feat!: add signed URLs, rename package Service Provider and Facade

Author: ace-of-aces

composer.json

@@ -83,7 +83,7 @@
     "extra": {
         "laravel": {
             "providers": [
-                "AceOfAces\\LaravelImageTransformUrl\\LaravelImageTransformUrlServiceProvider"
+                "AceOfAces\\LaravelImageTransformUrl\\ImageTransformUrlServiceProvider"
             ]
         }
     },

config/image-transform-url.php

@@ -108,6 +108,24 @@
         'decay_seconds' => env('IMAGE_TRANSFORM_RATE_LIMIT_DECAY_SECONDS', 60),
     ],
 
+    /*
+    |--------------------------------------------------------------------------
+    | Signed URLs
+    |--------------------------------------------------------------------------
+    |
+    | Below you may configure signed URLs, which can be used to protect image
+    | transformations from unauthorized access. Signature verification is
+    | only applied to images from the for_source_directories array.
+    |
+    */
+
+    'signed_urls' => [
+        'enabled' => env('IMAGE_TRANSFORM_SIGNED_URLS_ENABLED', false),
+        'for_source_directories' => env('IMAGE_TRANSFORM_SIGNED_URLS_FOR_SOURCE_DIRECTORIES', [
+            //
+        ]),
+    ],
+
     /*
     |--------------------------------------------------------------------------
     | Response Headers

routes/image.php

@@ -3,6 +3,7 @@
 declare(strict_types=1);
 
 use AceOfAces\LaravelImageTransformUrl\Http\Controllers\ImageTransformerController;
+use AceOfAces\LaravelImageTransformUrl\Http\Middleware\SignedImageTransformMiddleware;
 use Illuminate\Support\Facades\Route;
 
 Route::prefix(config()->string('image-transform-url.route_prefix'))->group(function () {
@@ -11,11 +12,13 @@
         ->where('pathPrefix', '[a-zA-Z][a-zA-Z0-9_-]*')
         ->where('options', '([a-zA-Z]+=-?[a-zA-Z0-9]+,?)+')
         ->where('path', '.*\..*')
-        ->name('image.transform');
+        ->name('image.transform')
+        ->middleware(SignedImageTransformMiddleware::class);
 
     // Default path prefix route
     Route::get('{options}/{path}', [ImageTransformerController::class, 'transformDefault'])
         ->where('options', '([a-zA-Z]+=-?[a-zA-Z0-9]+,?)+')
         ->where('path', '.*\..*')
-        ->name('image.transform.default');
+        ->name('image.transform.default')
+        ->middleware(SignedImageTransformMiddleware::class);
 });

src/Exceptions/InvalidConfigurationException.php

@@ -0,0 +1,16 @@
+<?php
+
+declare(strict_types=1);
+
+namespace AceOfAces\LaravelImageTransformUrl\Exceptions;
+
+use RuntimeException;
+use Throwable;
+
+class InvalidConfigurationException extends RuntimeException
+{
+    public function __construct(string $message, $code = 0, ?Throwable $previous = null)
+    {
+        parent::__construct($message, $code, $previous);
+    }
+}

src/Facades/ImageTransformUrl.php

@@ -0,0 +1,21 @@
+<?php
+
+declare(strict_types=1);
+
+namespace AceOfAces\LaravelImageTransformUrl\Facades;
+
+use Illuminate\Support\Facades\Facade;
+
+/**
+ * @see \AceOfAces\LaravelImageTransformUrl\LaravelImageTransformUrl;
+ *
+ * @method string signedUrl(string $path, array|string $options = [], ?string $pathPrefix = null, \DateTimeInterface|\DateInterval|int|null $expiration = null, ?bool $absolute = true)
+ * @method string temporarySignedUrl(string $path, array|string $options = [], \DateTimeInterface|\DateInterval|int $expiration, ?string $pathPrefix = null, ?bool $absolute = true)
+ */
+class ImageTransformUrl extends Facade
+{
+    protected static function getFacadeAccessor(): string
+    {
+        return \AceOfAces\LaravelImageTransformUrl\ImageTransformUrl::class;
+    }
+}

src/Http/Middleware/SignedImageTransformMiddleware.php

@@ -0,0 +1,64 @@
+<?php
+
+declare(strict_types=1);
+
+namespace AceOfAces\LaravelImageTransformUrl\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Illuminate\Routing\Exceptions\InvalidSignatureException;
+use Illuminate\Routing\Middleware\ValidateSignature;
+use Symfony\Component\HttpFoundation\Response;
+
+class SignedImageTransformMiddleware
+{
+    /**
+     * Handle an incoming request and conditionally apply signature verification.
+     *
+     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
+     */
+    public function handle(Request $request, Closure $next): Response
+    {
+        $pathPrefix = $request->route('pathPrefix');
+
+        if (is_null($pathPrefix)) {
+            $pathPrefix = config()->string('image-transform-url.default_source_directory');
+        }
+
+        if ($this->requiresSignatureVerification($pathPrefix)) {
+            return $this->validateSignature($request, $next);
+        }
+
+        return $next($request);
+    }
+
+    /**
+     * Determine if signature verification is required for the given path prefix.
+     */
+    protected function requiresSignatureVerification(string $pathPrefix): bool
+    {
+        if (! config()->boolean('image-transform-url.signed_urls.enabled')) {
+            return false;
+        }
+
+        $protectedDirectories = config()->array('image-transform-url.signed_urls.for_source_directories');
+
+        return in_array($pathPrefix, $protectedDirectories, true);
+    }
+
+    /**
+     * Validate the signature of the request.
+     *
+     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
+     */
+    protected function validateSignature(Request $request, Closure $next): Response
+    {
+        $validator = new ValidateSignature;
+
+        try {
+            return $validator->handle($request, $next);
+        } catch (InvalidSignatureException $e) {
+            throw $e;
+        }
+    }
+}

src/ImageTransformUrl.php

@@ -0,0 +1,70 @@
+<?php
+
+declare(strict_types=1);
+
+namespace AceOfAces\LaravelImageTransformUrl;
+
+use AceOfAces\LaravelImageTransformUrl\Exceptions\InvalidConfigurationException;
+use DateInterval;
+use DateTimeInterface;
+use Illuminate\Support\Facades\URL;
+
+class ImageTransformUrl
+{
+    /**
+     * Generate a signed URL for the image transformation.
+     *
+     * @param  string  $path  The path to the image.
+     * @param  array  $options  The transformation options.
+     * @param  string|null  $pathPrefix  The path prefix to use. Defaults to the default path prefix.
+     * @param  DateTimeInterface|\DateInterval|int|null  $expiration  The expiration time for the signed URL.
+     * @return string The signed URL.
+     *
+     * @throws InvalidConfigurationException If signed URLs are not enabled in the configuration.
+     */
+    public function signedUrl(string $path, array|string $options = [], ?string $pathPrefix = null, DateTimeInterface|DateInterval|int|null $expiration = null, ?bool $absolute = true): string
+    {
+        if (! config()->boolean('image-transform-url.signed_urls.enabled')) {
+            throw new InvalidConfigurationException('Signed URLs are not enabled. Please check your configuration.');
+        }
+
+        if (is_array($options)) {
+            $options = collect($options)
+                ->map(fn ($value, $key) => "$key=$value")
+                ->implode(',');
+        }
+
+        if (empty($pathPrefix)) {
+            return URL::signedRoute(
+                'image.transform.default',
+                ['options' => $options, 'path' => $path],
+                $expiration,
+                $absolute
+            );
+        }
+
+        return URL::signedRoute(
+            'image.transform',
+            ['pathPrefix' => $pathPrefix, 'options' => $options, 'path' => $path],
+            $expiration,
+            $absolute
+        );
+    }
+
+    /**
+     * Create a temporary signed URL for the image transformation.
+     *
+     * @param  string  $path  The path to the image.
+     * @param  array|string  $options  The transformation options.
+     * @param  DateTimeInterface|DateInterval|int  $expiration  The expiration time for the signed URL.
+     * @param  string|null  $pathPrefix  The path prefix to use. Defaults to the default path prefix.
+     * @param  bool|null  $absolute  Whether the URL should be absolute. Defaults to true.
+     * @return string The temporary signed URL.
+     *
+     * @throws InvalidConfigurationException If signed URLs are not enabled in the configuration.
+     */
+    public function temporarySignedUrl(string $path, array|string $options, DateTimeInterface|DateInterval|int $expiration, ?string $pathPrefix, ?bool $absolute = true): string
+    {
+        return $this->signedUrl($path, $options, $pathPrefix, $expiration, $absolute);
+    }
+}

src/ImageTransformUrlServiceProvider.php

@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+namespace AceOfAces\LaravelImageTransformUrl;
+
+use AceOfAces\LaravelImageTransformUrl\Http\Middleware\SignedImageTransformMiddleware;
+use Illuminate\Routing\Router;
+use Spatie\LaravelPackageTools\Package;
+use Spatie\LaravelPackageTools\PackageServiceProvider;
+
+class ImageTransformUrlServiceProvider extends PackageServiceProvider
+{
+    public function configurePackage(Package $package): void
+    {
+        /*
+         * This class is a Package Service Provider
+         *
+         * More info: https://github.com/spatie/laravel-package-tools
+         */
+        $package
+            ->name('laravel-image-transform-url')
+            ->hasConfigFile()
+            ->hasRoute('image');
+    }
+
+    public function packageBooted(): void
+    {
+        $this->registerMiddleware();
+    }
+
+    /**
+     * Register the custom middleware.
+     */
+    protected function registerMiddleware(): void
+    {
+        $router = $this->app->make(Router::class);
+
+        $router->aliasMiddleware('signed-image-transform', SignedImageTransformMiddleware::class);
+    }
+}