Merge branch 'dev'

Author: AbandonedCart

.github/workflows/convert_images.yml

@@ -31,7 +31,6 @@ jobs:
           else
             IMAGEMAGICK_CMD="convert"
           fi
-
           while IFS= read -r -d '' png_file; do
             relative_path="${png_file#images/}"
             relative_base="${relative_path%.png}"
@@ -40,7 +39,15 @@ jobs:
             mkdir -p "$(dirname "${webp_file}")"
 
             if [ "${{ github.event_name }}" = "workflow_dispatch" ] || [ ! -f "${webp_file}" ]; then
-              "${IMAGEMAGICK_CMD}" "${png_file}" "${webp_file}"
+              "${IMAGEMAGICK_CMD}" "${png_file}" \
+                -strip \
+                -quality 90 \
+                -define webp:lossless=false \
+                -define webp:method=6 \
+                -define webp:auto-filter=true \
+                -define webp:alpha-quality=100 \
+                -define webp:use-sharp-yuv=true \
+                "${webp_file}"
               echo "${webp_file}" >> /tmp/converted_webp_files.txt
             fi
           done < <(find images -type f -name '*.png' -print0)
@@ -63,6 +70,6 @@ jobs:
 
           git config --local user.name 'AmiiboAPI (Automated)'
           git config --local user.email '41898282+github-actions[bot]@users.noreply.github.com'
-          if git commit -m "[Automated] Add missing WebP images"; then
+          if git commit -m "[Automated] Convert PNG to WebP images"; then
             git push
           fi

Dockerfile

@@ -11,6 +11,10 @@ WORKDIR /usr/src/app
 
 COPY --from=0 /amiiboapi .
 RUN [ "find", "." ]
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends certbot cron curl ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
 RUN pip install --no-cache-dir -r requirements.txt
+RUN chmod +x /usr/src/app/deploy/certbot/bootstrap.sh /usr/src/app/deploy/certbot/renew.sh /usr/src/app/deploy/start.sh
 
-CMD [ "python", "./app.py" ]
+CMD [ "/usr/src/app/deploy/start.sh" ]

README.md

@@ -44,6 +44,35 @@ More APIs examples can be found here: [https://www.amiiboapi.org/docs/](https://
 Click on the `Deploy to Heroku` button and you are good to go!
 *Heroku is a paid service and requires an account to use*
 
+### SSL / Certbot auto-renewal
+Certbot is included for container/self-hosted deployments with automatic renewal.
+
+- Default certificate domain: `amiiboapi.org`
+- Default webroot for ACME challenges: `/var/www/certbot`
+- Renewal schedule: twice daily at `03:00` and `15:00` server time via cron
+
+#### Environment variables
+- `ENABLE_CERTBOT_AUTO_SSL` (default: `1`) enable/disable Certbot bootstrap and renewal setup on container startup
+- `CERTBOT_DOMAIN` (default: `amiiboapi.org`) domain to issue/renew certificates for
+- `CERTBOT_EMAIL` (default: `ssl-admin@amiiboapi.org`) email used for Let's Encrypt registration
+- `CERTBOT_WEBROOT` (default: `/var/www/certbot`) ACME challenge webroot
+- `CERTBOT_STAGING` (default: `0`) set to `1` to use Let's Encrypt staging
+- `CERTBOT_FORCE_BOOTSTRAP` (default: `0`) set to `1` to force re-running initial certificate issuance
+- `CERTBOT_RELOAD_COMMAND` optional command run after successful renewals (for reverse proxies/web servers)
+
+#### Hosting-location behavior
+- **AWS EC2 / container hosts**: startup scripts detect AWS environments and request certificates with Certbot automatically.
+- **Heroku**: startup scripts detect Heroku and skip Certbot because SSL is managed by Heroku ACM.
+
+At startup, the bootstrap script checks for an existing certificate at `/etc/letsencrypt/live/<domain>/fullchain.pem`.  
+If it is missing, initial Certbot setup runs automatically; otherwise it skips issuance and keeps renewal-only behavior.
+
+#### Manual commands
+- Initial setup: `sh deploy/certbot/bootstrap.sh`
+- Renewal run: `sh deploy/certbot/renew.sh`
+
+> Renewal scheduling writes to `/etc/cron.d/certbot-renew` and uses root because Certbot certificate files are stored under `/etc/letsencrypt`; renewal output is sent to syslog with the `certbot-renew` tag.
+
 ### Credit
 - [Brickleberry19 - Amiibo IDs](https://github.com/Brickleberry19)
 - [JSON script source](https://script.google.com/d/143u0RLuppsmYJ0B3wzo6i0jZYSfIFV2NLJMHPM-Sqczpr9bLwdffc-Wx/edit?usp=sharing)

app.py

@@ -5,13 +5,16 @@
 @copyright: Copyright 2017, AmiiboAPI
 @license: MIT License
 """
+import os
+import re
 import colors
 
 from rfc3339 import rfc3339
 
-from flask import Flask, jsonify, make_response, render_template, request
+from flask import Flask, abort, jsonify, make_response, render_template, request, send_from_directory
 from flask_compress import Compress
 from flask_cors import CORS
+from werkzeug.exceptions import NotFound
 
 from commons.amiibo_json_encounter import AmiiboJSONEncoder
 from amiibo.manager import AmiiboManager
@@ -58,6 +61,18 @@ def documentation():
 def faqPage():
     return render_template('faq.html')
 
+
+@app.route('/.well-known/acme-challenge/<path:filename>')
+def certbot_challenge(filename):
+    if not re.fullmatch(r"[A-Za-z0-9_-]+", filename):
+        abort(404)
+    webroot = os.getenv("CERTBOT_WEBROOT", "/var/www/certbot")
+    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
+    try:
+        return send_from_directory(challenge_dir, filename)
+    except (FileNotFoundError, NotFound):
+        abort(404)
+
 # Handle 400 as json or else Flask will use html as default.
 @app.errorhandler(400)
 def bad_request(e):