discourse/app/controllers/user_avatars_controller.rb

require_dependency 'letter_avatar'

class UserAvatarsController < ApplicationController

  skip_before_action :preload_json, :redirect_to_login_if_required, :check_xhr, :verify_authenticity_token, only: [:show, :show_letter, :show_proxy_letter]

  def refresh_gravatar
    user = User.find_by(username_lower: params[:username].downcase)
    guardian.ensure_can_edit!(user)

    if user
      hijack do
        user.create_user_avatar(user_id: user.id) unless user.user_avatar
        user.user_avatar.update_gravatar!

        gravatar = if user.user_avatar.gravatar_upload_id
          {
            gravatar_upload_id: user.user_avatar.gravatar_upload_id,
            gravatar_avatar_template: User.avatar_template(user.username, user.user_avatar.gravatar_upload_id)
          }
        else
          {
            gravatar_upload_id: nil,
            gravatar_avatar_template: nil
          }
        end

        render json: gravatar
      end
    else
      raise Discourse::NotFound
    end
  end

  def show_proxy_letter
    is_asset_path

    if SiteSetting.external_system_avatars_url !~ /^\/letter(_avatar)?_proxy/
      raise Discourse::NotFound
    end

    params.require(:letter)
    params.require(:color)
    params.require(:version)
    params.require(:size)
    hijack do
      proxy_avatar("https://avatars.discourse.org/#{params[:version]}/letter/#{params[:letter]}/#{params[:color]}/#{params[:size]}.png", Time.new('1990-01-01'))
    end
  end

  def show_letter
    is_asset_path

    params.require(:username)
    params.require(:version)
    params.require(:size)

    no_cookies

    return render_blank if params[:version] != LetterAvatar.version

    hijack do
      image = LetterAvatar.generate(params[:username].to_s, params[:size].to_i)

      response.headers["Last-Modified"] = File.ctime(image).httpdate
      response.headers["Content-Length"] = File.size(image).to_s
      immutable_for(1.year)
      send_file image, disposition: nil
    end
  end

  def show
    is_asset_path

    # we need multisite support to keep a single origin pull for CDNs
    RailsMultisite::ConnectionManagement.with_hostname(params[:hostname]) do
      hijack do
        show_in_site(params[:hostname])
      end
    end
  end

  protected

  def show_in_site(hostname)

    username = params[:username].to_s
    return render_blank unless user = User.find_by(username_lower: username.downcase)

    upload_id, version = params[:version].split("_")

    version = (version || OptimizedImage::VERSION).to_i

    # old versions simply get new avatar
    if version > OptimizedImage::VERSION
      return render_blank
    end

    upload_id = upload_id.to_i
    return render_blank unless upload_id > 0

    size = params[:size].to_i
    return render_blank if size < 8 || size > 1000

    if !Discourse.avatar_sizes.include?(size) && Discourse.store.external?
      closest = Discourse.avatar_sizes.to_a.min { |a, b| (size - a).abs <=> (size - b).abs }
      avatar_url = UserAvatar.local_avatar_url(hostname, user.username_lower, upload_id, closest)
      return redirect_to cdn_path(avatar_url)
    end

    upload = Upload.find_by(id: upload_id) if user&.user_avatar&.contains_upload?(upload_id)
    upload ||= user.uploaded_avatar if user.uploaded_avatar_id == upload_id

    if user.uploaded_avatar && !upload
      avatar_url = UserAvatar.local_avatar_url(hostname, user.username_lower, user.uploaded_avatar_id, size)
      return redirect_to cdn_path(avatar_url)
    elsif upload && optimized = get_optimized_image(upload, size)
      if optimized.local?
        optimized_path = Discourse.store.path_for(optimized)
        image = optimized_path if File.exists?(optimized_path)
      else
        return proxy_avatar(Discourse.store.cdn_url(optimized.url), upload.created_at)
      end
    end

    if image
      response.headers["Last-Modified"] = File.ctime(image).httpdate
      response.headers["Content-Length"] = File.size(image).to_s
      immutable_for 1.year
      send_file image, disposition: nil
    else
      render_blank
    end
  rescue OpenURI::HTTPError
    render_blank
  end

  PROXY_PATH = Rails.root + "tmp/avatar_proxy"
  def proxy_avatar(url, last_modified)

    if url[0..1] == "//"
      url = (SiteSetting.force_https ? "https:" : "http:") + url
    end

    sha = Digest::SHA1.hexdigest(url)
    filename = "#{sha}#{File.extname(url)}"
    path = "#{PROXY_PATH}/#{filename}"

    unless File.exist? path
      FileUtils.mkdir_p PROXY_PATH
      tmp = FileHelper.download(
        url,
        max_file_size: 1.megabyte,
        tmp_file_name: filename,
        follow_redirect: true,
        read_timeout: 10
      )
      FileUtils.mv tmp.path, path
    end

    response.headers["Last-Modified"] = last_modified.httpdate
    response.headers["Content-Length"] = File.size(path).to_s
    immutable_for(1.year)
    send_file path, disposition: nil
  end

  # this protects us from a DoS
  def render_blank
    path = Rails.root + "public/images/avatar.png"
    expires_in 10.minutes, public: true
    response.headers["Last-Modified"] = Time.new('1990-01-01').httpdate
    response.headers["Content-Length"] = File.size(path).to_s
    send_file path, disposition: nil
  end

  protected

  # consider removal of hacks some time in 2019

  def get_optimized_image(upload, size)
    return if !upload
    return upload if upload.extension == "svg"

    upload.get_optimized_image(size, size, allow_animation: SiteSetting.allow_animated_avatars)
    # TODO decide if we want to detach here
  end

end
Work in progress, keeping avatars locally This introduces a new model to store the avatars and 3 uploads per user (gravatar, system and custom) user can then pick which they want. 2014-05-22 03:37:02 -04:00			`require_dependency 'letter_avatar'`

Fix specs for avatars Implement avatar picker Correct avatar related jobs 2014-05-26 05:46:43 -04:00			`class UserAvatarsController < ApplicationController`
Add DoS protection to action 2014-05-27 08:29:27 -04:00
Fix all the errors to get our tests green on Rails 5.1. 2017-08-31 00:06:56 -04:00			`skip_before_action :preload_json, :redirect_to_login_if_required, :check_xhr, :verify_authenticity_token, only: [:show, :show_letter, :show_proxy_letter]`
Fix specs for avatars Implement avatar picker Correct avatar related jobs 2014-05-26 05:46:43 -04:00
			`def refresh_gravatar`
			`user = User.find_by(username_lower: params[:username].downcase)`
			`guardian.ensure_can_edit!(user)`

			`if user`
FEATURE: avatar proxy happens in background This ensures that even if it is slow to download avatars site will continue to work Also simplifies hijack pattern 2017-11-27 01:43:24 -05:00			`hijack do`
			`user.create_user_avatar(user_id: user.id) unless user.user_avatar`
			`user.user_avatar.update_gravatar!`

UX: show error message when no gravatar is associated 2017-11-29 12:09:44 -05:00			`gravatar = if user.user_avatar.gravatar_upload_id`
			`{`
			`gravatar_upload_id: user.user_avatar.gravatar_upload_id,`
			`gravatar_avatar_template: User.avatar_template(user.username, user.user_avatar.gravatar_upload_id)`
			`}`
			`else`
			`{`
			`gravatar_upload_id: nil,`
			`gravatar_avatar_template: nil`
			`}`
			`end`

			`render json: gravatar`
FEATURE: avatar proxy happens in background This ensures that even if it is slow to download avatars site will continue to work Also simplifies hijack pattern 2017-11-27 01:43:24 -05:00			`end`
Fix specs for avatars Implement avatar picker Correct avatar related jobs 2014-05-26 05:46:43 -04:00			`else`
			`raise Discourse::NotFound`
			`end`
			`end`

FIX: show letter avatars even if NGINX is not running in Dev mode 2015-11-24 22:42:46 -05:00			`def show_proxy_letter`
FEATURE: limit assets less that non asset paths By default assets can be requested up to 200 times per 10 seconds from the app, this includes CSS and avatars 2018-03-05 23:20:39 -05:00			`is_asset_path`

REFACTOR: Proxy letter avatars in rails instead of nginx Co-authored-by: Sam Saffron <sam.saffron@gmail.com> Co-authored-by: David Taylor <david@taylorhq.com> This gives more control over the request. In particular we can easily lookup DNS dynamically, instead of only upon NGINX startup. Previously, NGINX was looking up IP for the letter avatar service and caching the CDN IP address, this caused issues if CDN changed IP, in which letter avatars would be broken till a container restarted. NGINX config has been updated to add caching. This change will require a container rebuild. The proxy will now function in development environments, so the patch for `letter_avatar_proxy` has been removed. 2019-02-15 12:45:09 -05:00			`if SiteSetting.external_system_avatars_url !~ /^\/letter(_avatar)?_proxy/`
SECURITY: limit route access when using external avatars 2016-07-27 18:59:58 -04:00			`raise Discourse::NotFound`
			`end`

FIX: show letter avatars even if NGINX is not running in Dev mode 2015-11-24 22:42:46 -05:00			`params.require(:letter)`
			`params.require(:color)`
			`params.require(:version)`
			`params.require(:size)`
FEATURE: avatar proxy happens in background This ensures that even if it is slow to download avatars site will continue to work Also simplifies hijack pattern 2017-11-27 01:43:24 -05:00			`hijack do`
REFACTOR: Proxy letter avatars in rails instead of nginx Co-authored-by: Sam Saffron <sam.saffron@gmail.com> Co-authored-by: David Taylor <david@taylorhq.com> This gives more control over the request. In particular we can easily lookup DNS dynamically, instead of only upon NGINX startup. Previously, NGINX was looking up IP for the letter avatar service and caching the CDN IP address, this caused issues if CDN changed IP, in which letter avatars would be broken till a container restarted. NGINX config has been updated to add caching. This change will require a container rebuild. The proxy will now function in development environments, so the patch for `letter_avatar_proxy` has been removed. 2019-02-15 12:45:09 -05:00			`proxy_avatar("https://avatars.discourse.org/#{params[:version]}/letter/#{params[:letter]}/#{params[:color]}/#{params[:size]}.png", Time.new('1990-01-01'))`
FEATURE: avatar proxy happens in background This ensures that even if it is slow to download avatars site will continue to work Also simplifies hijack pattern 2017-11-27 01:43:24 -05:00			`end`
FIX: show letter avatars even if NGINX is not running in Dev mode 2015-11-24 22:42:46 -05:00			`end`

Move letter avatars out of upload system FIX: S3 issues around system avatars FIX: reduced backup file size 2014-05-30 00:17:35 -04:00			`def show_letter`
FEATURE: limit assets less that non asset paths By default assets can be requested up to 200 times per 10 seconds from the app, this includes CSS and avatars 2018-03-05 23:20:39 -05:00			`is_asset_path`

Move letter avatars out of upload system FIX: S3 issues around system avatars FIX: reduced backup file size 2014-05-30 00:17:35 -04:00			`params.require(:username)`
			`params.require(:version)`
			`params.require(:size)`

PERF: avoid cookies for all static, public, cached forever assets 2015-05-22 02:15:46 -04:00			`no_cookies`

Use a real placeholder avatar for all bad avatar links 2015-12-15 22:02:09 -05:00			`return render_blank if params[:version] != LetterAvatar.version`
Move letter avatars out of upload system FIX: S3 issues around system avatars FIX: reduced backup file size 2014-05-30 00:17:35 -04:00
FEATURE: avatar proxy happens in background This ensures that even if it is slow to download avatars site will continue to work Also simplifies hijack pattern 2017-11-27 01:43:24 -05:00			`hijack do`
			`image = LetterAvatar.generate(params[:username].to_s, params[:size].to_i)`
FIX: add 'Content-Length' header for avatars 2014-10-22 09:39:51 -04:00
FEATURE: avatar proxy happens in background This ensures that even if it is slow to download avatars site will continue to work Also simplifies hijack pattern 2017-11-27 01:43:24 -05:00			`response.headers["Last-Modified"] = File.ctime(image).httpdate`
			`response.headers["Content-Length"] = File.size(image).to_s`
			`immutable_for(1.year)`
			`send_file image, disposition: nil`
			`end`
Move letter avatars out of upload system FIX: S3 issues around system avatars FIX: reduced backup file size 2014-05-30 00:17:35 -04:00			`end`

Work in progress, keeping avatars locally This introduces a new model to store the avatars and 3 uploads per user (gravatar, system and custom) user can then pick which they want. 2014-05-22 03:37:02 -04:00			`def show`
FEATURE: limit assets less that non asset paths By default assets can be requested up to 200 times per 10 seconds from the app, this includes CSS and avatars 2018-03-05 23:20:39 -05:00			`is_asset_path`

BUGFIX: proper multisite support for origin pull CDNs 2014-05-27 09:13:42 -04:00			`# we need multisite support to keep a single origin pull for CDNs`
			`RailsMultisite::ConnectionManagement.with_hostname(params[:hostname]) do`
FEATURE: avatar proxy happens in background This ensures that even if it is slow to download avatars site will continue to work Also simplifies hijack pattern 2017-11-27 01:43:24 -05:00			`hijack do`
			`show_in_site(params[:hostname])`
			`end`
BUGFIX: proper multisite support for origin pull CDNs 2014-05-27 09:13:42 -04:00			`end`
			`end`

			`protected`

BUGFIX: fix redirect, correct multisite 2014-05-27 10:15:09 -04:00			`def show_in_site(hostname)`
PERF: proxy avatars locally when stored on s3 this avoids a nasty redirect 2015-12-15 21:18:12 -05:00
Work in progress, keeping avatars locally This introduces a new model to store the avatars and 3 uploads per user (gravatar, system and custom) user can then pick which they want. 2014-05-22 03:37:02 -04:00			`username = params[:username].to_s`
Use a real placeholder avatar for all bad avatar links 2015-12-15 22:02:09 -05:00			`return render_blank unless user = User.find_by(username_lower: username.downcase)`
Work in progress, keeping avatars locally This introduces a new model to store the avatars and 3 uploads per user (gravatar, system and custom) user can then pick which they want. 2014-05-22 03:37:02 -04:00
FIX: don't break user avatars route 2015-05-29 13:19:41 -04:00			`upload_id, version = params[:version].split("_")`

			`version = (version \|\| OptimizedImage::VERSION).to_i`
FIX: always serve new avatar for previous version Previously we killed caching on old avatars cause we kept serving blank this meant we would front many more avatar requests after a version change This change ensures all old avatars do not cause a flood of requests on the server 2019-01-08 03:51:33 -05:00
			`# old versions simply get new avatar`
			`if version > OptimizedImage::VERSION`
			`return render_blank`
			`end`
FIX: don't break user avatars route 2015-05-29 13:19:41 -04:00
			`upload_id = upload_id.to_i`
UX: preloaded gravatar was appearing on the right instead of the left 2017-11-29 06:04:35 -05:00			`return render_blank unless upload_id > 0`
Work in progress, keeping avatars locally This introduces a new model to store the avatars and 3 uploads per user (gravatar, system and custom) user can then pick which they want. 2014-05-22 03:37:02 -04:00
FIX: crop avatars on the server instead of the client FIX: support for dots in S3 bucket names 2015-05-26 09:54:25 -04:00			`size = params[:size].to_i`
allow avatars up to 1000px 2016-07-05 12:49:33 -04:00			`return render_blank if size < 8 \|\| size > 1000`
FIX: allow handling for avatars that are not in the set of "resized sizes" 2015-05-26 01:41:50 -04:00
			`if !Discourse.avatar_sizes.include?(size) && Discourse.store.external?`
Add rubocop to our build. (#5004) 2017-07-27 21:20:09 -04:00			`closest = Discourse.avatar_sizes.to_a.min { \|a, b\| (size - a).abs <=> (size - b).abs }`
FIX: don't break user avatars route 2015-05-29 13:19:41 -04:00			`avatar_url = UserAvatar.local_avatar_url(hostname, user.username_lower, upload_id, closest)`
user avatar urls/templates refactor 2015-05-29 12:51:17 -04:00			`return redirect_to cdn_path(avatar_url)`
FIX: allow handling for avatars that are not in the set of "resized sizes" 2015-05-26 01:41:50 -04:00			`end`

FIX: `User#user_avatar` may be nil. 2017-12-14 00:20:58 -05:00			`upload = Upload.find_by(id: upload_id) if user&.user_avatar&.contains_upload?(upload_id)`
FIX: don't break user avatars route 2015-05-29 13:19:41 -04:00			`upload \|\|= user.uploaded_avatar if user.uploaded_avatar_id == upload_id`
Work in progress, keeping avatars locally This introduces a new model to store the avatars and 3 uploads per user (gravatar, system and custom) user can then pick which they want. 2014-05-22 03:37:02 -04:00
			`if user.uploaded_avatar && !upload`
user avatar urls/templates refactor 2015-05-29 12:51:17 -04:00			`avatar_url = UserAvatar.local_avatar_url(hostname, user.username_lower, user.uploaded_avatar_id, size)`
			`return redirect_to cdn_path(avatar_url)`
better support for mixed content 2015-06-01 11:49:58 -04:00			`elsif upload && optimized = get_optimized_image(upload, size)`
			`if optimized.local?`
			`optimized_path = Discourse.store.path_for(optimized)`
			`image = optimized_path if File.exists?(optimized_path)`
			`else`
FIX: improve last_modified date returned for avatars instead of hard coding a date: 1. For optimized images use the upload date when on s3 2. For not-found use 10 minutes ago to match the expiry 2018-08-23 19:36:11 -04:00			`return proxy_avatar(Discourse.store.cdn_url(optimized.url), upload.created_at)`
Work in progress, keeping avatars locally This introduces a new model to store the avatars and 3 uploads per user (gravatar, system and custom) user can then pick which they want. 2014-05-22 03:37:02 -04:00			`end`
			`end`

			`if image`
FIX: missing last modified on avatars 2014-07-08 03:16:07 -04:00			`response.headers["Last-Modified"] = File.ctime(image).httpdate`
FIX: add 'Content-Length' header for avatars 2014-10-22 09:39:51 -04:00			`response.headers["Content-Length"] = File.size(image).to_s`
FEATURE: add immutable caching to rails site of things 2017-02-23 13:05:00 -05:00			`immutable_for 1.year`
Work in progress, keeping avatars locally This introduces a new model to store the avatars and 3 uploads per user (gravatar, system and custom) user can then pick which they want. 2014-05-22 03:37:02 -04:00			`send_file image, disposition: nil`
			`else`
Use a real placeholder avatar for all bad avatar links 2015-12-15 22:02:09 -05:00			`render_blank`
Work in progress, keeping avatars locally This introduces a new model to store the avatars and 3 uploads per user (gravatar, system and custom) user can then pick which they want. 2014-05-22 03:37:02 -04:00			`end`
FIX: If we can't proxy to a CDN due to HTTP error, render blank 2017-05-04 12:42:46 -04:00			`rescue OpenURI::HTTPError`
			`render_blank`
Work in progress, keeping avatars locally This introduces a new model to store the avatars and 3 uploads per user (gravatar, system and custom) user can then pick which they want. 2014-05-22 03:37:02 -04:00			`end`
BUGFIX: support CDN for avatars Correct broken spec Implement S3 support 2014-05-27 00:40:46 -04:00
PERF: proxy avatars locally when stored on s3 this avoids a nasty redirect 2015-12-15 21:18:12 -05:00			`PROXY_PATH = Rails.root + "tmp/avatar_proxy"`
FIX: improve last_modified date returned for avatars instead of hard coding a date: 1. For optimized images use the upload date when on s3 2. For not-found use 10 minutes ago to match the expiry 2018-08-23 19:36:11 -04:00			`def proxy_avatar(url, last_modified)`
FIX: not proxying protocol-less urls 2015-12-16 21:21:09 -05:00
			`if url[0..1] == "//"`
Rename `SiteSetting#use_https` to `force_https`. 2016-06-27 05:26:43 -04:00			`url = (SiteSetting.force_https ? "https:" : "http:") + url`
FIX: not proxying protocol-less urls 2015-12-16 21:21:09 -05:00			`end`

PERF: proxy avatars locally when stored on s3 this avoids a nasty redirect 2015-12-15 21:18:12 -05:00			`sha = Digest::SHA1.hexdigest(url)`
			`filename = "#{sha}#{File.extname(url)}"`
			`path = "#{PROXY_PATH}/#{filename}"`

correct bad logic 2015-12-15 21:40:34 -05:00			`unless File.exist? path`
PERF: proxy avatars locally when stored on s3 this avoids a nasty redirect 2015-12-15 21:18:12 -05:00			`FileUtils.mkdir_p PROXY_PATH`
Refactor `FileHelper` to use keyword arguments. 2017-05-24 13:42:52 -04:00			`tmp = FileHelper.download(`
			`url,`
			`max_file_size: 1.megabyte,`
			`tmp_file_name: filename,`
			`follow_redirect: true,`
			`read_timeout: 10`
			`)`
PERF: proxy avatars locally when stored on s3 this avoids a nasty redirect 2015-12-15 21:18:12 -05:00			`FileUtils.mv tmp.path, path`
			`end`

FIX: improve last_modified date returned for avatars instead of hard coding a date: 1. For optimized images use the upload date when on s3 2. For not-found use 10 minutes ago to match the expiry 2018-08-23 19:36:11 -04:00			`response.headers["Last-Modified"] = last_modified.httpdate`
PERF: proxy avatars locally when stored on s3 this avoids a nasty redirect 2015-12-15 21:18:12 -05:00			`response.headers["Content-Length"] = File.size(path).to_s`
FEATURE: add immutable caching to rails site of things 2017-02-23 13:05:00 -05:00			`immutable_for(1.year)`
PERF: proxy avatars locally when stored on s3 this avoids a nasty redirect 2015-12-15 21:18:12 -05:00			`send_file path, disposition: nil`
			`end`

Add DoS protection to action 2014-05-27 08:29:27 -04:00			`# this protects us from a DoS`
Use a real placeholder avatar for all bad avatar links 2015-12-15 22:02:09 -05:00			`def render_blank`
			`path = Rails.root + "public/images/avatar.png"`
Add DoS protection to action 2014-05-27 08:29:27 -04:00			`expires_in 10.minutes, public: true`
FIX: set old last modified date for invalid avatars In some cases Akami was holding tight to these invalid avatars, to avoid this happening we explain the avatar image is ancient then when a new upload is added it automatically is older than this. 2018-08-31 03:07:31 -04:00			`response.headers["Last-Modified"] = Time.new('1990-01-01').httpdate`
Use a real placeholder avatar for all bad avatar links 2015-12-15 22:02:09 -05:00			`response.headers["Content-Length"] = File.size(path).to_s`
			`send_file path, disposition: nil`
Add DoS protection to action 2014-05-27 08:29:27 -04:00			`end`

FIX: automatically correct bad avatars on access Also start relying on upload extension for optimized images 2018-08-16 02:32:36 -04:00			`protected`

			`# consider removal of hacks some time in 2019`

BUGFIX: support CDN for avatars Correct broken spec Implement S3 support 2014-05-27 00:40:46 -04:00			`def get_optimized_image(upload, size)`
FEATURE: automatically correct extension for bad uploads This fixes with post thumbnails on the fly 2018-08-17 00:00:27 -04:00			`return if !upload`
FIX: correct svg handling for images We regressed and optimized images no longer worked with svg The following adds the correct logic to simply copy file for svgs and bypasses resizing for svg avatars 2018-11-06 23:29:14 -05:00			`return upload if upload.extension == "svg"`
FIX: automatically correct bad avatars on access Also start relying on upload extension for optimized images 2018-08-16 02:32:36 -04:00
FEATURE: automatically correct extension for bad uploads This fixes with post thumbnails on the fly 2018-08-17 00:00:27 -04:00			`upload.get_optimized_image(size, size, allow_animation: SiteSetting.allow_animated_avatars)`
			`# TODO decide if we want to detach here`
BUGFIX: support CDN for avatars Correct broken spec Implement S3 support 2014-05-27 00:40:46 -04:00			`end`

Work in progress, keeping avatars locally This introduces a new model to store the avatars and 3 uploads per user (gravatar, system and custom) user can then pick which they want. 2014-05-22 03:37:02 -04:00			`end`