b55b75cbe7
Fix silent fallbacks for unsupported formats and fit modes
...
- Return ErrUnsupportedOutputFormat for WebP/AVIF encoding
- Return ErrInvalidFitMode for unknown fit mode values
- Add ValidateFitMode() for input validation
- Validate fit mode at handler level before processing
Silent fallbacks violate the principle of least surprise and mask bugs.
When a user explicitly specifies a value, we should either honor it or
return an error - never silently substitute a different value.
2026-01-08 11:08:22 -08:00
df6d347e68
Add tests for unsupported output format errors
...
Tests verify that WebP and AVIF encoding requests return
ErrUnsupportedOutputFormat instead of silently falling back
to a different format.
2026-01-08 11:08:16 -08:00
014c144d73
Add 'Never' expiry option for encrypted URLs
...
- Make ExpiresAt optional in CBOR (omitempty) for smaller tokens
- Treat ExpiresAt=0 as 'never expires' in parser
- URL-encode token with url.PathEscape() for safety
- Add 'Never' as default TTL option in generator form
2026-01-08 11:08:11 -08:00
d9f4e2038e
Add manual test script for auth and encrypted URLs
...
scripts/manual-test.sh tests:
1. Healthcheck endpoint
2. Login page displays
3. Wrong password shows error
4. Correct password shows generator
5. Generate encrypted URL
6. Fetch image via encrypted URL
7. Fetch image via direct proxy (whitelisted)
8. Logout redirects to login
9. Expired URL returns 410
2026-01-08 10:53:02 -08:00
b233871241
Add detailed logging for image conversions on cache miss
...
Log includes:
- file path
- input/output format
- input/output size in bytes
- input/output dimensions
- size ratio (percentage)
Also adds InputWidth, InputHeight, InputFormat to ProcessResult
2026-01-08 10:44:34 -08:00
02de534cc2
Reorganize TODO.md: remove completed, prioritize for 1.0
...
P0 Critical: Manual testing, cache eviction, config validation
P1 Production: Blocked networks, rate limiting, EXIF stripping
P2 Nice to have: Everything else
2026-01-08 10:41:00 -08:00
d8bb374f73
Merge feature/http-response-handling: ETag, HEAD, conditional requests
2026-01-08 10:09:14 -08:00
774ee97ba1
Update TODO.md: mark HTTP response handling items complete
...
Completed:
- ETag generation and validation
- Conditional requests (If-None-Match)
- HEAD request support
- Metrics endpoint with auth (already implemented)
2026-01-08 10:09:10 -08:00
1f809a6fc9
Implement ETag, HEAD requests, and conditional requests
...
- Add ETag generation based on output content hash (first 16 chars)
- Add ContentLength to ImageResponse from cache
- Add LoadWithSize method to ContentStorage
- Add GetOutputWithSize method to Cache
- Handle HEAD requests returning headers only
- Handle If-None-Match conditional requests returning 304
- Register HEAD route for image proxy endpoint
2026-01-08 10:08:38 -08:00
4df3e44eff
Add failing tests for ETag, HEAD requests, and conditional requests
...
TDD: Write tests first before implementation for:
- ETag generation and consistency in service layer
- HEAD request support (headers only, no body)
- Conditional requests with If-None-Match header (304 responses)
2026-01-08 10:06:18 -08:00
aed9dd6e8d
Merge feature/graceful-shutdown-and-sanitization: Add security headers middleware
2026-01-08 10:02:34 -08:00
6f423af65d
Update TODO.md: mark graceful shutdown and sanitization as complete
2026-01-08 10:02:29 -08:00
2e349a8b83
Implement security headers middleware
...
Adds X-Content-Type-Options, X-Frame-Options, Referrer-Policy,
and X-XSS-Protection headers to all responses.
2026-01-08 10:02:17 -08:00
5de7a26735
Add failing tests for security headers middleware
...
Tests for X-Content-Type-Options, X-Frame-Options, Referrer-Policy,
X-XSS-Protection headers on responses.
2026-01-08 10:01:36 -08:00
9592175238
Merge feature/security-validations: Add input dimension and path traversal validation
2026-01-08 08:50:43 -08:00
90be4e7763
Update TODO.md: mark security validations as complete
2026-01-08 08:50:37 -08:00
95408e68d4
Implement max input dimensions and path traversal validation
...
- Reject input images exceeding MaxInputDimension (8192px) to prevent DoS
- Detect path traversal: ../, encoded variants, backslashes, null bytes
2026-01-08 08:50:18 -08:00
c964feac7e
Add failing tests for input dimension and path traversal validation
...
Tests for:
- ErrInputTooLarge when input image exceeds MaxInputDimension
- ErrPathTraversal for ../, encoded traversal, backslashes, null bytes
2026-01-08 08:48:11 -08:00
857be30e82
Update TODO.md: mark auth/encrypted URLs feature as complete
2026-01-08 08:43:23 -08:00
06c99b6f4e
Merge feature/auth-and-encrypted-urls: Add login, sessions, and encrypted URLs
2026-01-08 07:41:28 -08:00
f601e17812
Add implementation plan for auth and encrypted URLs feature
2026-01-08 07:39:31 -08:00
6355886dba
Add vendoring and repo size guidelines to CLAUDE.md
2026-01-08 07:39:27 -08:00
2cbafe374c
Add mock fetcher and service tests for imgcache
...
Introduces Fetcher interface, mock implementation for testing,
and ApplyMigrations helper for test database setup.
2026-01-08 07:39:18 -08:00
1f0ec59eb5
Wire up auth routes and encrypted URL endpoint
...
Add session manager and encurl generator to handlers.
Register /, /logout, /generate, /v1/e/{token}, /static/* routes.
2026-01-08 07:38:44 -08:00
08d6e264ed
Add auth and encrypted image handlers
...
Login page, logout, URL generator form, and /v1/e/{token}
endpoint for serving images from encrypted URLs.
2026-01-08 07:38:15 -08:00
aad5e59d23
Add static files and HTML templates for web UI
...
Embedded Tailwind CSS and login/generator templates.
Self-contained with no external dependencies.
2026-01-08 07:38:09 -08:00
c033e918f0
Add encurl package for encrypted URL tokens
...
CBOR-encoded payloads with NaCl secretbox encryption.
Supports expiration, image parameters with omitempty defaults.
2026-01-08 07:38:05 -08:00
041b18f651
Add session package for encrypted cookie management
...
Uses gorilla/securecookie with keys derived via HKDF.
30-day TTL, HttpOnly, Secure, SameSiteStrict cookies.
2026-01-08 07:37:58 -08:00
3f4f345d1c
Add seal package for authenticated encryption
...
Provides HKDF-SHA256 key derivation and NaCl secretbox
(XSalsa20-Poly1305) encryption/decryption utilities.
2026-01-08 07:37:53 -08:00
1e890ffbcc
Fix spelling, punctuation, and capitalization in CLAUDE.md
2026-01-08 05:29:08 -08:00
f244d9c7e0
Add per-host connection limits for upstream fetching
...
- Add upstream_connections_per_host config option (default: 20)
- Implement per-host semaphores to limit concurrent connections
- Semaphore released when response body is closed
- Prevents overwhelming origin servers with parallel requests
2026-01-08 05:19:20 -08:00
49ff72dfa8
Add bin/ to gitignore
2026-01-08 05:14:11 -08:00
6304556837
Refactor to serve all responses from cached files on disk
...
- StoreOutput now returns output hash for immediate retrieval
- Cache misses now serve from disk file after storing (same as hits)
- Log served_bytes from actual io.Copy result (avoids stat calls)
- Remove ContentLength field usage for cache hits (stream from file)
- Fix tests to properly check all return values
2026-01-08 05:11:55 -08:00
1a97f42cd8
Add detailed logging for image requests with cache status and timing
2026-01-08 05:04:08 -08:00
6a20406b0f
Add -config flag using cobra to specify config file path
2026-01-08 04:58:05 -08:00
271527679e
Add example config file with whitelisted hosts
2026-01-08 04:09:06 -08:00
9647829ac9
Support YAML list format for whitelist_hosts config
2026-01-08 04:08:51 -08:00
3fcf9d9146
Add failing test for YAML list format in whitelist_hosts config
2026-01-08 04:08:11 -08:00
cc0fd29954
Update TODO.md with completed image processing items
2026-01-08 04:02:53 -08:00
fd2d108f9c
Wire up image handler endpoint with service orchestration
...
- Add image proxy config options (signing_key, whitelist_hosts, allow_http)
- Create Service to orchestrate cache, fetcher, and processor
- Initialize image service in handlers OnStart hook
- Implement HandleImage with URL parsing, signature validation, cache
- Implement HandleRobotsTxt for search engine prevention
- Parse query params for signature, quality, and fit mode
2026-01-08 04:01:53 -08:00
5462c9222c
Add pure Go image processor with resize and format conversion
...
Implements the Processor interface using disintegration/imaging library.
Supports JPEG, PNG, GIF, WebP decoding and JPEG, PNG, GIF encoding.
Includes all fit modes: cover, contain, fill, inside, outside.
2026-01-08 03:54:50 -08:00
9629139989
Add tests for cache service
...
Tests cover: lookup miss/hit, store source/output, negative caching,
negative cache expiry, hot cache, output retrieval, stats, and cleanup.
2026-01-08 03:39:23 -08:00
11295db68a
Exclude vendor directory from format checks
2026-01-08 03:37:58 -08:00
d9e57de108
Add TDD and commit workflow rules to CLAUDE.md
2026-01-08 03:36:22 -08:00
b14c897408
Update TODO.md with completed caching layer items
2026-01-08 03:36:05 -08:00
6d32b7ee23
Fix formatting in fetcher and signature tests
2026-01-08 03:36:00 -08:00
30c5c077e5
Add cache service with hot cache and negative caching
...
Implements cache lookup with in-memory hot path, source/output storage,
negative caching for failed fetches, TTL expiration, and statistics tracking.
2026-01-08 03:35:55 -08:00
2f20c71da0
Add content-addressable storage and cache key generation
...
ContentStorage stores blobs at <dir>/<ab>/<cd>/<sha256> paths.
MetadataStorage stores JSON at <dir>/<host>/<path_hash>.json.
CacheKey generates unique keys from request parameters.
2026-01-08 03:35:50 -08:00
4595929275
Add embedded SQL migrations system
...
Migrations are stored in schema/*.sql and embedded via go:embed.
Applied migrations are tracked in schema_migrations table.
Initial schema includes source_content, source_metadata, output_content,
request_cache, negative_cache, and cache_stats tables.
2026-01-08 03:35:43 -08:00
27eb9fb513
Add HMAC signature specification to README
...
Documents the signature scheme: HMAC-SHA256 over host:path:query:width:height:format:expiration
with base64url encoding and Unix timestamp expiration.
2026-01-08 03:35:36 -08:00
