00643c778e
- SSRF: block private/internal URLs in image cache fetch - SSRF: block private/internal URLs in RSS feed fetch (scheme guard) - SSRF: block private/internal URLs in CalDAV URL setting - Auth: require login for GET /api/images/<id> (was unauthenticated) - Auth: restrict Ollama model pull/delete to admin users only - Info disclosure: remove email from /api/users/search response - OAuth: skip email-based account linking when email_verified is false - Config: raise hard error on default SECRET_KEY when SECURE_COOKIES=true - Rate limit: document proxy header requirement; add startup warning - XSS: remove src/alt from global DOMPurify ADD_ATTR allowlist Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
33 lines
966 B
Python
33 lines
966 B
Python
"""Serve locally-cached images."""
|
|
|
|
import logging
|
|
|
|
from quart import Blueprint, jsonify, send_file
|
|
|
|
from fabledassistant.auth import login_required
|
|
from fabledassistant.services.images import get_image_path, get_image_record
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
images_bp = Blueprint("images", __name__, url_prefix="/api/images")
|
|
|
|
|
|
@images_bp.route("/<int:image_id>", methods=["GET"])
|
|
@login_required
|
|
async def serve_image(image_id: int):
|
|
"""Serve a locally-cached image by its DB ID."""
|
|
record = await get_image_record(image_id)
|
|
if record is None:
|
|
return jsonify({"error": "Image not found"}), 404
|
|
|
|
file_path = get_image_path(record)
|
|
if not file_path.exists():
|
|
logger.warning("Image file missing on disk for id=%d (%s)", image_id, file_path)
|
|
return jsonify({"error": "Image file not found"}), 404
|
|
|
|
return await send_file(
|
|
file_path,
|
|
mimetype=record.content_type,
|
|
cache_timeout=86400,
|
|
)
|