feat: add form data and file upload support (#21)

* feat: add form urlencoded support and fix SSE/race issues

- Add application/x-www-form-urlencoded content type support
- Parse and display form data in table format (CLI and WebUI)
- Multiple values for same key shown comma-separated
- URL-encoded characters automatically decoded
- Fix data race in run.go (stopErr variable)
- Fix SSE connection initialization (send connected comment)
- Fix SSE event ordering in WebUI (load after connect)
- Update header padding alignment in WebUI
- Update tests for SSE changes (io.Pipe unbuffered reads)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* chore: update linter config and pre-commit hooks

- Switch pre-commit-golang repo to TekWizely/pre-commit-golang
- Use golangci-lint-mod for full module linting
- Update golangci.yml errcheck exclusions for fmt.Fprint

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat: add multipart/form-data support with image preview

- add multipart/form-data content type support for file uploads
- display file metadata (filename, size, content-type) in terminal
- show content for small text files (under 1KB)
- sanitize binary content in raw HTTP output ([binary data: X KB])
- add image preview in web dashboard for uploaded images
- store file attachments with base64-encoded data for WebUI
- add comprehensive tests for multipart handling

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* test: add more multipart tests for better coverage

- add tests for PNG, JPEG, GIF image uploads
- add test for mixed files and fields with binary detection
- improve coverage for image content type detection
- improve coverage for binary data sanitization

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: address codex review suggestions

- Load initial requests on page load instead of only on SSE open
- Add fallback to load requests on SSE error
- Cap image preview base64 encoding to 5MB max to prevent memory issues

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs: clarify that URL path doesn't matter

Add a note explaining that the server captures all incoming requests
regardless of the URL path. The paths in examples are for illustration only.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* ci: add workflow_dispatch trigger for manual runs

Allows manually triggering the test workflow from GitHub Actions UI
or via gh CLI.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* perf: stream multipart parts instead of reading all into memory

- Only buffer what's needed for preview (1KB for text, 5MB for images)
- Discard remaining bytes while counting total size
- Prevents OOM on large file uploads

Addresses Codex review feedback.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: prevent race condition between initial load and SSE

- Load initial requests BEFORE connecting SSE
- Remove redundant load from onopen to avoid overwriting SSE data
- Track initialLoadDone to only fallback-load once on SSE failure

Prevents requests arriving via SSE from being silently dropped
when loadInitialRequests() overwrites the array.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* security: sanitize image content-type to prevent XSS

Add whitelist of safe image MIME types (png, jpeg, gif, webp, bmp, x-icon).
Content-Type header is attacker-controlled and was interpolated directly
into data URL, allowing XSS via headers like:
  Content-Type: image/png" onerror="alert(1)

Now only whitelisted types are used; others fall back to application/octet-stream.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: preserve raw body when saving raw HTTP requests

Terminal output gets sanitized body (no binary garbage).
Raw file gets unsanitized body for faithful capture and replay with nc.

Previously both outputs received sanitized body, corrupting saved files
and breaking the documented `nc localhost 9002 < file.raw` workflow.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: vigo

.github/workflows/test.yml

@@ -1,6 +1,7 @@
 name: Test go code
 
 on:
+  workflow_dispatch:
   pull_request:
     paths:
       - '**.go'

.golangci.yml

@@ -36,6 +36,7 @@ linters:
       exclude-functions:
         - fmt.Fprintln
         - fmt.Fprintf
+        - fmt.Fprint
     wrapcheck:
       ignore-package-globs:
         - encoding/*

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
-  - repo: https://github.com/dnephin/pre-commit-golang
-    rev: v0.5.1
+  - repo: https://github.com/TekWizely/pre-commit-golang
+    rev: v1.0.0-rc.1
     hooks:
-      - id: golangci-lint
+      - id: golangci-lint-mod
       - id: go-mod-tidy

README.md

@@ -60,6 +60,12 @@ Start the server;
 basichttpdebugger                   # listens at :9002
 ```
 
+> **Note:** The URL path doesn't matter. The server captures **all** incoming
+> requests regardless of the path. `http://localhost:9002/`,
+> `http://localhost:9002/webhook`, `http://localhost:9002/api/v1/users` - they
+> all work the same way. The paths used in examples below (`/login`, `/upload`,
+> etc.) are just for illustration purposes.
+
 Listen different port:
 
 ```bash
@@ -368,8 +374,8 @@ Here is how it looks, a GitHub webhook (trimmed, masked due to it’s huge/priva
     {"action":"created","issue":{"url": ...} ... }
     ----------------------------------------------------------------------------------------------------
 
-If you are checking secret token/secret token header (`test`, `X-Gitlab-Token`), 
-you’ll see something like this in Payload section:
+If you are checking secret token/secret token header (`test`, `X-Gitlab-Token`),
+you'll see something like this in Payload section:
 
     +-----------------------------------+-----------------------------+
     | Payload                                                         |                                                                                                                                    |
@@ -381,6 +387,133 @@ you’ll see something like this in Payload section:
 
 ---
 
+## Form Data Support
+
+The debugger supports `application/x-www-form-urlencoded` content type. Form
+data is parsed and displayed in a table format:
+
+```bash
+curl -X POST http://localhost:9002/login \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -d "username=john&password=secret123&remember=true"
+```
+
+Output:
+
+    +-----------------------------------------------------+
+    | Payload                                             |
+    +--------------+--------------------------------------+
+    | Incoming     | application/x-www-form-urlencoded    |
+    +--------------+--------------------------------------+
+    | Form Data                                           |
+    +--------------+--------------------------------------+
+    | password     | secret123                            |
+    | remember     | true                                 |
+    | username     | john                                 |
+    +--------------+--------------------------------------+
+
+Form fields are sorted alphabetically. Multiple values for the same key are
+displayed comma-separated:
+
+```bash
+curl -X POST http://localhost:9002/colors \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -d "color=red&color=green&color=blue"
+```
+
+Output:
+
+    +--------------+--------------------------------------+
+    | Form Data                                           |
+    +--------------+--------------------------------------+
+    | color        | red, green, blue                     |
+    +--------------+--------------------------------------+
+
+URL-encoded special characters are automatically decoded:
+
+```bash
+curl -X POST http://localhost:9002/search \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -d "email=user%40example.com&query=hello+world"
+```
+
+Output:
+
+    +--------------+--------------------------------------+
+    | Form Data                                           |
+    +--------------+--------------------------------------+
+    | email        | user@example.com                     |
+    | query        | hello world                          |
+    +--------------+--------------------------------------+
+
+---
+
+## File Upload Support
+
+The debugger supports `multipart/form-data` content type for file uploads.
+Both form fields and files are parsed and displayed:
+
+```bash
+curl -X POST http://localhost:9002/upload \
+  -F "username=vigo" \
+  -F "description=Test upload" \
+  -F "config=@config.json"
+```
+
+Output:
+
+    +-----------------------------------------------------+
+    | Payload                                             |
+    +--------------+--------------------------------------+
+    | Incoming     | multipart/form-data; boundary=...    |
+    +--------------+--------------------------------------+
+    | Form Data                                           |
+    +--------------+--------------------------------------+
+    | description  | Test upload                          |
+    | username     | vigo                                 |
+    +--------------+--------------------------------------+
+    | Files                                               |
+    +--------------+--------------------------------------+
+    | config.json | 18 B | application/json               |
+    | {"theme": "dark"}                                   |
+    +-----------------------------------------------------+
+
+File metadata is displayed for all uploaded files:
+
+```bash
+curl -X POST http://localhost:9002/upload \
+  -F "avatar=@photo.png"
+```
+
+Output:
+
+    +-----------------------------------------------------+
+    | Files                                               |
+    +-----------------------------------------------------+
+    | photo.png | 2.5 KB | application/octet-stream       |
+    +-----------------------------------------------------+
+
+For small text files (under 1KB), the content is displayed. For larger files
+or binary files, only metadata (filename, size, content-type) is shown.
+
+**Image Preview in Web Dashboard:** When you upload image files (JPEG, PNG, GIF,
+etc.), the web dashboard displays a preview of the image alongside the file
+metadata.
+
+Multiple files can be uploaded at once:
+
+```bash
+curl -X POST http://localhost:9002/upload \
+  -F "file1=@readme.txt" \
+  -F "file2=@data.json" \
+  -F "image=@logo.png"
+```
+
+Form fields and files are displayed in separate sections, both in the terminal
+and in the web dashboard.
+
+---
+
 ## Docker
 
 For local docker usage, default expose port is: `9002` (debug) and `9003` (web dashboard).
@@ -450,6 +583,19 @@ rake test               # run test
 
 ## Change Log
 
+**2026-01-23**
+
+- add `application/x-www-form-urlencoded` content type support
+- add `multipart/form-data` content type support for file uploads
+- form data is parsed and displayed in table format
+- file uploads show metadata (filename, size, content-type)
+- small text files (under 1KB) display content inline
+- multiple values for the same key are comma-separated
+- URL-encoded characters are automatically decoded
+- web dashboard supports form data and file upload display
+- web dashboard shows image preview for uploaded images (JPEG, PNG, GIF, etc.)
+- binary file content is sanitized in terminal output (`[binary data: X KB]`)
+
 **2025-01-23**
 
 - add web dashboard for real-time request monitoring (similar to ngrok)
@@ -489,8 +635,7 @@ rake test               # run test
 
 ## TODO
 
-- Add http form requests support
-- Add http file upload requests support
+- Add brew tap installation support
 
 ---