🔒 feat: Authenticated Image Requests (#2389)

* 🔒 feat: Authenticated Image Requests

* fix: reserved keyword `static`

api/server/middleware/index.js

@@ -14,6 +14,7 @@ const concurrentLimiter = require('./concurrentLimiter');
 const validateMessageReq = require('./validateMessageReq');
 const buildEndpointOption = require('./buildEndpointOption');
 const validateRegistration = require('./validateRegistration');
+const validateImageRequest = require('./validateImageRequest');
 const moderateText = require('./moderateText');
 const noIndex = require('./noIndex');
 
@@ -33,6 +34,7 @@ module.exports = {
   validateMessageReq,
   buildEndpointOption,
   validateRegistration,
+  validateImageRequest,
   validateModel,
   moderateText,
   noIndex,

api/server/middleware/validateImageRequest.js

@@ -0,0 +1,37 @@
+const cookies = require('cookie');
+const jwt = require('jsonwebtoken');
+const { logger } = require('~/config');
+
+/**
+ * Middleware to validate image request
+ */
+function validateImageRequest(req, res, next) {
+  const refreshToken = req.headers.cookie ? cookies.parse(req.headers.cookie).refreshToken : null;
+  if (!refreshToken) {
+    logger.warn('[validateImageRequest] Refresh token not provided');
+    return res.status(401).send('Unauthorized');
+  }
+
+  let payload;
+  try {
+    payload = jwt.verify(refreshToken, process.env.JWT_REFRESH_SECRET);
+  } catch (err) {
+    logger.warn('[validateImageRequest]', err);
+    return res.status(403).send('Access Denied');
+  }
+
+  const currentTimeInSeconds = Math.floor(Date.now() / 1000);
+  if (payload.exp < currentTimeInSeconds) {
+    logger.warn('[validateImageRequest] Refresh token expired');
+    return res.status(403).send('Access Denied');
+  }
+
+  if (req.path.includes(payload.id)) {
+    logger.debug('[validateImageRequest] Image request validated');
+    next();
+  } else {
+    res.status(403).send('Access Denied');
+  }
+}
+
+module.exports = validateImageRequest;