consolidate appname to internal/globals as a constant

The appname was redundantly defined in both cmd/pixad/main.go and
internal/globals/globals.go. Since it is always "pixad" and is not
actually set via ldflags (only Version is), define it once as an
unexported constant in globals.go and remove it from main.go.

README.md

@@ -98,7 +98,9 @@ expiration 1704067200:
 
 **Whitelist patterns:**
 
-- **Exact match only**: `cdn.example.com` — matches only that host
+- **Exact match**: `cdn.example.com` — matches only that host
+- **Suffix match**: `.example.com` — matches `cdn.example.com`,
+  `images.example.com`, and `example.com`
 
 ### Configuration
 

cmd/pixad/main.go

@@ -17,10 +17,7 @@ import (
 	"sneak.berlin/go/pixa/internal/server"
 )
 
-var (
+var Version string //nolint:gochecknoglobals // set by ldflags
-	Appname = "pixad" //nolint:gochecknoglobals // set by ldflags
-	Version string    //nolint:gochecknoglobals // set by ldflags
-)
 
 var configPath string //nolint:gochecknoglobals // cobra flag
 
@@ -40,7 +37,6 @@ func main() {
 }
 
 func run(_ *cobra.Command, _ []string) {
-	globals.Appname = Appname
 	globals.Version = Version
 
 	// Set config path in environment if specified via flag

config.example.yml

@@ -13,7 +13,8 @@ state_dir: ./data
 # Generate with: openssl rand -base64 32
 signing_key: "CHANGE_ME_generate_with_openssl_rand_base64_32"
 
-# Hosts that don't require signatures (exact match only)
+# Hosts that don't require signatures
+# Use "." prefix for wildcard subdomain matching (e.g., ".example.com" matches "cdn.example.com")
 whitelist_hosts:
   - s3.sneak.cloud
   - static.sneak.cloud

internal/globals/globals.go

@@ -5,11 +5,10 @@ import (
 	"go.uber.org/fx"
 )
 
-// Build-time variables populated from main() via ldflags.
+const appname = "pixad"
-var (
+
-	Appname string //nolint:gochecknoglobals // set from main
+// Version is populated from main() via ldflags.
-	Version string //nolint:gochecknoglobals // set from main
+var Version string //nolint:gochecknoglobals // set from main
-)
 
 // Globals holds application-wide constants.
 type Globals struct {
@@ -20,7 +19,7 @@ type Globals struct {
 // New creates a new Globals instance from build-time variables.
 func New(_ fx.Lifecycle) (*Globals, error) {
 	return &Globals{
-		Appname: Appname,
+		Appname: appname,
 		Version: Version,
 	}, nil
 }

internal/imgcache/whitelist.go

@@ -6,19 +6,22 @@ import (
 )
 
 // HostWhitelist implements the Whitelist interface for checking allowed source hosts.
-// Only exact host matches are supported. Leading dots in patterns are stripped
-// (e.g. ".example.com" becomes an exact match for "example.com").
 type HostWhitelist struct {
-	// hosts contains hosts that must match exactly (e.g., "cdn.example.com")
+	// exactHosts contains hosts that must match exactly (e.g., "cdn.example.com")
-	hosts map[string]struct{}
+	exactHosts map[string]struct{}
+	// suffixHosts contains domain suffixes to match (e.g., ".example.com" matches "cdn.example.com")
+	suffixHosts []string
 }
 
 // NewHostWhitelist creates a whitelist from a list of host patterns.
-// All patterns are treated as exact matches. Leading dots are stripped
+// Patterns starting with "." are treated as suffix matches.
-// for backwards compatibility (e.g. ".example.com" matches "example.com" only).
+// Examples:
+//   - "cdn.example.com" - exact match only
+//   - ".example.com" - matches cdn.example.com, images.example.com, etc.
 func NewHostWhitelist(patterns []string) *HostWhitelist {
 	w := &HostWhitelist{
-		hosts: make(map[string]struct{}),
+		exactHosts:  make(map[string]struct{}),
+		suffixHosts: make([]string, 0),
 	}
 
 	for _, pattern := range patterns {
@@ -27,22 +30,17 @@ func NewHostWhitelist(patterns []string) *HostWhitelist {
 			continue
 		}
 
-		// Strip leading dot — suffix matching is not supported.
+		if strings.HasPrefix(pattern, ".") {
-		// ".example.com" is treated as exact match for "example.com".
+			w.suffixHosts = append(w.suffixHosts, pattern)
-		pattern = strings.TrimPrefix(pattern, ".")
+		} else {
-
+			w.exactHosts[pattern] = struct{}{}
-		if pattern == "" {
-			continue
 		}
-
-		w.hosts[pattern] = struct{}{}
 	}
 
 	return w
 }
 
 // IsWhitelisted checks if a URL's host is in the whitelist.
-// Only exact host matches are supported.
 func (w *HostWhitelist) IsWhitelisted(u *url.URL) bool {
 	if u == nil {
 		return false
@@ -53,17 +51,32 @@ func (w *HostWhitelist) IsWhitelisted(u *url.URL) bool {
 		return false
 	}
 
-	_, ok := w.hosts[host]
+	// Check exact match
+	if _, ok := w.exactHosts[host]; ok {
+		return true
+	}
 
-	return ok
+	// Check suffix match
+	for _, suffix := range w.suffixHosts {
+		if strings.HasSuffix(host, suffix) {
+			return true
+		}
+		// Also match if host equals the suffix without the leading dot
+		// e.g., pattern ".example.com" should match "example.com"
+		if host == strings.TrimPrefix(suffix, ".") {
+			return true
+		}
+	}
+
+	return false
 }
 
 // IsEmpty returns true if the whitelist has no entries.
 func (w *HostWhitelist) IsEmpty() bool {
-	return len(w.hosts) == 0
+	return len(w.exactHosts) == 0 && len(w.suffixHosts) == 0
 }
 
 // Count returns the total number of whitelist entries.
 func (w *HostWhitelist) Count() int {
-	return len(w.hosts)
+	return len(w.exactHosts) + len(w.suffixHosts)
 }

internal/imgcache/whitelist_test.go

@@ -31,46 +31,40 @@ func TestHostWhitelist_IsWhitelisted(t *testing.T) {
 			want:     false,
 		},
 		{
-			name:     "dot prefix does not enable suffix matching",
+			name:     "suffix match",
 			patterns: []string{".example.com"},
 			testURL:  "https://cdn.example.com/image.jpg",
-			want:     false,
+			want:     true,
 		},
 		{
-			name:     "dot prefix does not match deep subdomain",
+			name:     "suffix match deep subdomain",
 			patterns: []string{".example.com"},
 			testURL:  "https://cdn.images.example.com/image.jpg",
-			want:     false,
+			want:     true,
 		},
 		{
-			name:     "dot prefix stripped matches apex domain exactly",
+			name:     "suffix match apex domain",
 			patterns: []string{".example.com"},
 			testURL:  "https://example.com/image.jpg",
 			want:     true,
 		},
 		{
-			name:     "dot prefix does not match unrelated domain",
+			name:     "suffix match not found",
 			patterns: []string{".example.com"},
 			testURL:  "https://notexample.com/image.jpg",
 			want:     false,
 		},
 		{
-			name:     "dot prefix does not match partial domain",
+			name:     "suffix match partial not allowed",
 			patterns: []string{".example.com"},
 			testURL:  "https://fakeexample.com/image.jpg",
 			want:     false,
 		},
 		{
-			name:     "multiple patterns exact only",
+			name:     "multiple patterns",
-			patterns: []string{"cdn.example.com", "photos.images.org", "static.test.net"},
-			testURL:  "https://photos.images.org/image.jpg",
-			want:     true,
-		},
-		{
-			name:     "multiple patterns no suffix match",
 			patterns: []string{"cdn.example.com", ".images.org", "static.test.net"},
 			testURL:  "https://photos.images.org/image.jpg",
-			want:     false,
+			want:     true,
 		},
 		{
 			name:     "empty whitelist",
@@ -96,12 +90,6 @@ func TestHostWhitelist_IsWhitelisted(t *testing.T) {
 			testURL:  "https://cdn.example.com/image.jpg",
 			want:     true,
 		},
-		{
-			name:     "whitespace dot prefix stripped matches exactly",
-			patterns: []string{"  .other.com  "},
-			testURL:  "https://other.com/image.jpg",
-			want:     true,
-		},
 	}
 
 	for _, tt := range tests {
@@ -151,11 +139,6 @@ func TestHostWhitelist_IsEmpty(t *testing.T) {
 			patterns: []string{"example.com"},
 			want:     false,
 		},
-		{
-			name:     "dot prefix entry still counts",
-			patterns: []string{".example.com"},
-			want:     false,
-		},
 	}
 
 	for _, tt := range tests {
@@ -185,7 +168,7 @@ func TestHostWhitelist_Count(t *testing.T) {
 			want:     3,
 		},
 		{
-			name:     "dot prefix hosts treated as exact",
+			name:     "suffix hosts only",
 			patterns: []string{".a.com", ".b.com"},
 			want:     2,
 		},
@@ -194,11 +177,6 @@ func TestHostWhitelist_Count(t *testing.T) {
 			patterns: []string{"exact.com", ".suffix.com"},
 			want:     2,
 		},
-		{
-			name:     "dot prefix deduplicates with exact",
-			patterns: []string{"example.com", ".example.com"},
-			want:     1,
-		},
 	}
 
 	for _, tt := range tests {