Remove size from public image ID JWT

server/public/public_endpoints.go

@@ -8,13 +8,11 @@ import (
 	"time"
 
 	"github.com/go-chi/chi/v5"
-	"github.com/go-chi/jwtauth/v5"
-	"github.com/lestrrat-go/jwx/v2/jwt"
 	"github.com/navidrome/navidrome/core/artwork"
-	"github.com/navidrome/navidrome/core/auth"
 	"github.com/navidrome/navidrome/log"
 	"github.com/navidrome/navidrome/model"
 	"github.com/navidrome/navidrome/server"
+	"github.com/navidrome/navidrome/utils"
 )
 
 type Router struct {
@@ -34,9 +32,7 @@ func (p *Router) routes() http.Handler {
 
 	r.Group(func(r chi.Router) {
 		r.Use(server.URLParamsMiddleware)
-		r.Use(jwtVerifier)
-		r.Use(validator)
-		r.Get("/img/{jwt}", p.handleImages)
+		r.Get("/img/{id}", p.handleImages)
 	})
 	return r
 }
@@ -44,22 +40,20 @@ func (p *Router) routes() http.Handler {
 func (p *Router) handleImages(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
-
-	_, claims, _ := jwtauth.FromContext(ctx)
-	id, ok := claims["id"].(string)
-	if !ok {
-		http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
-		return
-	}
-	size, ok := claims["size"].(float64)
-	if !ok {
-		http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+	id := r.URL.Query().Get(":id")
+	if id == "" {
+		http.Error(w, "invalid id", http.StatusBadRequest)
 		return
 	}
 
-	imgReader, lastUpdate, err := p.artwork.Get(ctx, id, int(size))
-	w.Header().Set("cache-control", "public, max-age=315360000")
-	w.Header().Set("last-modified", lastUpdate.Format(time.RFC1123))
+	artId, err := artwork.DecodeArtworkID(id)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	size := utils.ParamInt(r, "size", 0)
+	imgReader, lastUpdate, err := p.artwork.Get(ctx, artId.String(), size)
 
 	switch {
 	case errors.Is(err, context.Canceled):
@@ -75,32 +69,10 @@ func (p *Router) handleImages(w http.ResponseWriter, r *http.Request) {
 	}
 
 	defer imgReader.Close()
+	w.Header().Set("Cache-Control", "public, max-age=315360000")
+	w.Header().Set("Last-Modified", lastUpdate.Format(time.RFC1123))
 	cnt, err := io.Copy(w, imgReader)
 	if err != nil {
 		log.Warn(ctx, "Error sending image", "count", cnt, err)
 	}
 }
-
-func jwtVerifier(next http.Handler) http.Handler {
-	return jwtauth.Verify(auth.TokenAuth, func(r *http.Request) string {
-		return r.URL.Query().Get(":jwt")
-	})(next)
-}
-
-func validator(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		token, _, err := jwtauth.FromContext(r.Context())
-
-		validErr := jwt.Validate(token,
-			jwt.WithRequiredClaim("id"),
-			jwt.WithRequiredClaim("size"),
-		)
-		if err != nil || token == nil || validErr != nil {
-			http.Error(w, http.StatusText(http.StatusNotFound), http.StatusNotFound)
-			return
-		}
-
-		// Token is authenticated, pass it through
-		next.ServeHTTP(w, r)
-	})
-}