[enhancement]: remote_api_tokens should use URL Patterns instead of regular expressions #7518
Open
What should this feature add?
API tokens should be registered as URL patterns instead of by regular expression.
At the moment, the obvious way (and explicitly endorsed by example configuration) to set up a token for the host private.example is:
however, that will leak the secret when given a URL like
https://malicious.example/private.example/theft.safetensors
or
https://private.example.malicious.example/theft.safetensors
It's possible to write a secure regular expression, but highly unlikely. It requires something like
^https://private\.example/
or, if you want to allow subdomains, maybe
^https://([^\[@/:]+\.)?private\.example/
In contrast, URL Patterns do not allow a hostname to accidentally match a path component, or a subdomain to be mistaken for a full host component.
Alternatives
forget patterns; strict string equality matching on hostname only.
Additional Content
A Python interface to URL Patterns is available at https://github.com/urlpattern/python-urlpattern
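The matching behaviour described in the issue above, as an added example that is not part of the original issue or the project's code: it compares an unanchored pattern, the two anchored patterns quoted in the issue, and the strict hostname-equality alternative over the issue's URLs. The `LOOSE` pattern, the use of `re.search` as the matching call, the helper names and the two "intended" URLs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of an unanchored pattern (assumption, not taken from the page).
LOOSE = r"private.example"
# Anchored patterns quoted in the issue text.
STRICT = r"^https://private\.example/"
STRICT_SUB = r"^https://([^\[@/:]+\.)?private\.example/"

URLS = [
    "https://private.example/model.safetensors",         # intended host (constructed)
    "https://models.private.example/model.safetensors",  # intended subdomain (constructed)
    "https://malicious.example/private.example/theft.safetensors",  # from the issue
    "https://private.example.malicious.example/theft.safetensors",  # from the issue
]


def regex_sends_token(pattern: str, url: str) -> bool:
    """True if the token would be attached under an unanchored regex search
    (assumed matching behaviour; hypothetical helper)."""
    return re.search(pattern, url) is not None


def host_sends_token(allowed_host: str, url: str) -> bool:
    """The issue's alternative: exact equality on the parsed hostname, https only."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname == allowed_host


def audit() -> dict:
    """Map each sample URL to the decision every matcher would make."""
    return {
        url: {
            "loose": regex_sends_token(LOOSE, url),
            "strict": regex_sends_token(STRICT, url),
            "strict_sub": regex_sends_token(STRICT_SUB, url),
            "host_eq": host_sends_token("private.example", url),
        }
        for url in URLS
    }


if __name__ == "__main__":
    for url, decisions in audit().items():
        sent_by = [name for name, sent in decisions.items() if sent]
        print(f"{url}\n    token sent by: {', '.join(sent_by) or 'none'}")
```

A check like `audit()` can be run against the patterns in an existing configuration to find entries that match a URL whose parsed hostname is not the intended one.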