Bind feed strategy in tokens

Author: gildesmarais

app/api/v1/feeds.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'time'
+require 'json'
 require 'html2rss/url'
 
 require_relative '../../account_manager'
@@ -28,14 +29,15 @@ def show(request, token)
               account = account_for(feed_token)
               ensure_access!(account, feed_token.url)
 
-              render_generated_feed(request, feed_token.url)
+              strategy = resolve_token_strategy(feed_token)
+              render_generated_feed(request, feed_token.url, strategy)
             end
 
             def create(request)
               ensure_auto_source_enabled!
 
               account = require_account(request)
-              params = build_create_params(request, account)
+              params = build_create_params(request_params(request), account)
 
               feed_data = AutoSource.create_stable_feed(params[:name], params[:url], account, params[:strategy])
               raise InternalServerError, 'Failed to create feed' unless feed_data
@@ -55,16 +57,16 @@ def json_response(request, payload, status: 200)
               payload
             end
 
-            def build_create_params(request, account)
-              url = request.params['url'].to_s.strip
+            def build_create_params(params, account)
+              url = params['url'].to_s.strip
               raise BadRequestError, 'URL parameter is required' if url.empty?
               raise BadRequestError, 'Invalid URL format' unless UrlValidator.valid_url?(url)
               raise ForbiddenError, 'URL not allowed for this account' unless UrlValidator.url_allowed?(account, url)
 
               {
                 url: url,
                 name: extract_site_title(url),
-                strategy: normalize_strategy(request.params['strategy'])
+                strategy: normalize_strategy(params['strategy'])
               }
             end
 
@@ -95,8 +97,7 @@ def ensure_access!(account, url)
               raise ForbiddenError, 'Access Denied' unless UrlValidator.url_allowed?(account, url)
             end
 
-            def render_generated_feed(request, url)
-              strategy = normalize_strategy(request.params['strategy'])
+            def render_generated_feed(request, url, strategy)
               feed_object = AutoSource.generate_feed_object(url, strategy)
               rendered_feed = FeedGenerator.process_feed_content(url, strategy, feed_object)
 
@@ -158,6 +159,35 @@ def extract_ttl_from_feed_object(feed_object)
 
               ttl_minutes * 60
             end
+
+            def resolve_token_strategy(feed_token)
+              strategy = feed_token.strategy.to_s.strip
+              strategy = default_strategy if strategy.empty?
+
+              raise BadRequestError, 'Unsupported strategy' unless supported_strategies.include?(strategy)
+
+              strategy
+            end
+
+            def request_params(request)
+              return request.params unless json_request?(request)
+
+              raw_body = request.body.read
+              request.body.rewind
+              return request.params if raw_body.strip.empty?
+
+              parsed = JSON.parse(raw_body)
+              raise BadRequestError, 'Invalid JSON payload' unless parsed.is_a?(Hash)
+
+              request.params.merge(parsed)
+            rescue JSON::ParserError
+              raise BadRequestError, 'Invalid JSON payload'
+            end
+
+            def json_request?(request)
+              content_type = request.env['CONTENT_TYPE'].to_s
+              content_type.include?('application/json')
+            end
           end
         end
       end

app/auth.rb

@@ -27,10 +27,11 @@ def authenticate(request)
         # @param url [String]
         # @param expires_in [Integer] seconds (default: 10 years)
         # @return [String] HMAC-signed compressed feed token
-        def generate_feed_token(username, url, expires_in: Html2rss::Web::DEFAULT_EXPIRY)
+        def generate_feed_token(username, url, strategy:, expires_in: Html2rss::Web::DEFAULT_EXPIRY)
           token = FeedToken.create_with_validation(
             username: username,
             url: url,
+            strategy: strategy,
             expires_in: expires_in,
             secret_key: secret_key
           )

app/auto_source.rb

@@ -25,7 +25,7 @@ def create_stable_feed(name, url, token_data, strategy = 'ssrf_filter')
           return nil unless url_allowed_for_token?(token_data, url)
 
           feed_id = generate_feed_id(token_data[:username], url, token_data[:token])
-          feed_token = Auth.generate_feed_token(token_data[:username], url)
+          feed_token = Auth.generate_feed_token(token_data[:username], url, strategy: strategy)
           return nil unless feed_token
 
           identifiers = { feed_id: feed_id, feed_token: feed_token }

app/feed_token.rb

@@ -13,15 +13,15 @@ module Web
     REQUIRED_TOKEN_KEYS = %i[p s].freeze
     COMPRESSED_PAYLOAD_KEYS = %i[u l e].freeze
 
-    FeedToken = Data.define(:username, :url, :expires_at, :signature) do
-      def self.create_with_validation(username:, url:, secret_key:, expires_in: DEFAULT_EXPIRY)
-        return unless valid_inputs?(username, url, secret_key)
+    FeedToken = Data.define(:username, :url, :expires_at, :signature, :strategy) do
+      def self.create_with_validation(username:, url:, secret_key:, strategy:, expires_in: DEFAULT_EXPIRY)
+        return unless valid_inputs?(username, url, secret_key, strategy)
 
         expires_at = Time.now.to_i + expires_in.to_i
-        payload = build_payload(username, url, expires_at)
+        payload = build_payload(username, url, expires_at, strategy)
         signature = generate_signature(secret_key, payload)
 
-        new(username: username, url: url, expires_at: expires_at, signature: signature)
+        new(username: username, url: url, expires_at: expires_at, signature: signature, strategy: strategy)
       end
 
       def self.decode(encoded_token) # rubocop:disable Metrics/MethodLength
@@ -35,7 +35,8 @@ def self.decode(encoded_token) # rubocop:disable Metrics/MethodLength
           username: payload[:u],
           url: payload[:l],
           expires_at: payload[:e],
-          signature: token_data[:s]
+          signature: token_data[:s],
+          strategy: payload[:t]
         )
       rescue JSON::ParserError, ArgumentError, Zlib::DataError, Zlib::BufError
         nil
@@ -74,11 +75,15 @@ def valid_signature?(secret_key)
       private
 
       def payload_for_signature
-        { username: username, url: url, expires_at: expires_at }
+        payload = { username: username, url: url, expires_at: expires_at }
+        payload[:strategy] = strategy if strategy
+        payload
       end
 
       def build_token_data
-        { p: { u: username, l: url, e: expires_at }, s: signature }
+        payload = { u: username, l: url, e: expires_at }
+        payload[:t] = strategy if strategy
+        { p: payload, s: signature }
       end
 
       def secure_compare(first, second) # rubocop:disable Naming/PredicateMethod
@@ -88,8 +93,8 @@ def secure_compare(first, second) # rubocop:disable Naming/PredicateMethod
       end
 
       class << self
-        def build_payload(username, url, expires_at)
-          { username: username, url: url, expires_at: expires_at }
+        def build_payload(username, url, expires_at, strategy)
+          { username: username, url: url, expires_at: expires_at, strategy: strategy }
         end
 
         def generate_signature(secret_key, payload)
@@ -112,8 +117,9 @@ def valid_token_data?(token_data)
             COMPRESSED_PAYLOAD_KEYS.all? { |key| payload[key] }
         end
 
-        def valid_inputs?(username, url, secret_key)
-          valid_username?(username) && UrlValidator.valid_url?(url) && valid_secret_key?(secret_key)
+        def valid_inputs?(username, url, secret_key, strategy)
+          valid_username?(username) && UrlValidator.valid_url?(url) && valid_secret_key?(secret_key) &&
+            valid_strategy?(strategy)
         end
 
         def valid_username?(username)
@@ -123,6 +129,10 @@ def valid_username?(username)
         def valid_secret_key?(secret_key)
           secret_key.is_a?(String) && !secret_key.empty?
         end
+
+        def valid_strategy?(strategy)
+          strategy.is_a?(String) && !strategy.empty? && strategy.length <= 50 && strategy.match?(/\A[a-z0-9_]+\z/)
+        end
       end
     end
   end

spec/html2rss/web/api/v1_spec.rb

@@ -69,6 +69,7 @@ def app = Html2rss::Web::App.freeze.app
                     .create_with_validation(
                       username: 'ghost',
                       url: feed_url,
+                      strategy: 'ssrf_filter',
                       secret_key: ENV.fetch('HTML2RSS_SECRET_KEY')
                     )
                     .encode
@@ -82,15 +83,18 @@ def app = Html2rss::Web::App.freeze.app
       expect(response_data.dig('error', 'message')).to eq('Account not found')
     end
 
-    it 'returns bad request when strategy is unsupported', :aggregate_failures do # rubocop:disable RSpec/ExampleLength
-      token = Html2rss::Web::Auth.generate_feed_token('admin', feed_url)
+    it 'ignores query param strategy overrides', :aggregate_failures do # rubocop:disable RSpec/ExampleLength
+      token = Html2rss::Web::Auth.generate_feed_token('admin', feed_url, strategy: 'ssrf_filter')
+
+      allow(Html2rss::Web::AutoSource).to receive(:generate_feed_object)
+        .and_return(instance_double('Html2rss::Feed', channel: instance_double('Html2rss::FeedChannel', ttl: 10)))
+      allow(Html2rss::Web::FeedGenerator).to receive(:process_feed_content)
+        .and_return('<rss version="2.0"></rss>')
 
       get "/api/v1/feeds/#{token}", strategy: 'bad'
 
-      expect(last_response.status).to eq(400)
-      response_data = JSON.parse(last_response.body)
-      expect(response_data['success']).to be false
-      expect(response_data.dig('error', 'message')).to eq('Unsupported strategy')
+      expect(last_response.status).to eq(200)
+      expect(last_response.content_type).to include('application/xml')
     end
   end
 

spec/html2rss/web/app_integration_spec.rb

@@ -35,7 +35,8 @@
 
   before do
     allow(Html2rss::Web::LocalConfig).to receive(:yaml).and_return(accounts_config)
-    token_payload = instance_double(Html2rss::Web::FeedToken, url: feed_url, username: account[:username])
+    token_payload = instance_double(Html2rss::Web::FeedToken, url: feed_url, username: account[:username],
+                                                           strategy: 'ssrf_filter')
     allow(Html2rss::Web::FeedToken).to receive_messages(
       decode: token_payload,
       validate_and_decode: token_payload
@@ -73,12 +74,11 @@
       expect(last_response.body).to eq('<rss version="2.0"></rss>')
     end
 
-    it 'returns bad request for unsupported strategy', :aggregate_failures do
+    it 'ignores query param strategy overrides', :aggregate_failures do
       get "/api/v1/feeds/#{feed_token}", { 'strategy' => 'invalid' }
 
-      expect(last_response.status).to eq(400)
-      expect(last_response.content_type).to include('application/json')
-      expect(json_body).to include('error' => include('message' => 'Unsupported strategy'))
+      expect(last_response.status).to eq(200)
+      expect(last_response.content_type).to include('application/xml')
     end
   end
 
@@ -124,7 +124,8 @@
         post '/api/v1/feeds', '{ invalid', json_headers
 
         expect(last_response.status).to eq(400)
-        expect(last_response.body).to be_empty
+        expect(last_response.content_type).to include('application/json')
+        expect(json_body).to include('error' => include('message' => 'Invalid JSON payload'))
       end
 
       it 'returns bad request when URL is missing', :aggregate_failures do # rubocop:disable RSpec/ExampleLength