-
-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(assets): support remote images #7778
Conversation
🦋 Changeset detectedLatest commit: 9665ed5 The changes in this PR will be included in the next version bump. Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
feat: remote pattern image config feat: block non allowed remote urls sq
Hi @y-nk , thank you for your contribution. Considering that there isn't an RFC for this feature, could you please describe the feature you're implementing in detail? The code seems to do much more (remote patterns? domain? etc.) compared the description. This will help me (and other people) to review your code. |
@ematipico sure can do. if you want the full discussion, you can refer to this discord thread. Let me know if the following is clear enough ; if not i'll be glad to explain further. Original problemThe current state of First implementationThe original scope of the PR (thanks to @Princesseuh's guidances and contributions) only proposed to add the processing of remote images as well. Basically, when writing: import { Image } from 'astro:assets'
<Image src="https://placehold.co/640x480.png /> the result will be an Wrapping upAfter I've done this, I discussed it with @Princesseuh who suggested that for security reasons we should add a level of filtering for remote images, in the same way that The Basically, So I asked Erika which of the 2 levels she would like, and she answered " What's in the PRThe final result is adding remote image processing to Side notesAs for the algorithm behind |
Hi, just wanted to ask if there is any progress with remote images? As y-nk has mostly finished this feature |
I'm hoping to get to it this week, it seems like the current implementation break some things looking at the test and there's also some docs work needed for it. |
@Princesseuh sorry for not updating earlier as i've been away for a long weekend afk ; i'm back and will take some time later this week to address this. |
@y-nk Thanks for working on this, I've been hoping something like this would happen eventually. |
Really pleased this work is (hopefully) about to drop, thank you for looking into this 🙏 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @y-nk and @Princesseuh for this cool feature! I've left some suggestions below for your consideration re: docs! 🙌
Co-authored-by: Sarah Rainsberger <sarah@rainsberger.ca>
Co-authored-by: Sarah Rainsberger <sarah@rainsberger.ca>
I'm noticing now that there's no mention in the description as to whether this is exclusively for the It doesn't have to affect this PR, but for the v3 docs I'm writing, I'd like to know so I can be explicit! Can someone mention me here and let me know one way or the other? Thanks! 🙌 |
This is only for image processing, so only when using The technical reasons for all the fluff of domains and remote patterns regarding processing remote images is that the server (not the user's browser) has to fetch the images to process them, so you don't want users to be able to make your server fetch any random URLs |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for addressing my comments! Let's 🚢 it!
const JSONData = JSON.parse(readFileSync(cachedFileURL, 'utf-8')) as RemoteCacheEntry; | ||
|
||
// If the cache entry is not expired, use it | ||
if (JSONData.expires < Date.now()) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@y-nk sorry to comment on a closed PR, but is this logic correct? I think it should be >
, but I may be missing something obvious.
(but big ❤️❤️❤️ for this PR overall - it's super helpful to have remote images optimised locally!)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@notjosh i'll be honest i don't remember writing that line. maybe @Princesseuh have more clue about it. from reading the if it seems you're right, but i'm not so sure.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was fixed in a PR after this one!
Changes
This enable the processing of remote images with the
astro:assets
. It will download the images into a cache folder and process them as if it was any other image.EDIT: after discussing with @Princesseuh on the subject, I've added a round of security measures through the
domains
andremotePatterns
configuration options, which works similarly tonext/image
's one (described here: https://nextjs.org/docs/app/api-reference/components/image#remotepatterns)Testing
I've forked astro locally, iterated and tested manually both for
dev
andbuild
mode with a sample route such as:In my config:
Docs
/cc @withastro/maintainers-docs for feedback!
I didn't add docs yet because at this point I'm not sure the PR will be approved. I'd rather wait for round of feedbacks and approval of code, settle on API and then add docs before merging 🙏