youtube shorts in readability

Prior to this commit, `MediaLinks` were always returned as `nil`.
Peeking a bit I figured that's becuase the argument to `MediaLinks.Scan`
is in fact a string, and not a `[]byte` as the code expects. I guess
that might be because `media_links` is a `json` (not `jsonb`) column in
sqlite. I have no idea which of the two is best to use for the DB side,
but it's easy to make the code support both.

.gitignore

@@ -6,3 +6,4 @@
 *.db-wal
 *.syso
 versioninfo.rc
+.DS_Store

doc/changelog.md

@@ -1,7 +1,12 @@
 # upcoming
 
 - (new) serve on unix socket (thanks to @rvighne)
+- (new) more auto-refresh options: 12h & 24h (thanks to @aswerkljh for suggestion)
 - (fix) smooth scrolling on iOS (thanks to gatheraled)
+- (fix) displaying youtube shorts in "Read Here" (thanks to @Dean-Corso for the report)
+- (etc) theme-color support (thanks to @asimpson)
+- (etc) cookie security measures (thanks to Tom Fitzhenry)
+- (etc) restrict access to internal IPs for page crawler (thanks to Omar Kurt)
 
 # v2.5 (2025-03-26)
 

makefile

@@ -5,6 +5,7 @@ GO_TAGS    = sqlite_foreign_keys sqlite_json
 GO_LDFLAGS = -s -w -X 'main.Version=$(VERSION)' -X 'main.GitHash=$(GITHASH)'
 
 GO_FLAGS         = -tags "$(GO_TAGS)"     -ldflags="$(GO_LDFLAGS)"
+GO_FLAGS_DEBUG   = -tags "$(GO_TAGS) debug"
 GO_FLAGS_GUI     = -tags "$(GO_TAGS) gui" -ldflags="$(GO_LDFLAGS)"
 GO_FLAGS_GUI_WIN = -tags "$(GO_TAGS) gui" -ldflags="$(GO_LDFLAGS) -H windowsgui"
 
@@ -75,7 +76,7 @@ windows_arm64_gui: src/platform/versioninfo.rc
 	GOOS=windows GOARCH=arm64 go build $(GO_FLAGS_GUI_WIN) -o out/$@/yarr.exe ./cmd/yarr
 
 serve:
-	go run $(GO_FLAGS) ./cmd/yarr -db local.db
+	go run $(GO_FLAGS_DEBUG) ./cmd/yarr -db local.db
 
 test:
 	go test $(GO_FLAGS) ./...

src/assets/assetsfs.go

@@ -1,3 +1,5 @@
+//go:build !debug
+
 package assets
 
 import "embed"

src/assets/graphicarts/chevron-down.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-chevron-down"><polyline points="6 9 12 15 18 9"></polyline></svg>

src/assets/graphicarts/chevron-up.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-chevron-up"><polyline points="18 15 12 9 6 15"></polyline></svg>

src/assets/index.html

@@ -8,6 +8,7 @@
     <link rel="icon" href="./static/graphicarts/favicon.svg" type="image/svg+xml">
     <link rel="alternate icon" href="./static/graphicarts/favicon.png" type="image/png">
     <link rel="manifest" href="./manifest.json" />
+    <meta name="theme-color" content="" />
     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
     <script>
         window.app = window.app || {}
@@ -23,21 +24,21 @@
             <div class="p-2 toolbar d-flex align-items-center">
                 <div class="icon mx-2">{% inline "anchor.svg" %}</div>
                 <div class="flex-grow-1"></div>
-                <button class="toolbar-item"
+                <button class="toolbar-item ml-1"
                         :class="{active: filterSelected == 'unread'}"
                         :aria-pressed="filterSelected == 'unread'"
                         title="Unread"
                         @click="filterSelected = 'unread'">
                     <span class="icon">{% inline "circle-full.svg" %}</span>
                 </button>
-                <button class="toolbar-item"
+                <button class="toolbar-item mx-1"
                         :class="{active: filterSelected == 'starred'}"
                         :aria-pressed="filterSelected == 'starred'"
                         title="Starred"
                         @click="filterSelected = 'starred'">
                     <span class="icon">{% inline "star-full.svg" %}</span>
                 </button>
-                <button class="toolbar-item"
+                <button class="toolbar-item mr-1"
                         :class="{active: filterSelected == ''}"
                         :aria-pressed="filterSelected == ''"
                         title="All"
@@ -78,12 +79,20 @@
 
                     <header class="dropdown-header" role="heading" aria-level="2">Auto Refresh</header>
                     <div class="row text-center m-0">
-                        <button class="dropdown-item col-4 px-0" :aria-pressed="!refreshRate"       :class="{active: !refreshRate}"       @click.stop="refreshRate = 0">0</button>
+                        <button class="dropdown-item col-4 px-0"
-                        <button class="dropdown-item col-4 px-0" :aria-pressed="refreshRate == 10"  :class="{active: refreshRate == 10}"  @click.stop="refreshRate = 10">10m</button>
+                                @click.stop="changeRefreshRate(-1)"
-                        <button class="dropdown-item col-4 px-0" :aria-pressed="refreshRate == 30"  :class="{active: refreshRate == 30}"  @click.stop="refreshRate = 30">30m</button>
+                                :disabled="!refreshRate">
-                        <button class="dropdown-item col-4 px-0" :aria-pressed="refreshRate == 60"  :class="{active: refreshRate == 60}"  @click.stop="refreshRate = 60">1h</button>
+                            <span class="icon">
-                        <button class="dropdown-item col-4 px-0" :aria-pressed="refreshRate == 120" :class="{active: refreshRate == 120}" @click.stop="refreshRate = 120">2h</button>
+                                {% inline "chevron-down.svg" %}
-                        <button class="dropdown-item col-4 px-0" :aria-pressed="refreshRate == 240" :class="{active: refreshRate == 240}" @click.stop="refreshRate = 240">4h</button>
+                            </span>
+                        </button>
+                        <div class="col-4 d-flex align-items-center justify-content-center">{{ refreshRateTitle }}</div>
+                        <button class="dropdown-item col-4 px-0"
+                                @click.stop="changeRefreshRate(1)" :disabled="refreshRate === refreshRateOptions.at(-1).value">
+                            <span class="icon">
+                                {% inline "chevron-up.svg" %}
+                            </span>
+                        </button>
                     </div>
 
                     <div class="dropdown-divider"></div>
@@ -135,10 +144,8 @@
                 </label>
                 <div v-for="folder in foldersWithFeeds">
                     <label class="selectgroup mt-1"
-                           :class="{'d-none': filterSelected
+                           :class="{'d-none': mustHideFolder(folder)}"
-                                              && !(current.folder.id == folder.id || current.feed.folder_id == folder.id)
+                           v-if="folder.id">
-                                              && !filteredFolderStats[folder.id]
-                                              && (!itemSelectedDetails || (feedsById[itemSelectedDetails.feed_id] || {}).folder_id != folder.id)}">
                         <input type="radio" name="feed" :value="'folder:'+folder.id" v-model="feedSelected" v-if="folder.id">
                         <div class="selectgroup-label d-flex align-items-center w-100" v-if="folder.id">
                             <span class="icon mr-2"
@@ -152,10 +159,7 @@
                     </label>
                     <div v-show="!folder.id || folder.is_expanded" class="mt-1" :class="{'pl-3': folder.id}">
                         <label class="selectgroup"
-                              :class="{'d-none': filterSelected
+                              :class="{'d-none': mustHideFeed(feed)}"
-                                                 && !(current.feed.id == feed.id)
-                                                 && !filteredFeedStats[feed.id]
-                                                 && (!itemSelectedDetails || itemSelectedDetails.feed_id != feed.id)}"
                                v-for="feed in folder.feeds">
                             <input type="radio" name="feed" :value="'feed:'+feed.id" v-model="feedSelected">
                             <div class="selectgroup-label d-flex align-items-center w-100">
@@ -419,6 +423,7 @@
                     <tr><td colspan=2>&nbsp;</td></tr>
                     <tr><td><kbd>j</kbd> <kbd>k</kbd></td>  <td>next / prev article</td></tr>
                     <tr><td><kbd>l</kbd> <kbd>h</kbd></td>  <td>next / prev feed</td></tr>
+                    <tr><td><kbd>q</kbd></td>               <td>close article</td></tr>
 
                     <tr><td colspan=2>&nbsp;</td></tr>
                     <tr><td><kbd>R</kbd></td>               <td>mark all read</td></tr>

src/assets/javascripts/app.js

@@ -211,6 +211,7 @@ var vm = new Vue({
     api.feeds.list_errors().then(function(errors) {
       vm.feed_errors = errors
     })
+    this.updateMetaTheme(app.settings.theme_name)
   },
   data: function() {
     var s = app.settings
@@ -249,9 +250,25 @@ var vm = new Vue({
         'font': s.theme_font,
         'size': s.theme_size,
       },
+      'themeColors': {
+        'night': '#0e0e0e',
+        'sepia': '#f4f0e5',
+        'light': '#fff',
+      },
       'refreshRate': s.refresh_rate,
       'authenticated': app.authenticated,
       'feed_errors': {},
+
+      'refreshRateOptions': [
+        { title: "0", value: 0 },
+        { title: "10m", value: 10 },
+        { title: "30m", value: 30 },
+        { title: "1h", value: 60 },
+        { title: "2h", value: 120 },
+        { title: "4h", value: 240 },
+        { title: "12h", value: 720 },
+        { title: "24h", value: 1440 },
+      ],
     }
   },
   computed: {
@@ -309,12 +326,17 @@ var vm = new Vue({
     contentVideos: function() {
       if (!this.itemSelectedDetails) return []
       return (this.itemSelectedDetails.media_links || []).filter(l => l.type === 'video')
-    }
+    },
+    refreshRateTitle: function () {
+      const entry = this.refreshRateOptions.find(o => o.value === this.refreshRate)
+      return entry ? entry.title : '0'
+    },
   },
   watch: {
     'theme': {
       deep: true,
       handler: function(theme) {
+        this.updateMetaTheme(theme.name)
         document.body.classList.value = 'theme-' + theme.name
         api.settings.update({
           theme_name: theme.name,
@@ -390,6 +412,9 @@ var vm = new Vue({
     },
   },
   methods: {
+    updateMetaTheme: function(theme) {
+      document.querySelector("meta[name='theme-color']").content = this.themeColors[theme]
+    },
     refreshStats: function(loopMode) {
       return api.status().then(function(data) {
         if (loopMode && !vm.itemSelected) vm.refreshItems()
@@ -753,9 +778,16 @@ var vm = new Vue({
     // navigation helper, navigate relative to selected feed
     navigateToFeed: function(relativePosition) {
       let vm = this
-      var navigationList = Array.from(document.querySelectorAll('#col-feed-list input[name=feed]'))
+      const navigationList = this.foldersWithFeeds
-        .filter(function(r) { return r.offsetParent !== null && r.value !== 'folder:null' })
+        .filter(folder => !folder.id || !vm.mustHideFolder(folder))
-        .map(function(r) { return r.value })
+        .map((folder) => {
+          if (this.mustHideFolder(folder)) return []
+          const folds = folder.id ? [`folder:${folder.id}`] : []
+          const feeds = (folder.is_expanded || !folder.id) ? folder.feeds.filter(f => !vm.mustHideFeed(f)).map(f => `feed:${f.id}`) : []
+          return folds.concat(feeds)
+        })
+        .flat()
+      navigationList.unshift('')
 
       var currentFeedPosition = navigationList.indexOf(vm.feedSelected)
 
@@ -778,6 +810,24 @@ var vm = new Vue({
         if (target && scroll) scrollto(target, scroll)
       })
     },
+    changeRefreshRate: function(offset) {
+      const curIdx = this.refreshRateOptions.findIndex(o => o.value === this.refreshRate)
+      if (curIdx <= 0 && offset < 0) return
+      if (curIdx >= (this.refreshRateOptions.length - 1) && offset > 0) return
+      this.refreshRate = this.refreshRateOptions[curIdx + offset].value
+    },
+    mustHideFolder: function (folder) {
+      return this.filterSelected
+        && !(this.current.folder.id == folder.id || this.current.feed.folder_id == folder.id)
+        && !this.filteredFolderStats[folder.id]
+        && (!this.itemSelectedDetails || (this.feedsById[this.itemSelectedDetails.feed_id] || {}).folder_id != folder.id)
+    },
+    mustHideFeed: function (feed) {
+      return this.filterSelected
+        && !(this.current.feed.id == feed.id)
+        && !this.filteredFeedStats[feed.id]
+        && (!this.itemSelectedDetails || this.itemSelectedDetails.feed_id != feed.id)
+    },
   }
 })
 

src/assets/javascripts/key.js

@@ -60,6 +60,9 @@ var shortcutFunctions = {
   scrollBackward: function() {
     helperFunctions.scrollContent(-1)
   },
+  closeItem: function () {
+    vm.itemSelected = null
+  },
   showAll() {
     vm.filterSelected = ''
   },
@@ -85,6 +88,7 @@ var keybindings = {
   "h": shortcutFunctions.previousFeed,
   "f": shortcutFunctions.scrollForward,
   "b": shortcutFunctions.scrollBackward,
+  "q": shortcutFunctions.closeItem,
   "1": shortcutFunctions.showUnread,
   "2": shortcutFunctions.showStarred,
   "3": shortcutFunctions.showAll,
@@ -103,6 +107,7 @@ var codebindings = {
   "KeyH": shortcutFunctions.previousFeed,
   "KeyF": shortcutFunctions.scrollForward,
   "KeyB": shortcutFunctions.scrollBackward,
+  "KeyQ": shortcutFunctions.closeItem,
   "Digit1": shortcutFunctions.showUnread,
   "Digit2": shortcutFunctions.showStarred,
   "Digit3": shortcutFunctions.showAll,

src/content/silo/iframe.go

@@ -22,6 +22,8 @@ func VideoIFrame(link string) string {
 	youtubeID := ""
 	if l.Host == "www.youtube.com" && l.Path == "/watch" {
 		youtubeID = l.Query().Get("v")
+	} else if l.Host == "www.youtube.com" && strings.HasPrefix(l.Path, "/shorts/") {
+		youtubeID = strings.TrimPrefix(l.Path, "/shorts/")
 	} else if l.Host == "youtu.be" {
 		youtubeID = strings.TrimLeft(l.Path, "/")
 	}

src/platform/open_etc.go

@@ -1,4 +1,4 @@
-//go:build linux || freebsd
+//go:build linux || freebsd || openbsd
 
 package platform
 

src/server/auth/auth.go

@@ -7,7 +7,6 @@ import (
 	"encoding/hex"
 	"net/http"
 	"strings"
-	"time"
 )
 
 func IsAuthenticated(req *http.Request, username, password string) bool {
@@ -26,8 +25,10 @@ func Authenticate(rw http.ResponseWriter, username, password, basepath string) {
 	http.SetCookie(rw, &http.Cookie{
 		Name:     "auth",
 		Value:    username + ":" + secret(username, password),
-		Expires: time.Now().Add(time.Hour * 24 * 7), // 1 week,
+		MaxAge:   604800, // 1 week
 		Path:     basepath,
+		Secure:   true,
+		SameSite: http.SameSiteLaxMode,
 	})
 }
 

src/server/routes.go

@@ -34,7 +34,7 @@ func (s *Server) handler() http.Handler {
 			BasePath: s.BasePath,
 			Username: s.Username,
 			Password: s.Password,
-			Public:   []string{"/static", "/fever"},
+			Public:   []string{"/static", "/fever", "/manifest.json"},
 			DB:       s.db,
 		}
 		r.Use(a.Handler)
@@ -513,6 +513,10 @@ func (s *Server) handlePageCrawl(c *router.Context) {
 		})
 		return
 	}
+	if isInternalFromURL(url) {
+		log.Printf("attempt to access internal IP %s from %s", url, c.Req.RemoteAddr)
+		return
+	}
 
 	body, err := worker.GetBody(url)
 	if err != nil {

src/server/util.go

@@ -0,0 +1,35 @@
+package server
+
+import (
+	"net"
+	"net/url"
+	"strings"
+)
+
+func isInternalFromURL(urlStr string) bool {
+	parsedURL, err := url.Parse(urlStr)
+	if err != nil {
+		return false
+	}
+
+	host := parsedURL.Host
+
+	// Handle "host:port" format
+	if strings.Contains(host, ":") {
+		host, _, err = net.SplitHostPort(host)
+		if err != nil {
+			return false
+		}
+	}
+
+	if host == "localhost" {
+		return true
+	}
+
+	ip := net.ParseIP(host)
+	if ip == nil {
+		return false
+	}
+
+	return ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast()
+}

src/server/util_test.go

@@ -0,0 +1,31 @@
+package server
+
+import "testing"
+
+func TestIsInternalFromURL(t *testing.T) {
+	tests := []struct {
+		url      string
+		expected bool
+	}{
+		{"http://192.168.1.1:8080", true},
+		{"http://10.0.0.5", true},
+		{"http://172.16.0.1", true},
+		{"http://172.31.255.255", true},
+		{"http://172.32.0.1", false}, // outside private range
+		{"http://127.0.0.1", true},
+		{"http://127.0.0.1:7000", true},
+		{"http://127.0.0.1:7000/secret", true},
+		{"http://169.254.0.5", true},
+		{"http://localhost", true}, // resolves to 127.0.0.1
+		{"http://8.8.8.8", false},
+		{"http://google.com", false}, // resolves to public IPs
+		{"invalid-url", false},       // invalid format
+		{"", false},                  // empty string
+	}
+	for _, test := range tests {
+		result := isInternalFromURL(test.url)
+		if result != test.expected {
+			t.Errorf("isInternalFromURL(%q) = %v; want %v", test.url, result, test.expected)
+		}
+	}
+}

src/storage/item.go

@@ -54,10 +54,14 @@ type MediaLink struct {
 type MediaLinks []MediaLink
 
 func (m *MediaLinks) Scan(src any) error {
-	if data, ok := src.([]byte); ok {
+	switch data := src.(type) {
+	case []byte:
 		return json.Unmarshal(data, m)
-	}
+	case string:
+		return json.Unmarshal([]byte(data), m)
+	default:
 		return nil
+	}
 }
 
 func (m MediaLinks) Value() (driver.Value, error) {
@@ -419,7 +423,6 @@ func (s *Storage) DeleteOldItems() {
 		where status != ?
 		group by i.feed_id
 	`, itemsKeepSize, STARRED)
-
 	if err != nil {
 		log.Print(err)
 		return