fix(media): 🐛 Don't proxy media from trusted origins, use new ProxiedUrl class

2026-03-13 05:49:16 +01:00 · 2025-03-30 23:44:50 +02:00 · 2025-03-30 23:44:50 +02:00 · dc1ddb758d
commit dc1ddb758d
parent 411fcd8af5
14 changed files with 114 additions and 140 deletions
--- a/plugins/openid/index.ts
+++ b/plugins/openid/index.ts
@ -5,7 +5,7 @@ import { getCookie } from "hono/cookie";
 import { jwtVerify } from "jose";
 import { JOSEError, JWTExpired } from "jose/errors";
 import { z } from "zod";
-import { keyPair, sensitiveString } from "~/classes/config/schema.ts";
+import { url, keyPair, sensitiveString } from "~/classes/config/schema.ts";
 import { ApiError } from "~/classes/errors/api-error.ts";
 import authorizeRoute from "./routes/authorize.ts";
 import jwksRoute from "./routes/jwks.ts";
@ -27,7 +27,7 @@ const configSchema = z.object({
                url: z.string().min(1),
                client_id: z.string().min(1),
                client_secret: sensitiveString,
-                icon: z.string().min(1).optional(),
+                icon: url.optional(),
            }),
        )
        .default([]),
--- a/plugins/openid/routes/sso/:id/index.ts
+++ b/plugins/openid/routes/sso/:id/index.ts
@ -1,5 +1,4 @@
 import { auth, handleZodError } from "@/api";
-import { proxyUrl } from "@/response";
 import { RolePermission } from "@versia/client/schemas";
 import { db } from "@versia/kit/db";
 import { type SQL, eq } from "@versia/kit/drizzle";
@ -77,9 +76,7 @@ export default (plugin: PluginType): void => {
                    {
                        id: issuer.id,
                        name: issuer.name,
-                        icon: issuer.icon
-                            ? proxyUrl(new URL(issuer.icon))
-                            : undefined,
+                        icon: issuer.icon?.proxied,
                    },
                    200,
                );