diff --git a/package-lock.json b/package-lock.json index 875aba1b..32582d06 100644 Binary files a/package-lock.json and b/package-lock.json differ diff --git a/package.json b/package.json index ac42c767..7f466e44 100644 --- a/package.json +++ b/package.json @@ -117,6 +117,7 @@ }, "optionalDependencies": { "erlpack": "^0.1.4", + "jimp": "^0.22.12", "mysql": "^2.18.1", "nodemailer-mailgun-transport": "^2.1.5", "nodemailer-mailjet-transport": "github:n0script22/nodemailer-mailjet-transport", diff --git a/src/api/Server.ts b/src/api/Server.ts index 472ab1d6..0f5df490 100644 --- a/src/api/Server.ts +++ b/src/api/Server.ts @@ -34,7 +34,7 @@ import "missing-native-js-functions"; import morgan from "morgan"; import path from "path"; import { red } from "picocolors"; -import { Authentication, CORS } from "./middlewares/"; +import { Authentication, CORS, ImageProxy } from "./middlewares/"; import { BodyParser } from "./middlewares/BodyParser"; import { ErrorHandler } from "./middlewares/ErrorHandler"; import { initRateLimits } from "./middlewares/RateLimit"; @@ -137,6 +137,8 @@ export class SpacebarServer extends Server { app.use("/api/v9", api); app.use("/api", api); // allow unversioned requests + app.use("/imageproxy/:hash/:size/:url", ImageProxy); + app.get("/", (req, res) => res.sendFile(path.join(PUBLIC_ASSETS_FOLDER, "index.html")), ); diff --git a/src/api/middlewares/ImageProxy.ts b/src/api/middlewares/ImageProxy.ts new file mode 100644 index 00000000..2fa97660 --- /dev/null +++ b/src/api/middlewares/ImageProxy.ts @@ -0,0 +1,143 @@ +/* + Spacebar: A FOSS re-implementation and extension of the Discord.com backend. + Copyright (C) 2023 Spacebar and Spacebar Contributors + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +import { Config } from "@spacebar/util"; +import { Request, Response } from "express"; +import { yellow } from "picocolors"; +import crypto from "crypto"; +import fetch from "node-fetch"; + +let sharp: undefined | false | { default: typeof import("sharp") } = undefined; +let Jimp: undefined | false | typeof import("jimp") = undefined; + +const sharpSupported = new Set([ + "image/jpeg", + "image/png", + "image/bmp", + "image/tiff", + "image/gif", + "image/webp", + "image/avif", + "image/svg+xml", +]); +const jimpSupported = new Set([ + "image/jpeg", + "image/png", + "image/bmp", + "image/tiff", + "image/gif", +]); +const resizeSupported = new Set([...sharpSupported, ...jimpSupported]); + +export async function ImageProxy(req: Request, res: Response) { + const path = req.originalUrl.split("/").slice(2); + + const secret = Config.get().security.requestSignature; + + // src/api/util/utility/EmbedHandlers.ts getProxyUrl + const hash = crypto + .createHmac("sha1", secret) + .update(path.slice(1).join("/")) + .digest("base64") + .replace(/\+/g, "-") + .replace(/\//g, "_"); + + try { + if (!crypto.timingSafeEqual(Buffer.from(hash), Buffer.from(path[0]))) throw new Error("Invalid signature"); + } catch { + console.log("Invalid signature, expected " + hash + " got " + path[0]); + res.status(403).send("Invalid signature"); + return; + } + + const abort = new AbortController(); + setTimeout(() => abort.abort(), 5000); + + const request = await fetch(path.slice(2).join("/"), { + headers: { + "User-Agent": "SpacebarImageProxy/1.0.0 (https://spacebar.chat)", + }, + signal: abort.signal, + }).catch((e) => { + if (e.name === "AbortError") res.status(504).send("Request timed out"); + else res.status(500).send("Unable to proxy origin: " + e.message); + }); + if (!request) return; + + if (request.status !== 200) { + res.status(request.status).send("Origin failed to respond: " + request.status + " " + request.statusText); + return; + } + + if (!request.headers.get("Content-Type") || !request.headers.get("Content-Length")) { + res.status(500).send("Origin did not provide a Content-Type or Content-Length header"); + return; + } + + // @ts-expect-error TS doesn't believe that the header cannot be null (it's checked for falsiness above) + if (parseInt(request.headers.get("Content-Length")) > 1024 * 1024 * 10) { + res.status(500).send("Origin provided a Content-Length header that is too large"); + return; + } + + // @ts-expect-error TS doesn't believe that the header cannot be null (it's checked for falsiness above) + let contentType: string = request.headers.get("Content-Type"); + + const arrayBuffer = await request.arrayBuffer(); + let resultBuffer = Buffer.from(arrayBuffer); + + if (/^\d+x\d+$/.test(path[1]) && resizeSupported.has(contentType)) { + if (sharp !== false) { + try { + sharp = await import("sharp"); + } catch (e) { + sharp = false; + } + } + if (sharp === false && Jimp !== false) { + try { + // @ts-expect-error Typings don't fit + Jimp = await import("jimp"); + } catch { + Jimp = false; + console.log(`[ImageProxy] ${yellow("Neither \"sharp\" or \"jimp\" NPM packages are installed, image resizing will be disabled")}`); + } + } + + const [width, height] = path[1].split("x").map((x) => parseInt(x)); + + const buffer = Buffer.from(arrayBuffer); + if (sharp && sharpSupported.has(contentType)) { + resultBuffer = await sharp.default(buffer) + // Sharp doesn't support "scaleToFit" + .resize(width) + .toBuffer(); + } else if (Jimp && jimpSupported.has(contentType)) { + resultBuffer = await Jimp.read(buffer).then((image) => { + contentType = image.getMIME(); + // @ts-expect-error Jimp is defined at this point + return image.scaleToFit(width, height).getBufferAsync(Jimp.AUTO); + }); + } + } + + res.header("Content-Type", contentType); + res.setHeader("Cache-Control", "public, max-age=" + (1000 * 60 * 60 * 24)); + + res.send(resultBuffer); +} diff --git a/src/api/middlewares/index.ts b/src/api/middlewares/index.ts index 6384e1aa..9fd617f6 100644 --- a/src/api/middlewares/index.ts +++ b/src/api/middlewares/index.ts @@ -21,3 +21,4 @@ export * from "./BodyParser"; export * from "./CORS"; export * from "./ErrorHandler"; export * from "./RateLimit"; +export * from "./ImageProxy";