feat!: support mutliple source directories, remove public_path config, refactor controller

ace-of-aces · ace-of-aces · commit ea1907b752b4 · 2025-06-20T16:36:48.000+02:00
BREAKING CHANGE: The `public_path` config has been replaced by `source_directories` and `default_source_directory`.
diff --git a/config/image-transform-url.php b/config/image-transform-url.php
@@ -3,16 +3,35 @@
 return [
     /*
     |--------------------------------------------------------------------------
-    | Public Path
+    | Source Directories
     |--------------------------------------------------------------------------
     |
-    | Here you may configure the public path/prefix where the images are stored.
-    | If you are storing the images in 'storage/app/public', the typically
-    | linked public path would be 'storage'.
+    | Here you may configure the directories from which the image transformer
+    | is allowed to serve images. For security reasons, it is recommended
+    | to only allow directories which are already publicly accessible.
+    |
+    | Important: The public storage directory should be addressed directly via
+    | storage('app/public') instead of the public_path('storage') link.
+    |
+    */
+
+    'source_directories' => [
+        'images' => public_path('images'),
+        'storage' => storage_path('app/public/images'),
+    ],
+
+    /*
+    |--------------------------------------------------------------------------
+    | Default Source Directory
+    |--------------------------------------------------------------------------
+    |
+    | Below you may configure the default source directory which is used when
+    | no specific path prefix is provided in the URL. This should be one of
+    | the keys from the source_directories array.
     |
     */
 
-    'public_path' => env('IMAGE_TRANSFORM_PUBLIC_PATH', 'images'),
+    'default_source_directory' => env('IMAGE_TRANSFORM_DEFAULT_SOURCE_DIRECTORY', 'images'),
 
     /*
     |--------------------------------------------------------------------------
diff --git a/routes/image.php b/routes/image.php
@@ -6,8 +6,16 @@
 use Illuminate\Support\Facades\Route;
 
 Route::prefix(config()->string('image-transform-url.route_prefix'))->group(function () {
-    Route::get('{options}/{path}', ImageTransformerController::class)
+    // Explicit path prefix route
+    Route::get('{pathPrefix}/{options}/{path}', [ImageTransformerController::class, 'transformWithPrefix'])
+        ->where('pathPrefix', '[a-zA-Z][a-zA-Z0-9_-]*')
         ->where('options', '([a-zA-Z]+=-?[a-zA-Z0-9]+,?)+')
         ->where('path', '.*\..*')
         ->name('image.transform');
+
+    // Default path prefix route
+    Route::get('{options}/{path}', [ImageTransformerController::class, 'transformDefault'])
+        ->where('options', '([a-zA-Z]+=-?[a-zA-Z0-9]+,?)+')
+        ->where('path', '.*\..*')
+        ->name('image.transform.default');
 });
diff --git a/src/Http/Controllers/ImageTransformerController.php b/src/Http/Controllers/ImageTransformerController.php
@@ -27,23 +27,25 @@ class ImageTransformerController extends \Illuminate\Routing\Controller
 {
     use ResolvesOptions;
 
-    public function __invoke(Request $request, string $options, string $path)
+    public function transformWithPrefix(Request $request, string $pathPrefix, string $options, string $path)
     {
-        $pathPrefix = config()->string('image-transform-url.public_path');
-
-        $publicPath = realpath(public_path($pathPrefix.'/'.$path));
-
-        abort_unless($publicPath, 404);
+        return $this->handleTransform($request, $pathPrefix, $options, $path);
+    }
 
-        abort_unless(Str::startsWith($publicPath, public_path($pathPrefix)), 404);
+    public function transformDefault(Request $request, string $options, string $path)
+    {
+        return $this->handleTransform($request, null, $options, $path);
+    }
 
-        abort_unless(in_array(File::mimeType($publicPath), AllowedMimeTypes::all(), true), 404);
+    protected function handleTransform(Request $request, ?string $pathPrefix, string $options, ?string $path = null)
+    {
+        $realPath = $this->handlePath($pathPrefix, $path);
 
         $options = $this->parseOptions($options);
 
         // Check cache
         if (config()->boolean('image-transform-url.cache.enabled')) {
-            $cachePath = $this->getCachePath($path, $options);
+            $cachePath = $this->getCachePath($pathPrefix, $path, $options);
 
             if (File::exists($cachePath)) {
                 if (Cache::has('image-transform-url:'.$cachePath)) {
@@ -66,7 +68,7 @@ public function __invoke(Request $request, string $options, string $path)
             $this->rateLimit($request, $path);
         }
 
-        $image = Image::read($publicPath);
+        $image = Image::read($realPath);
 
         if (Arr::hasAny($options, ['width', 'height'])) {
             $image->scale(
@@ -108,7 +110,7 @@ public function __invoke(Request $request, string $options, string $path)
         }
 
         // We use the mime type instead of the extension to determine the format, because this is more reliable.
-        $originalMimetype = File::mimeType($publicPath);
+        $originalMimetype = File::mimeType($realPath);
 
         $format = $this->getStringOptionValue($options, 'format', $originalMimetype);
         $quality = $this->getPositiveIntOptionValue($options, 'quality', 100, 100);
@@ -124,9 +126,9 @@ public function __invoke(Request $request, string $options, string $path)
         $encoded = $image->encode($encoder);
 
         if (config()->boolean('image-transform-url.cache.enabled')) {
-            defer(function () use ($path, $options, $encoded) {
+            defer(function () use ($pathPrefix, $path, $options, $encoded) {
 
-                $cachePath = $this->getCachePath($path, $options);
+                $cachePath = $this->getCachePath($pathPrefix, $path, $options);
 
                 $cacheDir = dirname($cachePath);
 
@@ -149,6 +151,40 @@ public function __invoke(Request $request, string $options, string $path)
 
     }
 
+    /**
+     * Handle the path and ensure it is valid.
+     */
+    protected function handlePath(?string &$pathPrefix, ?string &$path): string
+    {
+        if ($path === null) {
+            $path = $pathPrefix;
+            $pathPrefix = null;
+        }
+
+        $allowedSourceDirectories = config('image-transform-url.source_directories', []);
+
+        if (! $pathPrefix) {
+            $pathPrefix = config('image-transform-url.default_source_directory') ?? array_key_first($allowedSourceDirectories);
+        }
+
+        abort_unless(array_key_exists($pathPrefix, $allowedSourceDirectories), 404);
+
+        $basePath = $allowedSourceDirectories[$pathPrefix];
+        $requestedPath = $basePath.'/'.$path;
+        $realPath = realpath($requestedPath);
+
+        abort_unless($realPath, 404);
+
+        $allowedBasePath = realpath($basePath);
+        abort_unless($allowedBasePath, 404);
+
+        abort_unless(Str::startsWith($realPath, $allowedBasePath), 404);
+
+        abort_unless(in_array(File::mimeType($realPath), AllowedMimeTypes::all(), true), 404);
+
+        return $realPath;
+    }
+
     /**
      * Rate limit the request.
      */
@@ -202,10 +238,8 @@ protected static function parseOptions(string $options): array
     /**
      * Get the cache path for the given path and options.
      */
-    protected static function getCachePath(string $path, array $options): string
+    protected static function getCachePath(string $pathPrefix, string $path, array $options): string
     {
-        $pathPrefix = config()->string('image-transform-url.public_path');
-
         $optionsHash = md5(json_encode($options));
 
         return Storage::disk(config()->string('image-transform-url.cache.disk'))->path('_cache/image-transform-url/'.$pathPrefix.'/'.$optionsHash.'_'.$path);
