time.now.iso8601
-            } }, meta: { created: true } }
+            build_create_response(request, feed_data)
           end
 
           def json_request?(request)
@@ -91,17 +70,88 @@ def generate_feed_content(request, feed_id)
             config = LocalConfig.find(feed_id)
             ttl = config&.dig(:channel, :ttl) || 3600
 
-            # Set appropriate headers for XML response
             request.response['Content-Type'] = 'application/xml'
             request.response['Cache-Control'] = "public, max-age=#{ttl}"
 
-            # Convert RSS object to string
             rss_content.to_s
           end
 
+          def handle_token_based_feed(request, token)
+            feed_token = validate_feed_token(token)
+            account = get_account_for_token(feed_token)
+            validate_account_access(account, feed_token.url)
+
+            generate_feed_response(request, feed_token.url)
+          end
+
           def extract_site_title(url)
             AutoSource.extract_site_title(url)
           end
+
+          def validate_feed_token(token)
+            feed_token = FeedToken.validate_and_decode(token, nil, Auth.secret_key)
+            raise UnauthorizedError, 'Invalid token' unless feed_token
+
+            feed_token
+          end
+
+          def get_account_for_token(feed_token)
+            account = Auth.get_account_by_username(feed_token.username)
+            raise UnauthorizedError, 'Account not found' unless account
+
+            account
+          end
+
+          def validate_account_access(account, url)
+            raise ForbiddenError, 'Access Denied' unless Auth.url_allowed?(account, url)
+          end
+
+          def generate_feed_response(request, url)
+            strategy = request.params['strategy'] || 'ssrf_filter'
+            rss_content = AutoSource.generate_feed_content(url, strategy)
+
+            request.response['Content-Type'] = 'application/xml'
+            HttpCache.expires(request.response, 600, cache_control: 'public')
+
+            rss_content.to_s
+          end
+
+          def authenticate_request(request)
+            account = Auth.authenticate(request)
+            raise UnauthorizedError, 'Authentication required' unless account
+
+            account
+          end
+
+          private
+
+          def extract_create_params(request)
+            url = request.params['url']
+            {
+              url: url,
+              name: request.params['name'] || extract_site_title(url),
+              strategy: request.params['strategy'] || 'ssrf_filter'
+            }
+          end
+
+          def validate_create_params(params, account)
+            raise BadRequestError, 'URL parameter is required' if params[:url].nil? || params[:url].empty?
+            raise BadRequestError, 'Invalid URL format' unless Auth.valid_url?(params[:url])
+            raise ForbiddenError, 'URL not allowed for this account' unless Auth.url_allowed?(account, params[:url])
+          end
+
+          def build_create_response(request, feed_data)
+            request.response['Content-Type'] = 'application/json'
+            { success: true, data: { feed: {
+              id: feed_data[:id],
+              name: feed_data[:name],
+              url: feed_data[:url],
+              strategy: feed_data[:strategy],
+              public_url: feed_data[:public_url],
+              created_at: Time.now.iso8601,
+              updated_at: Time.now.iso8601
+            } }, meta: { created: true } }
+          end
         end
       end
     end