feat(api): 🔒 Make all media be proxied through an internal proxy

2026-03-13 05:49:16 +01:00 · 2024-05-04 19:13:23 -10:00 · 2024-05-04 19:13:23 -10:00 · ead34b818f
commit ead34b818f
parent 9547cd097a
8 changed files with 54 additions and 18 deletions
--- a/packages/database-interface/note.ts
+++ b/packages/database-interface/note.ts
@ -1,3 +1,4 @@
+import { sanitizedHtmlStrip } from "@sanitization";
 import {
    type InferInsertModel,
    type SQL,
@ -45,7 +46,6 @@ import { config } from "~packages/config-manager";
 import type { Attachment as APIAttachment } from "~types/mastodon/attachment";
 import type { Status as APIStatus } from "~types/mastodon/status";
 import { User } from "./user";
-import { sanitizedHtmlStrip } from "@sanitization";

 /**
 * Gives helpers to fetch notes from database in a nice format
@ -494,12 +494,7 @@ export class Note {
            sensitive: data.sensitive,
            spoiler_text: data.spoilerText,
            tags: [],
-            uri:
-                data.uri ||
-                new URL(
-                    `/@${data.author.username}/${data.id}`,
-                    config.http.base_url,
-                ).toString(),
+            uri: data.uri || this.getMastoURI(),
            visibility: data.visibility as APIStatus["visibility"],
            url: data.uri || this.getMastoURI(),
            bookmarked: false,
--- a/packages/database-interface/user.ts
+++ b/packages/database-interface/user.ts
@ -1,6 +1,7 @@
 import { idValidator } from "@api";
 import { getBestContentType, urlToContentFormat } from "@content_types";
 import { addUserToMeilisearch } from "@meilisearch";
+import { proxyUrl } from "@response";
 import { type SQL, and, desc, eq, inArray } from "drizzle-orm";
 import { htmlToText } from "html-to-text";
 import type * as Lysand from "lysand-types";
@ -367,8 +368,8 @@ export class User {
            url:
                user.uri ||
                new URL(`/@${user.username}`, config.http.base_url).toString(),
-            avatar: this.getAvatarUrl(config),
-            header: this.getHeaderUrl(config),
+            avatar: proxyUrl(this.getAvatarUrl(config)) ?? "",
+            header: proxyUrl(this.getHeaderUrl(config)) ?? "",
            locked: user.isLocked,
            created_at: new Date(user.createdAt).toISOString(),
            followers_count: user.followerCount,
@ -382,8 +383,8 @@ export class User {
            bot: user.isBot,
            source: isOwnAccount ? user.source : undefined,
            // TODO: Add static avatar and header
-            avatar_static: this.getAvatarUrl(config),
-            header_static: this.getHeaderUrl(config),
+            avatar_static: proxyUrl(this.getAvatarUrl(config)) ?? "",
+            header_static: proxyUrl(this.getHeaderUrl(config)) ?? "",
            acct: this.getAcct(),
            // TODO: Add these fields
            limited: false,