Change schema_migrations version from TEXT to INTEGER

Per review: the SQL file should be self-contained. 000.sql now
includes both the CREATE TABLE and the INSERT OR IGNORE for recording
its own version. Removed the separate INSERT from Go code in
bootstrapMigrationsTable().

README.md

@@ -67,10 +67,7 @@ hosts require an HMAC-SHA256 signature.
 #### Signature Specification
 
 Signatures use HMAC-SHA256 and include an expiration timestamp to
-prevent replay attacks. Signatures are **exact match only**: every
-component (host, path, query, dimensions, format, expiration) must
-match exactly what was signed. No suffix matching, wildcard matching,
-or partial matching is supported.
+prevent replay attacks.
 
 **Signed data format** (colon-separated):
 

internal/imgcache/magic.go

@@ -1,6 +1,4 @@
-// Package magic detects image formats from magic bytes and validates
-// content against declared MIME types.
-package magic
+package imgcache
 
 import (
 	"bytes"
@@ -29,20 +27,6 @@ const (
 	MIMETypeSVG  = MIMEType("image/svg+xml")
 )
 
-// ImageFormat represents supported output image formats.
-// This mirrors the type in imgcache to avoid circular imports.
-type ImageFormat string
-
-// Supported image output formats.
-const (
-	FormatOriginal ImageFormat = "orig"
-	FormatJPEG     ImageFormat = "jpeg"
-	FormatPNG      ImageFormat = "png"
-	FormatWebP     ImageFormat = "webp"
-	FormatAVIF     ImageFormat = "avif"
-	FormatGIF      ImageFormat = "gif"
-)
-
 // MinMagicBytes is the minimum number of bytes needed to detect format.
 const MinMagicBytes = 12
 
@@ -205,7 +189,7 @@ func PeekAndValidate(r io.Reader, declaredType string) (io.Reader, error) {
 	return io.MultiReader(bytes.NewReader(buf), r), nil
 }
 
-// MIMEToImageFormat converts a MIME type to an ImageFormat.
+// MIMEToImageFormat converts a MIME type to our ImageFormat type.
 func MIMEToImageFormat(mimeType string) (ImageFormat, bool) {
 	normalized := normalizeMIMEType(mimeType)
 	switch MIMEType(normalized) {
@@ -224,7 +208,7 @@ func MIMEToImageFormat(mimeType string) (ImageFormat, bool) {
 	}
 }
 
-// ImageFormatToMIME converts an ImageFormat to a MIME type string.
+// ImageFormatToMIME converts our ImageFormat to a MIME type string.
 func ImageFormatToMIME(format ImageFormat) string {
 	switch format {
 	case FormatJPEG:

internal/imgcache/magic_test.go

@@ -1,4 +1,4 @@
-package magic
+package imgcache
 
 import (
 	"bytes"

internal/imgcache/service.go

@@ -11,9 +11,7 @@ import (
 	"time"
 
 	"github.com/dustin/go-humanize"
-	"sneak.berlin/go/pixa/internal/allowlist"
 	"sneak.berlin/go/pixa/internal/imageprocessor"
-	"sneak.berlin/go/pixa/internal/magic"
 )
 
 // Service implements the ImageCache interface, orchestrating cache, fetcher, and processor.
@@ -22,7 +20,7 @@ type Service struct {
 	fetcher         Fetcher
 	processor       *imageprocessor.ImageProcessor
 	signer          *Signer
-	allowlist       *allowlist.HostAllowList
+	whitelist       *HostWhitelist
 	log             *slog.Logger
 	allowHTTP       bool
 	maxResponseSize int64
@@ -87,7 +85,7 @@ func NewService(cfg *ServiceConfig) (*Service, error) {
 		fetcher:         fetcher,
 		processor:       imageprocessor.New(imageprocessor.Params{MaxInputBytes: maxResponseSize}),
 		signer:          signer,
-		allowlist:       allowlist.New(cfg.Whitelist),
+		whitelist:       NewHostWhitelist(cfg.Whitelist),
 		log:             log,
 		allowHTTP:       allowHTTP,
 		maxResponseSize: maxResponseSize,
@@ -278,7 +276,7 @@ func (s *Service) fetchAndProcess(
 	)
 
 	// Validate magic bytes match content type
-	if err := magic.ValidateMagicBytes(sourceData, fetchResult.ContentType); err != nil {
+	if err := ValidateMagicBytes(sourceData, fetchResult.ContentType); err != nil {
 		return nil, fmt.Errorf("content validation failed: %w", err)
 	}
 
@@ -383,7 +381,7 @@ func (s *Service) Stats(ctx context.Context) (*CacheStats, error) {
 
 // ValidateRequest validates the request signature if required.
 func (s *Service) ValidateRequest(req *ImageRequest) error {
-	// Check if host is allowed (no signature required)
+	// Check if host is whitelisted (no signature required)
 	sourceURL := req.SourceURL()
 
 	parsedURL, err := url.Parse(sourceURL)
@@ -391,11 +389,11 @@ func (s *Service) ValidateRequest(req *ImageRequest) error {
 		return fmt.Errorf("invalid source URL: %w", err)
 	}
 
-	if s.allowlist.IsAllowed(parsedURL) {
+	if s.whitelist.IsWhitelisted(parsedURL) {
 		return nil
 	}
 
-	// Signature required for non-allowed hosts
+	// Signature required for non-whitelisted hosts
 	return s.signer.Verify(req)
 }
 

internal/imgcache/service_test.go

@@ -5,8 +5,6 @@ import (
 	"io"
 	"testing"
 	"time"
-
-	"sneak.berlin/go/pixa/internal/magic"
 )
 
 func TestService_Get_WhitelistedHost(t *testing.T) {
@@ -153,74 +151,6 @@ func TestService_Get_NonWhitelistedHost_InvalidSignature(t *testing.T) {
 	}
 }
 
-// TestService_ValidateRequest_SignatureExactHostMatch verifies that
-// ValidateRequest enforces exact host matching for signatures. A
-// signature for one host must not verify for a different host, even
-// if they share a domain suffix.
-func TestService_ValidateRequest_SignatureExactHostMatch(t *testing.T) {
-	signingKey := "test-signing-key-must-be-32-chars"
-	svc, _ := SetupTestService(t,
-		WithSigningKey(signingKey),
-		WithNoWhitelist(),
-	)
-
-	signer := NewSigner(signingKey)
-
-	// Sign a request for "cdn.example.com"
-	signedReq := &ImageRequest{
-		SourceHost: "cdn.example.com",
-		SourcePath: "/photos/cat.jpg",
-		Size:       Size{Width: 50, Height: 50},
-		Format:     FormatJPEG,
-		Quality:    85,
-		FitMode:    FitCover,
-		Expires:    time.Now().Add(time.Hour),
-	}
-	signedReq.Signature = signer.Sign(signedReq)
-
-	// The original request should pass validation
-	t.Run("exact host passes", func(t *testing.T) {
-		err := svc.ValidateRequest(signedReq)
-		if err != nil {
-			t.Errorf("ValidateRequest() exact host failed: %v", err)
-		}
-	})
-
-	// Try to reuse the signature with different hosts
-	tests := []struct {
-		name string
-		host string
-	}{
-		{"parent domain", "example.com"},
-		{"sibling subdomain", "images.example.com"},
-		{"deeper subdomain", "a.cdn.example.com"},
-		{"evil suffix domain", "cdn.example.com.evil.com"},
-		{"prefixed host", "evilcdn.example.com"},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name+" rejected", func(t *testing.T) {
-			req := &ImageRequest{
-				SourceHost:  tt.host,
-				SourcePath:  signedReq.SourcePath,
-				SourceQuery: signedReq.SourceQuery,
-				Size:        signedReq.Size,
-				Format:      signedReq.Format,
-				Quality:     signedReq.Quality,
-				FitMode:     signedReq.FitMode,
-				Expires:     signedReq.Expires,
-				Signature:   signedReq.Signature,
-			}
-
-			err := svc.ValidateRequest(req)
-			if err == nil {
-				t.Errorf("ValidateRequest() should reject signature for host %q (signed for %q)",
-					tt.host, signedReq.SourceHost)
-			}
-		})
-	}
-}
-
 func TestService_Get_InvalidFile(t *testing.T) {
 	svc, fixtures := SetupTestService(t)
 	ctx := context.Background()
@@ -317,17 +247,17 @@ func TestService_Get_FormatConversion(t *testing.T) {
 				t.Fatalf("failed to read response: %v", err)
 			}
 
-			detectedMIME, err := magic.DetectFormat(data)
+			detectedMIME, err := DetectFormat(data)
 			if err != nil {
 				t.Fatalf("failed to detect format: %v", err)
 			}
 
-			expectedFormat, ok := magic.MIMEToImageFormat(tt.wantMIME)
+			expectedFormat, ok := MIMEToImageFormat(tt.wantMIME)
 			if !ok {
 				t.Fatalf("unknown format for MIME type: %s", tt.wantMIME)
 			}
 
-			detectedFormat, ok := magic.MIMEToImageFormat(string(detectedMIME))
+			detectedFormat, ok := MIMEToImageFormat(string(detectedMIME))
 			if !ok {
 				t.Fatalf("unknown format for detected MIME type: %s", detectedMIME)
 			}

internal/imgcache/signature.go

@@ -43,11 +43,6 @@ func (s *Signer) Sign(req *ImageRequest) string {
 }
 
 // Verify checks if the signature on the request is valid and not expired.
-// Signatures are exact-match only: every component of the signed data
-// (host, path, query, dimensions, format, expiration) must match exactly.
-// No suffix matching, wildcard matching, or partial matching is supported.
-// A signature for "cdn.example.com" will NOT verify for "example.com" or
-// "other.cdn.example.com", and vice versa.
 func (s *Signer) Verify(req *ImageRequest) error {
 	// Check expiration first
 	if req.Expires.IsZero() {
@@ -71,8 +66,6 @@ func (s *Signer) Verify(req *ImageRequest) error {
 
 // buildSignatureData creates the string to be signed.
 // Format: "host:path:query:width:height:format:expiration"
-// All components are used verbatim (exact match). No normalization,
-// suffix matching, or wildcard expansion is performed.
 func (s *Signer) buildSignatureData(req *ImageRequest) string {
 	return fmt.Sprintf("%s:%s:%s:%d:%d:%s:%d",
 		req.SourceHost,

internal/imgcache/signature_test.go

@@ -152,178 +152,6 @@ func TestSigner_Verify(t *testing.T) {
 	}
 }
 
-// TestSigner_Verify_ExactMatchOnly verifies that signatures enforce exact
-// matching on every URL component. No suffix matching, wildcard matching,
-// or partial matching is supported.
-func TestSigner_Verify_ExactMatchOnly(t *testing.T) {
-	signer := NewSigner("test-secret-key")
-
-	// Base request that we'll sign, then tamper with individual fields.
-	baseReq := func() *ImageRequest {
-		req := &ImageRequest{
-			SourceHost:  "cdn.example.com",
-			SourcePath:  "/photos/cat.jpg",
-			SourceQuery: "token=abc",
-			Size:        Size{Width: 800, Height: 600},
-			Format:      FormatWebP,
-			Expires:     time.Now().Add(1 * time.Hour),
-		}
-		req.Signature = signer.Sign(req)
-
-		return req
-	}
-
-	tests := []struct {
-		name   string
-		tamper func(req *ImageRequest)
-	}{
-		{
-			name: "parent domain does not match subdomain",
-			tamper: func(req *ImageRequest) {
-				// Signed for cdn.example.com, try example.com
-				req.SourceHost = "example.com"
-			},
-		},
-		{
-			name: "subdomain does not match parent domain",
-			tamper: func(req *ImageRequest) {
-				// Signed for cdn.example.com, try images.cdn.example.com
-				req.SourceHost = "images.cdn.example.com"
-			},
-		},
-		{
-			name: "sibling subdomain does not match",
-			tamper: func(req *ImageRequest) {
-				// Signed for cdn.example.com, try images.example.com
-				req.SourceHost = "images.example.com"
-			},
-		},
-		{
-			name: "host with suffix appended does not match",
-			tamper: func(req *ImageRequest) {
-				// Signed for cdn.example.com, try cdn.example.com.evil.com
-				req.SourceHost = "cdn.example.com.evil.com"
-			},
-		},
-		{
-			name: "host with prefix does not match",
-			tamper: func(req *ImageRequest) {
-				// Signed for cdn.example.com, try evilcdn.example.com
-				req.SourceHost = "evilcdn.example.com"
-			},
-		},
-		{
-			name: "different path does not match",
-			tamper: func(req *ImageRequest) {
-				req.SourcePath = "/photos/dog.jpg"
-			},
-		},
-		{
-			name: "path suffix does not match",
-			tamper: func(req *ImageRequest) {
-				req.SourcePath = "/photos/cat.jpg/extra"
-			},
-		},
-		{
-			name: "path prefix does not match",
-			tamper: func(req *ImageRequest) {
-				req.SourcePath = "/other/photos/cat.jpg"
-			},
-		},
-		{
-			name: "different query does not match",
-			tamper: func(req *ImageRequest) {
-				req.SourceQuery = "token=xyz"
-			},
-		},
-		{
-			name: "added query does not match empty query",
-			tamper: func(req *ImageRequest) {
-				req.SourceQuery = "extra=1"
-			},
-		},
-		{
-			name: "removed query does not match",
-			tamper: func(req *ImageRequest) {
-				req.SourceQuery = ""
-			},
-		},
-		{
-			name: "different width does not match",
-			tamper: func(req *ImageRequest) {
-				req.Size.Width = 801
-			},
-		},
-		{
-			name: "different height does not match",
-			tamper: func(req *ImageRequest) {
-				req.Size.Height = 601
-			},
-		},
-		{
-			name: "different format does not match",
-			tamper: func(req *ImageRequest) {
-				req.Format = FormatPNG
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			req := baseReq()
-			tt.tamper(req)
-
-			err := signer.Verify(req)
-			if err != ErrSignatureInvalid {
-				t.Errorf("Verify() = %v, want %v", err, ErrSignatureInvalid)
-			}
-		})
-	}
-
-	// Verify the unmodified base request still passes
-	t.Run("unmodified request passes", func(t *testing.T) {
-		req := baseReq()
-		if err := signer.Verify(req); err != nil {
-			t.Errorf("Verify() unmodified request failed: %v", err)
-		}
-	})
-}
-
-// TestSigner_Sign_ExactHostInData verifies that Sign uses the exact host
-// string in the signature data, producing different signatures for
-// suffix-related hosts.
-func TestSigner_Sign_ExactHostInData(t *testing.T) {
-	signer := NewSigner("test-secret-key")
-
-	hosts := []string{
-		"cdn.example.com",
-		"example.com",
-		"images.example.com",
-		"images.cdn.example.com",
-		"cdn.example.com.evil.com",
-	}
-
-	sigs := make(map[string]string)
-
-	for _, host := range hosts {
-		req := &ImageRequest{
-			SourceHost:  host,
-			SourcePath:  "/photos/cat.jpg",
-			SourceQuery: "",
-			Size:        Size{Width: 800, Height: 600},
-			Format:      FormatWebP,
-			Expires:     time.Unix(1704067200, 0),
-		}
-
-		sig := signer.Sign(req)
-		if existing, ok := sigs[sig]; ok {
-			t.Errorf("hosts %q and %q produced the same signature", existing, host)
-		}
-
-		sigs[sig] = host
-	}
-}
-
 func TestSigner_DifferentKeys(t *testing.T) {
 	signer1 := NewSigner("secret-key-1")
 	signer2 := NewSigner("secret-key-2")

internal/imgcache/whitelist.go

@@ -1,26 +1,25 @@
-// Package allowlist provides host-based URL allow-listing for the image proxy.
-package allowlist
+package imgcache
 
 import (
 	"net/url"
 	"strings"
 )
 
-// HostAllowList checks whether source hosts are permitted.
-type HostAllowList struct {
+// HostWhitelist implements the Whitelist interface for checking allowed source hosts.
+type HostWhitelist struct {
 	// exactHosts contains hosts that must match exactly (e.g., "cdn.example.com")
 	exactHosts map[string]struct{}
 	// suffixHosts contains domain suffixes to match (e.g., ".example.com" matches "cdn.example.com")
 	suffixHosts []string
 }
 
-// New creates a HostAllowList from a list of host patterns.
+// NewHostWhitelist creates a whitelist from a list of host patterns.
 // Patterns starting with "." are treated as suffix matches.
 // Examples:
 //   - "cdn.example.com" - exact match only
 //   - ".example.com" - matches cdn.example.com, images.example.com, etc.
-func New(patterns []string) *HostAllowList {
-	w := &HostAllowList{
+func NewHostWhitelist(patterns []string) *HostWhitelist {
+	w := &HostWhitelist{
 		exactHosts:  make(map[string]struct{}),
 		suffixHosts: make([]string, 0),
 	}
@@ -41,8 +40,8 @@ func New(patterns []string) *HostAllowList {
 	return w
 }
 
-// IsAllowed checks if a URL's host is in the allow list.
-func (w *HostAllowList) IsAllowed(u *url.URL) bool {
+// IsWhitelisted checks if a URL's host is in the whitelist.
+func (w *HostWhitelist) IsWhitelisted(u *url.URL) bool {
 	if u == nil {
 		return false
 	}
@@ -72,12 +71,12 @@ func (w *HostAllowList) IsAllowed(u *url.URL) bool {
 	return false
 }
 
-// IsEmpty returns true if the allow list has no entries.
-func (w *HostAllowList) IsEmpty() bool {
+// IsEmpty returns true if the whitelist has no entries.
+func (w *HostWhitelist) IsEmpty() bool {
 	return len(w.exactHosts) == 0 && len(w.suffixHosts) == 0
 }
 
-// Count returns the total number of allow list entries.
-func (w *HostAllowList) Count() int {
+// Count returns the total number of whitelist entries.
+func (w *HostWhitelist) Count() int {
 	return len(w.exactHosts) + len(w.suffixHosts)
 }

internal/imgcache/whitelist_test.go

@@ -1,13 +1,11 @@
-package allowlist_test
+package imgcache
 
 import (
 	"net/url"
 	"testing"
-
-	"sneak.berlin/go/pixa/internal/allowlist"
 )
 
-func TestHostAllowList_IsAllowed(t *testing.T) {
+func TestHostWhitelist_IsWhitelisted(t *testing.T) {
 	tests := []struct {
 		name     string
 		patterns []string
@@ -69,7 +67,7 @@ func TestHostAllowList_IsAllowed(t *testing.T) {
 			want:     true,
 		},
 		{
-			name:     "empty allow list",
+			name:     "empty whitelist",
 			patterns: []string{},
 			testURL:  "https://cdn.example.com/image.jpg",
 			want:     false,
@@ -96,7 +94,7 @@ func TestHostAllowList_IsAllowed(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			w := allowlist.New(tt.patterns)
+			w := NewHostWhitelist(tt.patterns)
 
 			var u *url.URL
 			if tt.testURL != "" {
@@ -107,15 +105,15 @@ func TestHostAllowList_IsAllowed(t *testing.T) {
 				}
 			}
 
-			got := w.IsAllowed(u)
+			got := w.IsWhitelisted(u)
 			if got != tt.want {
-				t.Errorf("IsAllowed() = %v, want %v", got, tt.want)
+				t.Errorf("IsWhitelisted() = %v, want %v", got, tt.want)
 			}
 		})
 	}
 }
 
-func TestHostAllowList_IsEmpty(t *testing.T) {
+func TestHostWhitelist_IsEmpty(t *testing.T) {
 	tests := []struct {
 		name     string
 		patterns []string
@@ -145,7 +143,7 @@ func TestHostAllowList_IsEmpty(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			w := allowlist.New(tt.patterns)
+			w := NewHostWhitelist(tt.patterns)
 			if got := w.IsEmpty(); got != tt.want {
 				t.Errorf("IsEmpty() = %v, want %v", got, tt.want)
 			}
@@ -153,7 +151,7 @@ func TestHostAllowList_IsEmpty(t *testing.T) {
 	}
 }
 
-func TestHostAllowList_Count(t *testing.T) {
+func TestHostWhitelist_Count(t *testing.T) {
 	tests := []struct {
 		name     string
 		patterns []string
@@ -183,7 +181,7 @@ func TestHostAllowList_Count(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			w := allowlist.New(tt.patterns)
+			w := NewHostWhitelist(tt.patterns)
 			if got := w.Count(); got != tt.want {
 				t.Errorf("Count() = %v, want %v", got, tt.want)
 			}