sneak/pixa
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: sneak:fix/issue-3
Branches Tags
sneak:main sneak:fix/20-split-dockerfile sneak:ci/make-check sneak:chore/remove-stale-files sneak:fix/issue-1 sneak:fix/issue-3 sneak:fix/issue-4
..
compare: sneak:9e2e3fe9e961416f23dc0512a4cc8ca1032bc498
Branches Tags
sneak:main sneak:fix/20-split-dockerfile sneak:ci/make-check sneak:chore/remove-stale-files sneak:fix/issue-1 sneak:fix/issue-3 sneak:fix/issue-4

8 Commits
fix/issue- ... 9e2e3fe9e9

Author SHA1 Message Date
user
9e2e3fe9e9 ci: pin golangci-lint go install to commit hash
Some checks failed
Check / check (pull_request) Failing after 5m31s
Details 
Pin golangci-lint to commit 5d1e709b7be35cb2025444e19de266b056b7b7ee
(v2.10.1) instead of version tag, matching the hash-pinning policy
for all external references.
 2026-02-20 03:08:39 -08:00
user
a94795fac6 security: pin CI actions to commit SHAs 2026-02-20 03:07:18 -08:00
user
8866ec8fd9 ci: add Gitea Actions workflow for make check 2026-02-20 03:07:18 -08:00
Jeffrey Paul
f702e64139 Merge pull request 'chore: remove local dev config files' (#12) from chore/remove-stale-files into main 
Reviewed-on: #12
 2026-02-20 12:05:28 +01:00
user
c4368b1541 chore: remove local dev config files 
Remove config.yaml and config.dev.yml (local development configs with
hardcoded keys that shouldn't be committed). config.example.yml remains
as the canonical example config. Added removed files to .gitignore.
 2026-02-20 02:59:30 -08:00
Jeffrey Paul
2fb36c5ccb Merge pull request 'fix: propagate AllowHTTP to SourceURL() scheme selection (closes #1)' (#6) from fix/issue-1 into main 
Reviewed-on: #6
 2026-02-09 01:41:31 +01:00
clawbot
40c4b53b01 fix: propagate AllowHTTP to SourceURL() scheme selection 
SourceURL() previously hardcoded https:// regardless of the AllowHTTP
config setting. This made testing with HTTP-only test servers impossible.

Add AllowHTTP field to ImageRequest and use it to determine the URL
scheme. The Service propagates the config setting to each request.

Fixes #1
 2026-02-08 16:34:42 -08:00
Jeffrey Paul
b800ef86d8 Merge pull request 'fix: check negative cache in Service.Get() before fetching upstream (closes #3)' (#8) from fix/issue-3 into main 
Reviewed-on: #8
 2026-02-09 01:32:26 +01:00
7 changed files with 90 additions and 23 deletions
Expand all files Collapse all files

23
.gitea/workflows/check.yml Normal file
View File

@@ -0,0 +1,23 @@
name: Check
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
with:
go-version-file: go.mod
- name: Install golangci-lint
run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@5d1e709b7be35cb2025444e19de266b056b7b7ee # v2.10.1
- name: Run make check
run: make check

4
.gitignore vendored
View File

@@ -18,3 +18,7 @@ vendor/
# Data # Data
/data/ /data/
*.sqlite3 *.sqlite3
# Local dev configs
config.yaml
config.dev.yml

11
config.dev.yml
View File

@@ -1,11 +0,0 @@
# Development config for local Docker testing
signing_key: "dev-signing-key-minimum-32-chars!"
debug: true
allow_http: true
whitelist_hosts:
- localhost
- s3.sneak.cloud
- static.sneak.cloud
- sneak.berlin
- github.com
- user-images.githubusercontent.com

10
config.yaml
View File

@@ -1,10 +0,0 @@
debug: true
port: 8080
state_dir: ./data
signing_key: "test-signing-key-for-development-only"
whitelist_hosts:
- "*.example.com"
- "images.unsplash.com"
- "picsum.photos"
- "s3.sneak.cloud"
allow_http: false

11
internal/imgcache/imgcache.go
View File

@@ -79,11 +79,18 @@ type ImageRequest struct {
Signature string Signature string
// Expires is the signature expiration timestamp // Expires is the signature expiration timestamp
Expires time.Time Expires time.Time
// AllowHTTP indicates whether HTTP (non-TLS) is allowed for this request
AllowHTTP bool
} }
// SourceURL returns the full upstream URL to fetch // SourceURL returns the full upstream URL to fetch.
// Uses http:// scheme when AllowHTTP is true, otherwise https://.
func (r *ImageRequest) SourceURL() string { func (r *ImageRequest) SourceURL() string {
url := "https://" + r.SourceHost + r.SourcePath scheme := "https"
if r.AllowHTTP {
scheme = "http"
}
url := scheme + "://" + r.SourceHost + r.SourcePath
if r.SourceQuery != "" { if r.SourceQuery != "" {
url += "?" + r.SourceQuery url += "?" + r.SourceQuery
} }

10
internal/imgcache/service.go
View File

@@ -21,6 +21,7 @@ type Service struct {
signer *Signer signer *Signer
whitelist *HostWhitelist whitelist *HostWhitelist
log *slog.Logger log *slog.Logger
allowHTTP bool
} }
// ServiceConfig holds configuration for the image service. // ServiceConfig holds configuration for the image service.
@@ -68,6 +69,11 @@ func NewService(cfg *ServiceConfig) (*Service, error) {
log = slog.Default() log = slog.Default()
} }
allowHTTP := false
if cfg.FetcherConfig != nil {
allowHTTP = cfg.FetcherConfig.AllowHTTP
}
return &Service{ return &Service{
cache: cfg.Cache, cache: cfg.Cache,
fetcher: fetcher, fetcher: fetcher,
@@ -75,6 +81,7 @@ func NewService(cfg *ServiceConfig) (*Service, error) {
signer: signer, signer: signer,
whitelist: NewHostWhitelist(cfg.Whitelist), whitelist: NewHostWhitelist(cfg.Whitelist),
log: log, log: log,
allowHTTP: allowHTTP,
}, nil }, nil
} }
@@ -83,6 +90,9 @@ var ErrNegativeCached = errors.New("request is in negative cache (recently faile
// Get retrieves a processed image, fetching and processing if necessary. // Get retrieves a processed image, fetching and processing if necessary.
func (s *Service) Get(ctx context.Context, req *ImageRequest) (*ImageResponse, error) { func (s *Service) Get(ctx context.Context, req *ImageRequest) (*ImageResponse, error) {
// Propagate AllowHTTP setting to the request
req.AllowHTTP = s.allowHTTP
// Check negative cache first - skip fetching for recently-failed URLs // Check negative cache first - skip fetching for recently-failed URLs
negHit, err := s.cache.checkNegativeCache(ctx, req) negHit, err := s.cache.checkNegativeCache(ctx, req)
if err != nil { if err != nil {

44
internal/imgcache/sourceurl_test.go Normal file
View File

@@ -0,0 +1,44 @@
package imgcache
import "testing"
func TestImageRequest_SourceURL_DefaultHTTPS(t *testing.T) {
req := &ImageRequest{
SourceHost: "cdn.example.com",
SourcePath: "/photos/cat.jpg",
SourceQuery: "v=2",
}
got := req.SourceURL()
want := "https://cdn.example.com/photos/cat.jpg?v=2"
if got != want {
t.Errorf("SourceURL() = %q, want %q", got, want)
}
}
func TestImageRequest_SourceURL_AllowHTTP(t *testing.T) {
req := &ImageRequest{
SourceHost: "localhost:8080",
SourcePath: "/photos/cat.jpg",
AllowHTTP: true,
}
got := req.SourceURL()
want := "http://localhost:8080/photos/cat.jpg"
if got != want {
t.Errorf("SourceURL() = %q, want %q", got, want)
}
}
func TestImageRequest_SourceURL_AllowHTTPFalse(t *testing.T) {
req := &ImageRequest{
SourceHost: "cdn.example.com",
SourcePath: "/img.jpg",
AllowHTTP: false,
}
got := req.SourceURL()
if got != "https://cdn.example.com/img.jpg" {
t.Errorf("SourceURL() = %q, want https scheme", got)
}
}