feat(shortener): link + collection API — tenant-scoped, secure codes, SSRF-safe validation (B1-B2)#63
Open
PenguinzTech wants to merge 1 commit into
Open
Conversation
…des, SSRF-safe URL validation (B1-B2) Foundation of the open-source URL shortener: - Schema (models.py + DDL for postgres/mysql/sqlite, defined at startup): urls (short_code UNIQUE, tenant/team/collection FKs, expiry, click_count), collections (folders via parent_id, unique per tenant+parent), link_clicks (ip_hash only, for the redirect task). - app/urls.py + app/collections.py blueprints under /api/v1, all @auth_required + @require_scope + tenant-scoped (tenant derived from token, never body; no cross-tenant access; creator-or-tenant-admin for edits). - Short-code generation via secrets (not random); DB UNIQUE + bounded retry. - app/urlvalidation.py: scheme allowlist (blocks javascript:/data:/file:), rejects literal + resolved private/loopback/link-local/reserved/multicast/metadata IPs (IPv4 incl. decimal/hex/octal, IPv6); unresolvable public hostnames allowed (the server 301-redirects, never fetches). Reserved-path list for aliases. - rbac.py: collections:read/write/delete scopes added to role bundles. - Redirect, click-tracking, analytics, QR, and tier-gating are follow-up tasks (TODO hooks left). Tests: 595 passed, 90.92% coverage — incl. SSRF bypass payloads rejected, alias collision, tenant isolation, collection nesting/cycle prevention. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
There was a problem hiding this comment.
Sorry @PenguinzTech, you have reached your weekly rate limit of 500000 diff characters.
Please try again later or upgrade to continue using Sourcery
This was referenced Jul 14, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Feature (Track B, part 1) — shortener foundation
Stacked on #62 (base =
fix/backend-hygiene, the fully hardened backend). Targetsrelease/v0.1.x.First slice of the open-source bit.ly/short.io alternative: the data model + link & collection management API. Redirect, click-tracking, analytics, QR, and tier-gating are follow-up PRs.
urls(uniqueshort_code, tenant/team/collection FKs, expiry, click_count),collections(folders viaparent_id),link_clicks(storesip_hashonly — never raw IP).app/urls.py+app/collections.pyunder/api/v1, all@auth_required+@require_scope, tenant-scoped (tenant from token, never body; no cross-tenant access; creator-or-tenant-admin for edits).secrets-based generation (notrandom), DB UNIQUE + bounded retry on collision; reserved-path list for custom aliases.app/urlvalidation.py) — scheme allowlist; rejects literal + resolved private/loopback/link-local/reserved/metadata IPs (IPv4 incl. decimal/hex/octal, IPv6). Unresolvable public hostnames are allowed by design (the server 301-redirects, it never fetches the target).collections:read/write/deletescopes added to role bundles (urls:*/analytics:readalready existed).Tests
595 passed, 90.92% coverage — SSRF bypass payloads (169.254.169.254, 127.0.0.1, 10.x, ::1, decimal-IP, javascript:/data:/file:) rejected; alias collision; tenant isolation; collection nesting + cycle prevention.
🤖 Generated with Claude Code