fix: replace resolvePeerAvatarUrl with localPeerAvatarUrl for avatar URL handling and add avatar proxy endpoint

Author: benjinus

packages/node/src/api/routes/contacts.ts

@@ -4,7 +4,7 @@ import { Router } from '../router.js';
 import { handleError } from '../route-utils.js';
 import { ok, created, noContent } from '../response.js';
 import type { RuntimeContext } from '../types.js';
-import { resolvePeerAvatarUrl } from '../../utils/avatar-url.js';
+import { localPeerAvatarUrl } from '../../utils/avatar-url.js';
 
 export function contactRoutes(ctx: RuntimeContext): Router {
   const router = new Router();
@@ -13,9 +13,10 @@ export function contactRoutes(ctx: RuntimeContext): Router {
     try {
       const contacts = ctx.contactService.listContacts().map((contact) => {
         const peer = ctx.peerProfileRepository.get(contact.did);
+        const rawAvatarUrl = peer?.avatarUrl ?? contact.avatarUrl;
         return {
           ...contact,
-          avatarUrl: resolvePeerAvatarUrl(contact.avatarUrl, peer?.nodeUrl),
+          avatarUrl: localPeerAvatarUrl(contact.did, rawAvatarUrl),
         };
       });
       ok(res, contacts, { self: '/api/v1/contacts' });
@@ -31,11 +32,12 @@ export function contactRoutes(ctx: RuntimeContext): Router {
         throw new TelagentError(ErrorCodes.NOT_FOUND, `Contact not found: ${params.did}`);
       }
       const peer = ctx.peerProfileRepository.get(params.did);
+      const rawAvatarUrl = peer?.avatarUrl ?? contact.avatarUrl;
       ok(
         res,
         {
           ...contact,
-          avatarUrl: resolvePeerAvatarUrl(contact.avatarUrl, peer?.nodeUrl),
+          avatarUrl: localPeerAvatarUrl(params.did, rawAvatarUrl),
         },
         { self: `/api/v1/contacts/${encodeURIComponent(params.did)}` },
       );

packages/node/src/api/routes/profile.ts

@@ -7,7 +7,7 @@ import { Router } from '../router.js';
 import { handleError } from '../route-utils.js';
 import { ok } from '../response.js';
 import type { RuntimeContext } from '../types.js';
-import { resolvePeerAvatarUrl } from '../../utils/avatar-url.js';
+import { resolvePeerAvatarUrl, localPeerAvatarUrl } from '../../utils/avatar-url.js';
 
 const ALLOWED_MIME_TYPES = new Set([
   'image/jpeg',
@@ -144,6 +144,35 @@ export function profileRoutes(ctx: RuntimeContext): Router {
     }
   });
 
+  // ── GET /:did/avatar  (public — proxies peer avatar via local node) ────────
+  // The frontend should never fetch images directly from remote nodes (cross-origin
+  // / firewall issues). This endpoint proxies the avatar from the peer's node URL.
+  router.get('/:did/avatar', async ({ res, params, url }) => {
+    try {
+      const { did } = params;
+      if (!did) {
+        throw new TelagentError(ErrorCodes.VALIDATION, 'did is required');
+      }
+      const profile = ctx.peerProfileRepository.get(did);
+      if (!profile?.avatarUrl) {
+        throw new TelagentError(ErrorCodes.NOT_FOUND, `No avatar for did: ${did}`);
+      }
+      const remoteUrl = resolvePeerAvatarUrl(profile.avatarUrl, profile.nodeUrl);
+      if (!remoteUrl || remoteUrl.startsWith('/')) {
+        throw new TelagentError(ErrorCodes.NOT_FOUND, `Cannot resolve avatar URL for did: ${did}`);
+      }
+      const response = await fetch(remoteUrl, { signal: AbortSignal.timeout(8000) });
+      if (!response.ok) {
+        throw new TelagentError(ErrorCodes.NOT_FOUND, `Remote avatar fetch failed: ${response.status}`);
+      }
+      const contentType = response.headers.get('content-type') ?? 'image/jpeg';
+      const data = Buffer.from(await response.arrayBuffer());
+      sendBinary(res, 200, data, contentType);
+    } catch (error) {
+      handleError(res, error, url.pathname);
+    }
+  });
+
   // ── GET /:did  (public — no auth, returns cached peer profile) ────────────
   // On cache miss, fires a profile-card request via P2P so the next query will
   // hit the cache once the peer replies.
@@ -179,7 +208,7 @@ export function profileRoutes(ctx: RuntimeContext): Router {
       }
       const normalizedProfile = {
         ...profile,
-        avatarUrl: resolvePeerAvatarUrl(profile.avatarUrl, profile.nodeUrl),
+        avatarUrl: localPeerAvatarUrl(did, profile.avatarUrl),
       };
       ok(res, normalizedProfile, { self: `/api/v1/profile/${encodeURIComponent(did)}` });
     } catch (error) {

packages/node/src/services/message-service.ts

@@ -14,7 +14,7 @@ import type { ContactService } from './contact-service.js';
 import type { GroupService } from './group-service.js';
 import type { PeerProfileRepository } from '../storage/peer-profile-repository.js';
 import type { KeyLifecycleService, KeySuite } from './key-lifecycle-service.js';
-import { resolvePeerAvatarUrl } from '../utils/avatar-url.js';
+import { localPeerAvatarUrl } from '../utils/avatar-url.js';
 import { SequenceAllocator } from './sequence-allocator.js';
 import type {
   MailboxStore,
@@ -475,10 +475,8 @@ export class MessageService {
     const peer = this.peerProfileRepository?.get(item.peerDid as Parameters<PeerProfileRepository['get']>[0]);
     const contact = this.contactService?.getContact(item.peerDid);
     const displayName = peer?.nickname || contact?.displayName || item.displayName;
-    const avatarUrl = resolvePeerAvatarUrl(
-      peer?.avatarUrl ?? contact?.avatarUrl ?? item.avatarUrl ?? undefined,
-      peer?.nodeUrl,
-    ) ?? null;
+    const rawAvatarUrl = peer?.avatarUrl ?? contact?.avatarUrl ?? item.avatarUrl ?? undefined;
+    const avatarUrl = (item.peerDid ? localPeerAvatarUrl(item.peerDid, rawAvatarUrl) : undefined) ?? null;
     if (displayName === item.displayName && avatarUrl === item.avatarUrl) return item;
     return { ...item, displayName, avatarUrl };
   }

packages/node/src/utils/avatar-url.ts

@@ -16,3 +16,13 @@ export function resolvePeerAvatarUrl(
 
   return `${peerNodeUrl.replace(/\/$/, '')}${avatarUrl}`;
 }
+
+/**
+ * Returns the local proxy path the frontend should use to load a peer avatar.
+ * The local node will proxy the request to the remote peer node, avoiding
+ * cross-origin / firewall issues in the browser.
+ */
+export function localPeerAvatarUrl(did: string, avatarUrl: string | undefined): string | undefined {
+  if (!avatarUrl) return undefined;
+  return `/api/v1/profile/${encodeURIComponent(did)}/avatar`;
+}