Add OpenGraph card previews for Mattermost link unfurling #19

Closed
raheelkhan wants to merge 2 commits into main from devops/fizzy-819-card-preview

@raheelkhan

Summary

Enables Mattermost to show rich link previews when someone posts a Fizzy card URL. Since Fizzy requires authentication, Mattermost's server-side link fetcher was hitting the login page and getting no OG meta tags.

Solution: For unauthenticated requests from trusted VPC IPs, CardsController#show serves a minimal HTML page with just OpenGraph meta tags (title, description, image). Authenticated users and requests from outside the VPC get the normal behavior.

Changes

  • app/controllers/concerns/opengraph_preview.rb — Concern that checks request.remote_ip against CIDRs in OPENGRAPH_TRUSTED_CIDRS env var
  • app/controllers/cards_controller.rb — show action skips auth for trusted IPs, serves OG-only HTML response
  • app/views/cards/opengraph.html.erb — Minimal HTML with og:title, og:description, og:image, og:url meta tags (reuses existing card_social_tags helper)
  • infra/lib/constructs/service.ts — Injects OPENGRAPH_TRUSTED_CIDRS from vpc.vpcCidrBlock (resolves to 10.1.0.0/16)
  • infra/cdk.context.json — Added Production VPC context cache
  • justfile + infra/scripts/ — CDK wrapper scripts and justfile matching nexus infra patterns

How it works

  1. Someone posts a Fizzy card URL in Mattermost (e.g. https://fizzy.zarhq.dev/0000001/cards/316)
  2. Mattermost server (same VPC) fetches the URL to extract link preview metadata
  3. Fizzy checks request.remote_ip against OPENGRAPH_TRUSTED_CIDRS
  4. Trusted IP + unauthenticated = serve minimal HTML with OG meta tags
  5. Mattermost renders the card preview with title, description, and image

Security

  • Only IPs within the VPC CIDR can access OG tags without authentication
  • External/untrusted requests still get the normal login redirect
  • No sensitive card data exposed — only title, description excerpt (200 chars), and image URL

Test plan

  • Deploy to DevOps and verify OPENGRAPH_TRUSTED_CIDRS is set to 10.1.0.0/16 in task definition
  • From within the VPC, curl a card URL without auth and confirm OG meta tags are returned
  • From outside the VPC, confirm the same URL redirects to login
  • Post a Fizzy card URL in Mattermost and verify the link preview renders
  • Confirm authenticated users still see the full card view normally

🤖 Generated with Claude Code
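
The CIDR check described in the PR, as an added example that is not the PR's own code: a plain-Ruby sketch that parses OPENGRAPH_TRUSTED_CIDRS and matches a client address, failing closed on empty or malformed input. The `TrustedCidrs` module and its method names are hypothetical; in Rails the address would come from `request.remote_ip`, whose value depends on the app's trusted-proxy configuration.

```ruby
require "ipaddr"

# Hypothetical helper (not from the PR): allowlist check for the
# OPENGRAPH_TRUSTED_CIDRS variable the PR describes.
module TrustedCidrs
  module_function

  # Parse a comma-separated CIDR list. Malformed entries are dropped so a
  # typo can never widen the allowlist; an empty result trusts nobody.
  def parse(raw)
    raw.to_s.split(",").map(&:strip).reject(&:empty?).filter_map do |entry|
      IPAddr.new(entry)
    rescue IPAddr::Error
      nil
    end
  end

  # True only when +ip+ is a valid address inside one of +cidrs+.
  def trusted?(ip, cidrs)
    text = ip.to_s.strip
    return false if text.empty?

    addr = IPAddr.new(text)
    # Dual-stack listeners can report ::ffff:10.1.2.3 for an IPv4 peer.
    addr = addr.native if addr.ipv4_mapped?
    cidrs.any? { |cidr| cidr.include?(addr) }
  rescue IPAddr::Error
    false
  end

  # Decision from the PR's "How it works": OG-only HTML is served solely to
  # unauthenticated requests from a trusted address.
  def serve_opengraph?(ip:, authenticated:, cidrs:)
    !authenticated && trusted?(ip, cidrs)
  end
end

# Constructed sample value; 10.1.0.0/16 is the VPC CIDR named in the PR.
CIDRS = TrustedCidrs.parse("10.1.0.0/16, not-a-cidr")
```
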

raheelkhan and others added 2 commits March 17, 2026 02:31
Mattermost link previews need OG meta tags, but card pages require auth.
This serves minimal OG HTML to unauthenticated requests from the VPC CIDR,
enabling Mattermost to unfurl card links with title/description/image.

Also adds justfile and infra scripts matching nexus patterns.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@raheelkhan
Author

Unnecessarily complex. Closing this. Better to have the plugin talk to Fizzy with a Bearer Token.

@raheelkhan raheelkhan closed this Mar 16, 2026
@raheelkhan raheelkhan deleted the devops/fizzy-819-card-preview branch March 16, 2026 21:59