feat: 添加图像 API 中间件，优化 CORS 和缓存控制；更新响应头处理和测试用例

Author: CharyeahOwO

src/index.js

@@ -10,6 +10,7 @@ import { attachAdminPath } from './middleware/auth.js';
 import { csrfProtection } from './middleware/csrf.js';
 import { createPublicRouter } from './routes/publicRoutes.js';
 import { createAdminRouter } from './routes/adminRoutes.js';
+import { imageApiMiddleware, staticImageHeaders } from './utils/response.js';
 
 const app = express();
 const store = new ImageStore();
@@ -38,6 +39,8 @@ app.use(
   })
 );
 
+app.use(`${appBasePath}/api`, imageApiMiddleware);
+
 app.use(
   cors({
     origin: config.corsOrigin === '*' ? '*' : config.corsOrigin.split(',').map((item) => item.trim()),
@@ -60,9 +63,7 @@ app.use(
   express.static(config.imageRoot, {
     index: false,
     dotfiles: 'ignore',
-    setHeaders(res) {
-      res.setHeader('Cache-Control', 'public, max-age=31536000, immutable');
-    }
+    setHeaders: staticImageHeaders
   })
 );
 

src/routes/publicRoutes.js

@@ -1,7 +1,7 @@
 import express from 'express';
 import { config, deviceNames } from '../config.js';
 import { publicImageJson } from '../imageStore.js';
-import { jsonError, noStore, renderView, escapeHtml } from '../utils/response.js';
+import { absoluteUrl, imageApiMiddleware, jsonError, renderView, escapeHtml, requestBaseUrl } from '../utils/response.js';
 import { isValidDevice, isValidGalleryName } from '../utils/file.js';
 
 function parseDevice(value, fallback = 'all') {
@@ -16,14 +16,6 @@ function parseLimit(value) {
   return Math.min(parsed, 100);
 }
 
-function requestBaseUrl(req) {
-  const forwardedHost = req.get('x-forwarded-host');
-  const host = forwardedHost ? forwardedHost.split(',')[0].trim() : req.get('host');
-  const forwardedProto = req.get('x-forwarded-proto');
-  const protocol = forwardedProto ? forwardedProto.split(',')[0].trim() : req.protocol;
-  return host ? `${protocol}://${host}` : config.publicBaseUrl;
-}
-
 function galleryRows(galleries) {
   if (galleries.length === 0) {
     return '<tr><td colspan="5">暂无图库，请在后台创建图库或手动放入图片目录。</td></tr>';
@@ -51,6 +43,8 @@ function galleryRows(galleries) {
 export function createPublicRouter(store) {
   const router = express.Router();
 
+  router.use('/api', imageApiMiddleware);
+
   router.get('/', async (req, res, next) => {
     try {
       const stats = await store.getStats();
@@ -88,7 +82,6 @@ export function createPublicRouter(store) {
   });
 
   async function randomHandler(req, res, galleryFromPath) {
-    noStore(res);
     const gallery = galleryFromPath || req.query.gallery;
     const device = parseDevice(req.query.device, 'all');
     const type = req.query.type || 'redirect';
@@ -112,14 +105,9 @@ export function createPublicRouter(store) {
       return res.json(publicImageJson(image, total, requestBaseUrl(req)));
     }
     if (type === 'redirect') {
-      res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
-      return res.redirect(302, image.path);
+      return res.redirect(302, absoluteUrl(req, image.path));
     }
-    return res.sendFile(image.absolutePath, {
-      headers: {
-        'Cache-Control': 'no-store'
-      }
-    });
+    return res.sendFile(image.absolutePath);
   }
 
   router.get('/api/random', (req, res, next) => {

src/utils/response.js

@@ -1,5 +1,6 @@
 import fs from 'node:fs/promises';
 import path from 'node:path';
+import { config } from '../config.js';
 
 const viewRoot = path.resolve(process.cwd(), 'views');
 
@@ -22,7 +23,46 @@ export async function renderView(filename, data = {}) {
 }
 
 export function noStore(res) {
-  res.setHeader('Cache-Control', 'no-store');
+  res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
+  res.setHeader('Pragma', 'no-cache');
+  res.setHeader('Expires', '0');
+}
+
+export function imageCors(res) {
+  res.setHeader('Access-Control-Allow-Origin', '*');
+  res.setHeader('Access-Control-Allow-Methods', 'GET, HEAD, OPTIONS');
+  res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Range');
+  res.setHeader('Access-Control-Expose-Headers', 'Location, Content-Length, Content-Type, Cache-Control');
+}
+
+export function imageApiHeaders(res) {
+  imageCors(res);
+  noStore(res);
+}
+
+export function imageApiMiddleware(req, res, next) {
+  imageApiHeaders(res);
+  if (req.method === 'OPTIONS') return res.sendStatus(204);
+  return next();
+}
+
+export function staticImageHeaders(res) {
+  imageCors(res);
+  res.setHeader('Cache-Control', 'public, max-age=31536000, immutable');
+}
+
+export function requestBaseUrl(req) {
+  const forwardedHost = req.get('x-forwarded-host');
+  const host = forwardedHost ? forwardedHost.split(',')[0].trim() : req.get('host');
+  const forwardedProto = req.get('x-forwarded-proto');
+  const protocol = forwardedProto ? forwardedProto.split(',')[0].trim() : req.protocol;
+  return host ? `${protocol}://${host}` : config.publicBaseUrl;
+}
+
+export function absoluteUrl(req, urlPath) {
+  if (/^https?:\/\//i.test(urlPath)) return urlPath;
+  const pathWithSlash = urlPath.startsWith('/') ? urlPath : `/${urlPath}`;
+  return `${requestBaseUrl(req)}${pathWithSlash}`;
 }
 
 export function jsonError(res, status, message, extra = {}) {

src/utils/response.test.js

@@ -0,0 +1,88 @@
+import { describe, expect, it, vi } from 'vitest';
+import {
+  absoluteUrl,
+  imageApiMiddleware,
+  imageCors,
+  noStore,
+  requestBaseUrl,
+  staticImageHeaders
+} from './response.js';
+
+function mockResponse() {
+  const headers = new Map();
+  return {
+    headers,
+    setHeader: vi.fn((name, value) => headers.set(name.toLowerCase(), value)),
+    sendStatus: vi.fn()
+  };
+}
+
+function mockRequest(headers = {}, protocol = 'http') {
+  return {
+    protocol,
+    get(name) {
+      return headers[name.toLowerCase()];
+    }
+  };
+}
+
+describe('response image headers', () => {
+  it('sets CORS headers for image responses', () => {
+    const res = mockResponse();
+
+    imageCors(res);
+
+    expect(res.headers.get('access-control-allow-origin')).toBe('*');
+    expect(res.headers.get('access-control-allow-methods')).toBe('GET, HEAD, OPTIONS');
+    expect(res.headers.get('access-control-expose-headers')).toContain('Location');
+  });
+
+  it('sets no-cache headers for API responses', () => {
+    const res = mockResponse();
+
+    noStore(res);
+
+    expect(res.headers.get('cache-control')).toBe('no-store, no-cache, must-revalidate, proxy-revalidate');
+    expect(res.headers.get('pragma')).toBe('no-cache');
+    expect(res.headers.get('expires')).toBe('0');
+  });
+
+  it('keeps static images cacheable while allowing cross-origin use', () => {
+    const res = mockResponse();
+
+    staticImageHeaders(res);
+
+    expect(res.headers.get('access-control-allow-origin')).toBe('*');
+    expect(res.headers.get('cache-control')).toBe('public, max-age=31536000, immutable');
+  });
+
+  it('answers API preflight with shared image API headers', () => {
+    const req = { method: 'OPTIONS' };
+    const res = mockResponse();
+    const next = vi.fn();
+
+    imageApiMiddleware(req, res, next);
+
+    expect(res.headers.get('access-control-allow-origin')).toBe('*');
+    expect(res.headers.get('cache-control')).toBe('no-store, no-cache, must-revalidate, proxy-revalidate');
+    expect(res.sendStatus).toHaveBeenCalledWith(204);
+    expect(next).not.toHaveBeenCalled();
+  });
+});
+
+describe('response URL helpers', () => {
+  it('builds base URL from forwarded headers', () => {
+    const req = mockRequest({
+      'x-forwarded-host': 'img.example.com',
+      'x-forwarded-proto': 'https'
+    });
+
+    expect(requestBaseUrl(req)).toBe('https://img.example.com');
+  });
+
+  it('converts image paths to absolute URLs for redirects', () => {
+    const req = mockRequest({ host: 'localhost:3000' });
+
+    expect(absoluteUrl(req, '/image/images/anime/pc/001.jpg')).toBe('http://localhost:3000/image/images/anime/pc/001.jpg');
+  });
+});