Merge pull request #11686 from nanaya/proxy-media-controller

Clean up proxy media controller
ppy · Nov 28, 2024 · b24f634 · b24f634
2 parents 10c5346 + eaf1709
commit b24f634
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 14 deletions.
diff --git a/app/Http/Controllers/BeatmapDiscussionsController.php b/app/Http/Controllers/BeatmapDiscussionsController.php
@@ -117,18 +117,6 @@ public function index()
         return ext_view('beatmap_discussions.index', compact('json', 'search', 'paginator'));
     }
 
-    public function mediaUrl()
-    {
-        $url = presence(get_string(request('url')));
-
-        if (!isset($url)) {
-            return response('Missing url parameter', 422);
-        }
-
-        // Tell browser not to request url for a while.
-        return redirect(proxy_media($url))->header('Cache-Control', 'max-age=600');
-    }
-
     public function restore($id)
     {
         $discussion = BeatmapDiscussion::whereNotNull('deleted_at')->findOrFail($id);

diff --git a/app/Http/Controllers/ProxyMediaController.php b/app/Http/Controllers/ProxyMediaController.php
@@ -0,0 +1,36 @@
+<?php
+
+// Copyright (c) ppy Pty Ltd <[email protected]>. Licensed under the GNU Affero General Public License v3.0.
+// See the LICENCE file in the repository root for full licence text.
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers;
+
+class ProxyMediaController extends Controller
+{
+    private static function fromNonBrowser(): bool
+    {
+        $headers = \Request::instance()->headers;
+
+        return $headers->get('origin') === null
+            && $headers->get('referer') === null
+            && $headers->get('sec-fetch-site') === null;
+    }
+
+    public function __invoke()
+    {
+        if (!static::fromNonBrowser() && !from_app_url()) {
+            return response('Forbidden', 403);
+        }
+
+        $url = presence(get_string(\Request::input('url')));
+
+        if (!isset($url)) {
+            return response('Missing url parameter', 422);
+        }
+
+        // Tell browser to cache redirect url for a while.
+        return redirect(proxy_media($url))->header('Cache-Control', 'max-age=86400');
+    }
+}
diff --git a/resources/js/beatmap-discussions/image-link.tsx b/resources/js/beatmap-discussions/image-link.tsx
@@ -24,7 +24,7 @@ export default class ImageLink extends React.Component<Props> {
   render() {
     if (this.props.src == null) return null;
 
-    const src = route('beatmapsets.discussions.media-url', { url: this.props.src });
+    const src = route('media-url', { url: this.props.src });
     const content = (
       <>
         {!this.loaded && this.renderSpinner()}

diff --git a/routes/web.php b/routes/web.php
@@ -6,7 +6,7 @@
 use App\Http\Middleware\ThrottleRequests;
 
 Route::get('wiki/images/{path}', 'WikiController@image')->name('wiki.image')->where('path', '.+');
-Route::get('beatmapsets/discussions/media-url', 'BeatmapDiscussionsController@mediaUrl')->name('beatmapsets.discussions.media-url');
+Route::get('media-url', 'ProxyMediaController')->name('media-url');
 
 Route::group(['middleware' => ['web']], function () {
     Route::group(['as' => 'admin.', 'prefix' => 'admin', 'namespace' => 'Admin'], function () {