feat/trusted media build env var #133

Merged: matheusfillipe merged 2 commits into main from feat/trusted-media-build-env-var on May 4, 2026
@matheusfillipe matheusfillipe commented Jan 30, 2026

Fixes #131

Summary by CodeRabbit

  • New Features

    • Added configuration support for specifying trusted media URLs, enabling fine-grained control over which external media sources are automatically displayed.
    • Enhanced media visibility logic for avatars and preview images based on trusted source status.
  • Documentation

    • Updated architecture and build documentation with guidance on trusted media configuration and security handling.
  • Chores

    • Version bump to 0.2.4.

coderabbitai Bot commented Jan 30, 2026

Walkthrough

This PR introduces a new VITE_TRUSTED_MEDIA_URLS environment variable for specifying globally trusted media sources. A new isUrlFromTrustedSource utility function validates URLs against server filehost or global trusted URLs, enabling components to conditionally display media based on trust status and user preferences.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Configuration & Build Setup: .env.example, BUILD.md, ARCHITECTURE.md, Dockerfile, package.json | Added VITE_TRUSTED_MEDIA_URLS environment variable documentation and build configuration; version bumped to 0.2.4; Docker build arguments updated to propagate the new variable. |
| Type & Vite Definitions: src/vite-env.d.ts, vite.config.ts | Added global ambient type __TRUSTED_MEDIA_URLS__ as string array; vite.config.ts parses comma-separated VITE_TRUSTED_MEDIA_URLS into string array with empty array fallback. |
| URL Trust Validation: src/lib/ircUtils.tsx | Introduced new exported function isUrlFromTrustedSource that validates URLs against server filehost or globally configured trusted media URLs, returning boolean. |
| Message Components: src/components/message/LinkPreview.tsx, src/components/message/MessageAvatar.tsx, src/components/message/MessageItem.tsx | Added serverId prop to LinkPreview and MessageItem for server context; updated LinkPreview and MessageAvatar to use isUrlFromTrustedSource for trust-based image visibility decisions; replaced isUrlFromFilehost with trust validation logic. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐰 A leap through trusted URLs so fine,
Media sources now align,
With global configs neatly stored,
Each image checked before 'tis poured—
Safe browsing hops, both far and near! 🌐✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'feat/trusted media build env var' accurately describes the main changeset—adding a new VITE_TRUSTED_MEDIA_URLS environment variable for configuring trusted media sources across build and deployment configurations. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |

@github-actions

Pages Preview
Preview URL: https://feat-trusted-media-build-env.obsidianirc.pages.dev

Automated deployment preview for the PR in the Cloudflare Pages.

@matheusfillipe matheusfillipe added the DO NOT MERGE Untested, placeholders, just not meant to be merged yet or ever. label Jan 30, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
src/components/message/LinkPreview.tsx (1)

26-32: Consider using a reactive selector for server lookup.

The useStore.getState().servers.find(...) call retrieves server data outside React's reactivity system. If the server's filehost property changes after mount, this component won't re-render with the updated value.

This is consistent with the pattern in MessageAvatar.tsx, so it may be intentional for performance reasons (avoiding re-renders on unrelated server changes). If reactivity is needed, consider a selector:

const server = useStore((state) =>
  serverId ? state.servers.find((s) => s.id === serverId) : null
);

Comment thread .env.example
Comment on lines +9 to +10
# Optional comma-separated list of trusted media URLs (for chat bridge image proxies like Matterbridge, Matrix bridges)
VITE_TRUSTED_MEDIA_URLS="https://matterbridge.example.com,https://matrix-media.example.com"

⚠️ Potential issue | 🟡 Minor

Avoid quoted value to satisfy dotenv-linter and reduce copy/paste confusion.
The example value works without quotes; dropping them removes the lint warning.

🛠️ Suggested tweak
-VITE_TRUSTED_MEDIA_URLS="https://matterbridge.example.com,https://matrix-media.example.com"
+VITE_TRUSTED_MEDIA_URLS=https://matterbridge.example.com,https://matrix-media.example.com
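Review bot: the comment line above `VITE_TRUSTED_MEDIA_URLS` does not say what form an entry must take (bare origin or URL prefix, with or without a trailing slash, whether plain http is acceptable). This list decides which external media is displayed automatically and .env.example is the file operators copy from, so the comment should state the expected entry format and warn against trailing commas and blank items. The quote removal itself is cosmetic for the build, since vite.config.ts already strips surrounding quotes from the value.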
🧰 Tools
🪛 dotenv-linter (4.0.0)

[warning] 10-10: [QuoteCharacter] The value has quote characters (', ")

(QuoteCharacter)

🤖 Prompt for AI Agents
In @.env.example around lines 9 - 10, Remove the surrounding quotes from the
example value for the VITE_TRUSTED_MEDIA_URLS variable in .env.example (update
VITE_TRUSTED_MEDIA_URLS="https://matterbridge.example.com,https://matrix-media.example.com"
to
VITE_TRUSTED_MEDIA_URLS=https://matterbridge.example.com,https://matrix-media.example.com)
so it satisfies dotenv-linter and avoids copy/paste confusion while keeping the
same comma-separated trusted URLs.

Comment thread vite.config.ts
'__DEFAULT_IRC_CHANNELS__': process.env.VITE_DEFAULT_IRC_CHANNELS ? process.env.VITE_DEFAULT_IRC_CHANNELS.replace(/^['"]|['"]$/g, '').split(',').map(ch => ch.trim()) : [],
'__HIDE_SERVER_LIST__': process.env.VITE_HIDE_SERVER_LIST === 'true',
'__BACKEND_URL__': JSON.stringify(process.env.VITE_BACKEND_URL || 'http://localhost:8080'),
'__TRUSTED_MEDIA_URLS__': process.env.VITE_TRUSTED_MEDIA_URLS ? process.env.VITE_TRUSTED_MEDIA_URLS.replace(/^['"]|['"]$/g, '').split(',').map(url => url.trim()) : [],
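Review bot: the quote-stripping regex on the `__TRUSTED_MEDIA_URLS__` line is anchored to the start and end of the whole value, so a list whose items are quoted individually keeps stray quote characters inside its entries, and those entries then silently fail to match the intended URLs. The same replace/split/map chain already appears on the `__DEFAULT_IRC_CHANNELS__` line, so a small shared helper that strips quotes per entry and drops empty items would fix both and keep the two in sync.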

⚠️ Potential issue | 🟠 Major

Filter empty entries to avoid accidentally trusting all URLs.
If the list contains a trailing comma or blank item, an empty string can sneak into the array. Downstream checks that use prefix matching could then treat every URL as trusted.

✅ Suggested fix
-      '__TRUSTED_MEDIA_URLS__': process.env.VITE_TRUSTED_MEDIA_URLS ? process.env.VITE_TRUSTED_MEDIA_URLS.replace(/^['"]|['"]$/g, '').split(',').map(url => url.trim()) : [],
+      '__TRUSTED_MEDIA_URLS__': process.env.VITE_TRUSTED_MEDIA_URLS
+        ? process.env.VITE_TRUSTED_MEDIA_URLS
+            .replace(/^['"]|['"]$/g, '')
+            .split(',')
+            .map((url) => url.trim())
+            .filter(Boolean)
+        : [],
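Review bot: `.filter(Boolean)` on the added lines closes the empty-string case only; every other non-empty entry is still accepted verbatim. If the downstream check is prefix-based, as the comment above assumes, an entry without a trailing slash also matches a different host whose name merely begins with the same characters, and a very short entry such as `https` would trust almost everything. Consider parsing each entry with `new URL(...)` at build time, keeping only `https:` origins, failing the build on entries that do not parse, and comparing origins rather than string prefixes in `isUrlFromTrustedSource`.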
🤖 Prompt for AI Agents
In `@vite.config.ts` at line 29, The '__TRUSTED_MEDIA_URLS__' env parsing
currently splits and trims but can leave empty strings (e.g., trailing commas),
so update the expression that constructs this array to remove any empty entries
after trimming (for example by adding a .filter(...) that keeps only non-empty
strings) so downstream prefix checks don't treat an empty string as matching
everything; locate the expression assigning '__TRUSTED_MEDIA_URLS__' in
vite.config.ts and add the filter step after .map(url => url.trim()).
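
The failure mode raised in the review above, as an added example that is not part of the PR or the project's code: it shows how a trailing comma yields an empty entry that prefix matching treats as trusting every URL, next to an origin-based alternative. The function names and sample URLs are constructed, and the prefix check is an assumption, since the implementation of isUrlFromTrustedSource is not shown on this page.

```javascript
// Added example; function names are hypothetical, not the project's own code.

// Parsing as on the original vite.config.ts line: strip outer quotes, split, trim.
function parseNaive(raw) {
  return raw.replace(/^['"]|['"]$/g, '').split(',').map((u) => u.trim());
}

// Hardened parsing: skip empty or unparseable items, keep https origins only.
function parseTrustedOrigins(raw) {
  const origins = new Set();
  for (const item of raw.replace(/^['"]|['"]$/g, '').split(',')) {
    const entry = item.trim();
    if (!entry) continue;
    try {
      const parsed = new URL(entry);
      if (parsed.protocol === 'https:') origins.add(parsed.origin);
    } catch {
      // Not a URL: ignore the entry instead of trusting it.
    }
  }
  return [...origins];
}

// Assumption: the downstream check is a string-prefix match.
function isTrustedByPrefix(url, trusted) {
  return trusted.some((prefix) => url.startsWith(prefix));
}

// Alternative: the candidate must parse and its origin must be in the list.
function isTrustedByOrigin(url, origins) {
  try {
    return origins.includes(new URL(url).origin);
  } catch {
    return false;
  }
}

// Constructed sample configuration (note the trailing comma) and URLs.
const RAW = 'https://media.example.com,';
const LISTED = 'https://media.example.com/uploads/a.png';
const UNLISTED = 'https://other.example.net/a.png';
const LOOKALIKE = 'https://media.example.com.example.net/a.png';

console.log('naive entries:', parseNaive(RAW));
console.log('prefix, unlisted:', isTrustedByPrefix(UNLISTED, parseNaive(RAW)));
console.log('origin, unlisted:', isTrustedByOrigin(UNLISTED, parseTrustedOrigins(RAW)));
console.log('origin, lookalike:', isTrustedByOrigin(LOOKALIKE, parseTrustedOrigins(RAW)));
```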

@ValwareIRC
Contributor

Lol what's with the "do not merge" label ;D needs review before can be merged

@matheusfillipe
Contributor Author

> Lol what's with the "do not merge" label ;D needs review before can be merged

Yeah. Kinda forgot about draft PRs too. I just mean this is explicitly not ready and untested.

@matheusfillipe matheusfillipe removed the DO NOT MERGE Untested, placeholders, just not meant to be merged yet or ever. label Mar 9, 2026
@ValwareIRC
Contributor

Is this ready for conflicts resolution and merge?

@matheusfillipe matheusfillipe merged commit fdd9509 into main May 4, 2026
4 checks passed
@matheusfillipe matheusfillipe deleted the feat/trusted-media-build-env-var branch May 4, 2026 17:27
Development

Successfully merging this pull request may close these issues.

Manual addition of trusted media URL in .env file
