docs: update README and config to reflect exact-match-only whitelist

Remove suffix match documentation and config comments since whitelist now only supports exact host matches.
fix: remove suffix matching from host whitelist
2026-03-15 11:18:44 -07:00 · 2026-03-15 11:18:25 -07:00 · 2026-03-15 11:18:01 -07:00 · 2026-03-15 17:58:13 +01:00 · 2026-03-02 21:09:51 +01:00 · 2026-02-25 20:51:44 +01:00
7 changed files with 86 additions and 66 deletions
--- a/36
+++ b/36
@@ -1,7 +1,29 @@
 # Lint stage
 # golangci/golangci-lint:v2.10.1-alpine, 2026-02-17
 FROM golangci/golangci-lint:v2.10.1-alpine@sha256:33bc6b6156d4c7da87175f187090019769903d04dd408833b83083ed214b0ddf AS lint
 RUN apk add --no-cache make build-base vips-dev libheif-dev pkgconfig
 WORKDIR /src
 # Copy go mod files first for better layer caching
 COPY go.mod go.sum ./
 RUN go mod download
 # Copy source code
 COPY . .
 # Run formatting check and linter
 RUN make fmt-check
 RUN make lint
 # Build stage
 # golang:1.25.4-alpine, 2026-02-25
 FROM golang:1.25.4-alpine@sha256:d3f0cf7723f3429e3f9ed846243970b20a2de7bae6a5b66fc5914e228d831bbb AS builder
 # Depend on lint stage passing
 COPY --from=lint /src/go.sum /dev/null
 ARG VERSION=dev
 # Install build dependencies for CGO image libraries
@@ -9,15 +31,7 @@ RUN apk add --no-cache \
    build-base \
    vips-dev \
    libheif-dev \
-    pkgconfig \
+    pkgconfig
    curl
 # golangci-lint v2.10.1, 2026-02-25
 RUN curl -sSfL https://github.com/golangci/golangci-lint/releases/download/v2.10.1/golangci-lint-2.10.1-linux-amd64.tar.gz -o /tmp/golangci-lint.tar.gz && \
    echo "dfa775874cf0561b404a02a8f4481fc69b28091da95aa697259820d429b09c99  /tmp/golangci-lint.tar.gz" | sha256sum -c - && \
    tar -xzf /tmp/golangci-lint.tar.gz -C /tmp && \
    mv /tmp/golangci-lint-2.10.1-linux-amd64/golangci-lint /usr/local/bin/ && \
    rm -rf /tmp/golangci-lint*
 WORKDIR /src
@@ -28,8 +42,8 @@ RUN GOTOOLCHAIN=auto go mod download
 # Copy source code
 COPY . .
-# Run all checks (fmt-check, lint, test)
+# Run tests
-RUN make check
+RUN make test
 # Build with CGO enabled
 RUN CGO_ENABLED=1 GOTOOLCHAIN=auto go build -ldflags "-X main.Version=${VERSION}" -o /pixad ./cmd/pixad
--- a/README.md
+++ b/README.md
@@ -98,9 +98,7 @@ expiration 1704067200:
 **Whitelist patterns:**
- **Exact match**: `cdn.example.com` — matches only that host
+- **Exact match only**: `cdn.example.com` — matches only that host
 - **Suffix match**: `.example.com` — matches `cdn.example.com`,
  `images.example.com`, and `example.com`
 ### Configuration
--- a/TODO.md
+++ b/TODO.md
@@ -6,7 +6,7 @@ Remaining tasks sorted by priority for a working 1.0 release.
 ### Image Processing
 - [x] Add WebP encoding support (currently returns error)
- [ ] Add AVIF encoding support (currently returns error)
+- [x] Add AVIF encoding support (implemented via govips)
 ### Manual Testing (verify auth/encrypted URLs work)
 - [ ] Manual test: visit `/`, see login form
--- a/config.example.yml
+++ b/config.example.yml
@@ -13,8 +13,7 @@ state_dir: ./data
 # Generate with: openssl rand -base64 32
 signing_key: "CHANGE_ME_generate_with_openssl_rand_base64_32"
-# Hosts that don't require signatures
+# Hosts that don't require signatures (exact match only)
 # Use "." prefix for wildcard subdomain matching (e.g., ".example.com" matches "cdn.example.com")
 whitelist_hosts:
  - s3.sneak.cloud
  - static.sneak.cloud
--- a/internal/imgcache/whitelist.go
+++ b/internal/imgcache/whitelist.go
@@ -6,22 +6,19 @@ import (
 )
 // HostWhitelist implements the Whitelist interface for checking allowed source hosts.
 // Only exact host matches are supported. Leading dots in patterns are stripped
 // (e.g. ".example.com" becomes an exact match for "example.com").
 type HostWhitelist struct {
-	// exactHosts contains hosts that must match exactly (e.g., "cdn.example.com")
+	// hosts contains hosts that must match exactly (e.g., "cdn.example.com")
-	exactHosts map[string]struct{}
+	hosts map[string]struct{}
 	// suffixHosts contains domain suffixes to match (e.g., ".example.com" matches "cdn.example.com")
 	suffixHosts []string
 }
 // NewHostWhitelist creates a whitelist from a list of host patterns.
-// Patterns starting with "." are treated as suffix matches.
+// All patterns are treated as exact matches. Leading dots are stripped
-// Examples:
+// for backwards compatibility (e.g. ".example.com" matches "example.com" only).
 //   - "cdn.example.com" - exact match only
 //   - ".example.com" - matches cdn.example.com, images.example.com, etc.
 func NewHostWhitelist(patterns []string) *HostWhitelist {
 	w := &HostWhitelist{
-		exactHosts:  make(map[string]struct{}),
+		hosts: make(map[string]struct{}),
 		suffixHosts: make([]string, 0),
 	}
 	for _, pattern := range patterns {
@@ -30,17 +27,22 @@ func NewHostWhitelist(patterns []string) *HostWhitelist {
 			continue
 		}
-		if strings.HasPrefix(pattern, ".") {
+		// Strip leading dot — suffix matching is not supported.
-			w.suffixHosts = append(w.suffixHosts, pattern)
+		// ".example.com" is treated as exact match for "example.com".
-		} else {
+		pattern = strings.TrimPrefix(pattern, ".")
-			w.exactHosts[pattern] = struct{}{}
+
 		if pattern == "" {
 			continue
 		}
 		w.hosts[pattern] = struct{}{}
 	}
 	return w
 }
 // IsWhitelisted checks if a URL's host is in the whitelist.
 // Only exact host matches are supported.
 func (w *HostWhitelist) IsWhitelisted(u *url.URL) bool {
 	if u == nil {
 		return false
@@ -51,32 +53,17 @@ func (w *HostWhitelist) IsWhitelisted(u *url.URL) bool {
 		return false
 	}
-	// Check exact match
+	_, ok := w.hosts[host]
 	if _, ok := w.exactHosts[host]; ok {
 		return true
 	}
-	// Check suffix match
+	return ok
 	for _, suffix := range w.suffixHosts {
 		if strings.HasSuffix(host, suffix) {
 			return true
 		}
 		// Also match if host equals the suffix without the leading dot
 		// e.g., pattern ".example.com" should match "example.com"
 		if host == strings.TrimPrefix(suffix, ".") {
 			return true
 		}
 	}
 	return false
 }
 // IsEmpty returns true if the whitelist has no entries.
 func (w *HostWhitelist) IsEmpty() bool {
-	return len(w.exactHosts) == 0 && len(w.suffixHosts) == 0
+	return len(w.hosts) == 0
 }
 // Count returns the total number of whitelist entries.
 func (w *HostWhitelist) Count() int {
-	return len(w.exactHosts) + len(w.suffixHosts)
+	return len(w.hosts)
 }
--- a/internal/imgcache/whitelist_test.go
+++ b/internal/imgcache/whitelist_test.go
@@ -31,41 +31,47 @@ func TestHostWhitelist_IsWhitelisted(t *testing.T) {
 			want:     false,
 		},
 		{
-			name:     "suffix match",
+			name:     "dot prefix does not enable suffix matching",
 			patterns: []string{".example.com"},
 			testURL:  "https://cdn.example.com/image.jpg",
-			want:     true,
+			want:     false,
 		},
 		{
-			name:     "suffix match deep subdomain",
+			name:     "dot prefix does not match deep subdomain",
 			patterns: []string{".example.com"},
 			testURL:  "https://cdn.images.example.com/image.jpg",
-			want:     true,
+			want:     false,
 		},
 		{
-			name:     "suffix match apex domain",
+			name:     "dot prefix stripped matches apex domain exactly",
 			patterns: []string{".example.com"},
 			testURL:  "https://example.com/image.jpg",
 			want:     true,
 		},
 		{
-			name:     "suffix match not found",
+			name:     "dot prefix does not match unrelated domain",
 			patterns: []string{".example.com"},
 			testURL:  "https://notexample.com/image.jpg",
 			want:     false,
 		},
 		{
-			name:     "suffix match partial not allowed",
+			name:     "dot prefix does not match partial domain",
 			patterns: []string{".example.com"},
 			testURL:  "https://fakeexample.com/image.jpg",
 			want:     false,
 		},
 		{
-			name:     "multiple patterns",
+			name:     "multiple patterns exact only",
-			patterns: []string{"cdn.example.com", ".images.org", "static.test.net"},
+			patterns: []string{"cdn.example.com", "photos.images.org", "static.test.net"},
 			testURL:  "https://photos.images.org/image.jpg",
 			want:     true,
 		},
 		{
 			name:     "multiple patterns no suffix match",
 			patterns: []string{"cdn.example.com", ".images.org", "static.test.net"},
 			testURL:  "https://photos.images.org/image.jpg",
 			want:     false,
 		},
 		{
 			name:     "empty whitelist",
 			patterns: []string{},
@@ -90,6 +96,12 @@ func TestHostWhitelist_IsWhitelisted(t *testing.T) {
 			testURL:  "https://cdn.example.com/image.jpg",
 			want:     true,
 		},
 		{
 			name:     "whitespace dot prefix stripped matches exactly",
 			patterns: []string{"  .other.com  "},
 			testURL:  "https://other.com/image.jpg",
 			want:     true,
 		},
 	}
 	for _, tt := range tests {
@@ -139,6 +151,11 @@ func TestHostWhitelist_IsEmpty(t *testing.T) {
 			patterns: []string{"example.com"},
 			want:     false,
 		},
 		{
 			name:     "dot prefix entry still counts",
 			patterns: []string{".example.com"},
 			want:     false,
 		},
 	}
 	for _, tt := range tests {
@@ -168,7 +185,7 @@ func TestHostWhitelist_Count(t *testing.T) {
 			want:     3,
 		},
 		{
-			name:     "suffix hosts only",
+			name:     "dot prefix hosts treated as exact",
 			patterns: []string{".a.com", ".b.com"},
 			want:     2,
 		},
@@ -177,6 +194,11 @@ func TestHostWhitelist_Count(t *testing.T) {
 			patterns: []string{"exact.com", ".suffix.com"},
 			want:     2,
 		},
 		{
 			name:     "dot prefix deduplicates with exact",
 			patterns: []string{"example.com", ".example.com"},
 			want:     1,
 		},
 	}
 	for _, tt := range tests {
--- a/scripts/manual-test.sh
+++ b/scripts/manual-test.sh
@@ -48,7 +48,7 @@ fi
 # Test 3: Wrong password shows error
 echo "--- Test 3: Login with wrong password ---"
-WRONG_LOGIN=$(curl -sf -X POST "$BASE_URL/" -d "password=wrong-key" -c "$COOKIE_JAR")
+WRONG_LOGIN=$(curl -sf -X POST "$BASE_URL/" -d "key=wrong-key" -c "$COOKIE_JAR")
 if echo "$WRONG_LOGIN" | grep -qi "invalid\|error\|incorrect\|wrong"; then
    pass "Wrong password shows error message"
 else
@@ -57,7 +57,7 @@ fi
 # Test 4: Correct password redirects to generator
 echo "--- Test 4: Login with correct signing key ---"
-curl -sf -X POST "$BASE_URL/" -d "password=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
+curl -sf -X POST "$BASE_URL/" -d "key=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
 GENERATOR_PAGE=$(curl -sf "$BASE_URL/" -b "$COOKIE_JAR")
 if echo "$GENERATOR_PAGE" | grep -qi "generate\|url\|source\|logout"; then
    pass "Correct password shows generator page"
@@ -68,12 +68,12 @@ fi
 # Test 5: Generate encrypted URL
 echo "--- Test 5: Generate encrypted URL ---"
 GEN_RESULT=$(curl -sf -X POST "$BASE_URL/generate" -b "$COOKIE_JAR" \
-    -d "source_url=$TEST_IMAGE_URL" \
+    -d "url=$TEST_IMAGE_URL" \
    -d "width=800" \
    -d "height=600" \
    -d "format=jpeg" \
    -d "quality=85" \
-    -d "fit_mode=cover" \
+    -d "fit=cover" \
    -d "ttl=3600")
 if echo "$GEN_RESULT" | grep -q "/v1/e/"; then
    pass "Encrypted URL generated"
@@ -121,10 +121,10 @@ fi
 # Test 9: Generate short-TTL URL and verify expiration
 echo "--- Test 9: Expired URL returns 410 ---"
 # Login again
-curl -sf -X POST "$BASE_URL/" -d "password=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
+curl -sf -X POST "$BASE_URL/" -d "key=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
 # Generate URL with 1 second TTL
 GEN_RESULT=$(curl -sf -X POST "$BASE_URL/generate" -b "$COOKIE_JAR" \
-    -d "source_url=$TEST_IMAGE_URL" \
+    -d "url=$TEST_IMAGE_URL" \
    -d "width=100" \
    -d "height=100" \
    -d "format=jpeg" \
Author	SHA1	Message	Date
user	55bb620de0	docs: update README and config to reflect exact-match-only whitelist All checks were successful check / check (push) Successful in 5s Details Remove suffix match documentation and config comments since whitelist now only supports exact host matches.	2026-03-15 11:18:44 -07:00
user	215ddb7f72	fix: remove suffix matching from host whitelist Whitelist entries now support exact host matches only. Leading dots in patterns are stripped for backwards compatibility (.example.com becomes an exact match for example.com). Suffix matching that would match arbitrary subdomains is no longer supported. Closes #27	2026-03-15 11:18:25 -07:00
user	27739da046	test: add failing tests for removing suffix matching from whitelist Suffix matching (.example.com matching subdomains) should not be supported. Whitelist entries should be exact host matches only. Leading dots should be stripped and treated as exact matches.	2026-03-15 11:18:01 -07:00
clawbot	2e934c8894	fix: QA audit fixes for 1.0/MVP readiness (#25 ) All checks were successful check / check (push) Successful in 5s Details closes #24 ## QA Audit Fixes This PR addresses issues found during the 1.0/MVP QA audit. ### Changes 1. TODO.md: Mark AVIF encoding as done — AVIF encoding is fully implemented via govips in `processor.go` but was still listed as a TODO item. 2. scripts/manual-test.sh: Fix form field names — The manual test script was using wrong field names: - Login form: was sending `password=...`, should be `key=...` (matching the HTML form's `name="key"`) - Generator form: was sending `source_url`, `fit_mode` — should be `url`, `fit` (matching the handler's `r.FormValue()` calls) - This means the manual test script never actually worked — login always failed silently because the `key` field was empty. ### Full QA Audit Results The comprehensive QA audit report has been posted as a comment on [issue #24](#24). Co-authored-by: user <user@Mac.lan guest wan> Reviewed-on: #25 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>	2026-03-15 17:58:13 +01:00
clawbot	2f15340f26	Split Dockerfile: pre-built golangci-lint stage for faster CI (#23 ) All checks were successful check / check (push) Successful in 5s Details ## Summary Splits the Dockerfile into a dedicated lint stage using the pre-built `golangci/golangci-lint:v2.10.1-alpine` Docker image, replacing the manual binary download with curl/sha256 verification. ## Changes - Lint stage (`AS lint`): Uses `golangci/golangci-lint:v2.10.1-alpine` pinned by sha256. Runs `make fmt-check` + `make lint`. Includes CGO deps (`build-base`, `vips-dev`, `libheif-dev`, `pkgconfig`) needed for type-checking govips imports. - Build stage (`AS builder`): Depends on lint stage via `COPY --from=lint /src/go.sum /dev/null`. Runs `make test` + builds the binary. Removes `curl` (no longer needed) and the manual golangci-lint download block. - Runtime stage: Unchanged. ## Benefits - Eliminates slow multi-arch binary download + sha256 verification step - Lint and build stages can potentially run in parallel with BuildKit - Better Docker layer caching — lint deps cached separately from build deps - All images remain pinned by sha256 with version+date comments ## Verification - `docker build .` passes: fmt-check ✅, lint (0 issues) ✅, all tests pass ✅, binary builds ✅ Closes [#18](#18) <!-- session: agent:sdlc-manager:subagent:7aac9c54-81c8-4494-94ab-0843f97a1e62 --> Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de> Reviewed-on: #23 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>	2026-03-02 21:09:51 +01:00
Jeffrey Paul	811c210b09	Merge pull request 'fix: Docker build failures on arm64 (closes #15 )' (#16 ) from fix/docker-multiarch-lint into main All checks were successful check / check (push) Successful in 6s Details Reviewed-on: #16	2026-02-25 20:51:44 +01:00
clawbot	5ca64a37ce	fix: detect architecture for golangci-lint download in Docker build All checks were successful check / check (push) Successful in 1m34s Details The golangci-lint binary was hardcoded as linux-amd64, causing Docker builds to fail on arm64 hosts. The amd64 ELF binary cannot execute on aarch64, producing a misleading shell syntax error during make check. Use uname -m to detect the container architecture at build time and download the matching binary. Both amd64 and arm64 SHA-256 hashes are pinned. Closes #15	2026-02-25 06:12:47 -08:00