fix: use MD5 hashing used for image cache keys

MD5 hashing used for image cache keys
Disable SSL in production because SSL is enforced at the Traefik layer

Author: Bulletdev

app/controllers/api/v1/images_controller.rb

@@ -21,81 +21,98 @@ class ImagesController < BaseController
       # @return [Binary] The image data with appropriate content-type
       def proxy
         url = params[:url]
+        return render_invalid_url unless valid_image_url?(url)
 
-        # Validate URL
-        unless valid_image_url?(url)
-          render json: { error: 'Invalid or unauthorized URL' }, status: :bad_request
-          return
-        end
-
-        # Try to get from cache first
-        cache_key = "image_proxy:#{Digest::MD5.hexdigest(url)}"
-        cached_data = Rails.cache.fetch(cache_key, expires_in: 7.days) do
-          fetch_external_image(url)
-        end
-
-        if cached_data[:error]
-          render json: { error: cached_data[:error] }, status: :bad_gateway
-          return
-        end
+        cached_data = fetch_cached_image(url)
+        return render_fetch_error(cached_data[:error]) if cached_data[:error]
 
-        # Send the cached image
-        send_data cached_data[:body],
-                  type: cached_data[:content_type],
-                  disposition: 'inline',
-                  filename: File.basename(URI.parse(url).path)
+        send_image_data(cached_data, url)
       rescue StandardError => e
-        Rails.logger.error("Image proxy error: #{e.message}")
-        render json: { error: 'Failed to fetch image' }, status: :internal_server_error
+        handle_proxy_error(e)
       end
 
       private
 
+      ALLOWED_DOMAINS = [
+        'upload.wikimedia.org',
+        'ddragon.leagueoflegends.com',
+        'raw.communitydragon.org',
+        'static.wikia.nocookie.net',
+        'commons.wikimedia.org'
+      ].freeze
+
+      HTTP_TIMEOUT_OPTIONS = { open_timeout: 5, read_timeout: 10 }.freeze
+
       # Validates if the URL is from an allowed domain
       def valid_image_url?(url)
         return false if url.blank?
 
         uri = URI.parse(url)
-        allowed_domains = [
-          'upload.wikimedia.org',
-          'ddragon.leagueoflegends.com',
-          'raw.communitydragon.org',
-          'static.wikia.nocookie.net',
-          'commons.wikimedia.org'
-        ]
-
-        allowed_domains.any? { |domain| uri.host&.include?(domain) }
+        ALLOWED_DOMAINS.any? { |domain| uri.host&.include?(domain) }
       rescue URI::InvalidURIError
         false
       end
 
+      # Fetches image from cache or external source
+      def fetch_cached_image(url)
+        cache_key = "image_proxy:#{Digest::SHA256.hexdigest(url)}"
+        Rails.cache.fetch(cache_key, expires_in: 7.days) do
+          fetch_external_image(url)
+        end
+      end
+
       # Fetches image from external URL
       def fetch_external_image(url)
         uri = URI.parse(url)
+        response = perform_http_request(uri)
+        process_http_response(response)
+      rescue StandardError => e
+        Rails.logger.error("Failed to fetch image from #{url}: #{e.message}")
+        { error: e.message }
+      end
 
-        Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https',
-                        open_timeout: 5, read_timeout: 10) do |http|
+      # Performs HTTP request to fetch image
+      def perform_http_request(uri)
+        Net::HTTP.start(uri.host, uri.port,
+                        use_ssl: uri.scheme == 'https',
+                        **HTTP_TIMEOUT_OPTIONS) do |http|
           request = Net::HTTP::Get.new(uri.request_uri)
           request['User-Agent'] = 'ProStaff-API/1.0 (Image Proxy)'
+          http.request(request)
+        end
+      end
 
-          response = http.request(request)
-
-          if response.is_a?(Net::HTTPSuccess)
-            {
-              body: response.body,
-              content_type: response['content-type'] || 'image/png'
-            }
-          else
-            {
-              error: "External service returned #{response.code}",
-              content_type: 'text/plain',
-              body: ''
-            }
-          end
+      # Processes HTTP response
+      def process_http_response(response)
+        if response.is_a?(Net::HTTPSuccess)
+          { body: response.body, content_type: response['content-type'] || 'image/png' }
+        else
+          { error: "External service returned #{response.code}", content_type: 'text/plain', body: '' }
         end
-      rescue StandardError => e
-        Rails.logger.error("Failed to fetch image from #{url}: #{e.message}")
-        { error: e.message }
+      end
+
+      # Renders invalid URL error
+      def render_invalid_url
+        render json: { error: 'Invalid or unauthorized URL' }, status: :bad_request
+      end
+
+      # Renders fetch error
+      def render_fetch_error(error)
+        render json: { error: error }, status: :bad_gateway
+      end
+
+      # Sends image data to client
+      def send_image_data(cached_data, url)
+        send_data cached_data[:body],
+                  type: cached_data[:content_type],
+                  disposition: 'inline',
+                  filename: File.basename(URI.parse(url).path)
+      end
+
+      # Handles proxy errors
+      def handle_proxy_error(error)
+        Rails.logger.error("Image proxy error: #{error.message}")
+        render json: { error: 'Failed to fetch image' }, status: :internal_server_error
       end
     end
   end

config/environments/production.rb

@@ -27,6 +27,10 @@
   config.active_storage.variant_processor = :mini_magick
 
   # SSL Configuration - Traefik terminates SSL, Rails receives HTTP
+  # Note: SSL is enforced at the Traefik layer (reverse proxy), not at the Rails layer.
+  # This is secure because: (1) Traefik handles HTTPS/TLS termination, (2) internal
+  # communication between Traefik and Rails is over a private Docker network.
+  # Setting force_ssl = true would cause redirect loops.
   config.force_ssl = false