Fix secure link missing route (#3348)

Author: ildyria

app/Exceptions/SecurePaths/InvalidPayloadException.php

@@ -0,0 +1,20 @@
+<?php
+
+/**
+ * SPDX-License-Identifier: MIT
+ * Copyright (c) 2017-2018 Tobias Reich
+ * Copyright (c) 2018-2025 LycheeOrg.
+ */
+
+namespace App\Exceptions\SecurePaths;
+
+use App\Exceptions\BaseLycheeException;
+use Symfony\Component\HttpFoundation\Response;
+
+class InvalidPayloadException extends BaseLycheeException
+{
+	public function __construct(?\Throwable $previous = null)
+	{
+		parent::__construct(Response::HTTP_FORBIDDEN, 'Invalid payload', $previous);
+	}
+}

app/Http/Controllers/SecurePathController.php

@@ -9,9 +9,11 @@
 namespace App\Http\Controllers;
 
 use App\Enum\StorageDiskType;
+use App\Exceptions\SecurePaths\InvalidPayloadException;
 use App\Exceptions\SecurePaths\InvalidSignatureException;
 use App\Exceptions\SecurePaths\WrongPathException;
 use App\Models\Configs;
+use Illuminate\Contracts\Encryption\DecryptException;
 use Illuminate\Http\Request;
 use Illuminate\Routing\Controller;
 use Illuminate\Support\Facades\Crypt;
@@ -33,7 +35,11 @@ public function __invoke(Request $request, ?string $path)
 		}
 
 		if (Configs::getValueAsBool('secure_image_link_enabled')) {
-			$path = Crypt::decryptString($path);
+			try {
+				$path = Crypt::decryptString($path);
+			} catch (DecryptException) {
+				throw new InvalidPayloadException();
+			}
 		}
 
 		$file = Storage::disk(StorageDiskType::LOCAL->value)->path($path);

routes/web_v2.php

@@ -68,5 +68,9 @@
 	->where('path', '.*')
 	->middleware(['migration:complete']);
 
+Route::get('image/{path}', SecurePathController::class)
+	->name('image')
+	->where('path', '.*');
+
 // This route must be defined last because it is a catch all.
 Route::match(['get', 'post'], '{path}', HoneyPotController::class)->where('path', '.*');

tests/Feature_v2/SecureImageLinksTest.php

@@ -0,0 +1,87 @@
+<?php
+
+/**
+ * SPDX-License-Identifier: MIT
+ * Copyright (c) 2017-2018 Tobias Reich
+ * Copyright (c) 2018-2025 LycheeOrg.
+ */
+
+/**
+ * We don't care for unhandled exceptions in tests.
+ * It is the nature of a test to throw an exception.
+ * Without this suppression we had 100+ Linter warning in this file which
+ * don't help anything.
+ *
+ * @noinspection PhpDocMissingThrowsInspection
+ * @noinspection PhpUnhandledExceptionInspection
+ */
+
+namespace Tests\Feature_v2;
+
+use App\Models\Configs;
+use Illuminate\Support\Facades\URL;
+use Tests\Feature_v2\Base\BaseApiWithDataTest;
+
+class SecureImageLinksTest extends BaseApiWithDataTest
+{
+	public function setUp(): void
+	{
+		parent::setUp();
+		Configs::set('temporary_image_link_enabled', '1');
+		Configs::invalidateCache();
+	}
+
+	public function tearDown(): void
+	{
+		Configs::set('temporary_image_link_enabled', '0');
+		Configs::set('secure_image_link_enabled', '0');
+		Configs::invalidateCache();
+		parent::tearDown();
+	}
+
+	public function testTemporaryImage(): void
+	{
+		$response = $this->getJsonWithData('Album', ['album_id' => $this->album4->id]);
+		$this->assertOk($response);
+		$url = $response->json('resource.photos.0.size_variants.medium.url');
+		$this->assertStringContainsString('/image/medium/', $url);
+
+		$response = $this->get($url);
+		$this->assertNotFound($response);
+		$response->assertSeeText('File not found'); // We mocked the file !
+
+		$unsigned_url = explode('?', $url)[0];
+		$response = $this->get($unsigned_url);
+		$this->assertForbidden($response);
+	}
+
+	public function testEncryptedImages(): void
+	{
+		Configs::set('secure_image_link_enabled', '1');
+		Configs::invalidateCache();
+
+		$response = $this->getJsonWithData('Album', ['album_id' => $this->album4->id]);
+		$this->assertOk($response);
+		$url = $response->json('resource.photos.0.size_variants.medium.url');
+		$this->assertStringContainsString('/image/', $url);
+
+		$response = $this->get($url);
+		$this->assertNotFound($response);
+		$response->assertSeeText('File not found'); // We mocked the file !
+
+		$unsigned_url = explode('?', $url)[0];
+		$response = $this->get($unsigned_url);
+		$this->assertForbidden($response);
+	}
+
+	public function testBrokenEncryption(): void
+	{
+		Configs::set('secure_image_link_enabled', '1');
+		Configs::invalidateCache();
+
+		$broken_url = URL::temporarySignedRoute('image', now()->addSeconds(10), ['path' => 'broken_path']);
+		$response = $this->get($broken_url);
+		$this->assertForbidden($response);
+		$response->assertSeeText('Invalid payload');
+	}
+}