Image optimization endpoint redirects to underlying image URL if the …

…signature is not the latest. (#2665)

.changeset/tender-bags-guess.md

@@ -0,0 +1,5 @@
+---
+'gitbook': minor
+---
+
+Image optimization endpoint redirects to underlying image URL if the signature is not the latest.

packages/gitbook/src/app/(global)/~gitbook/image/route.ts

@@ -1,6 +1,11 @@
 import { NextRequest } from 'next/server';
 
-import { isSignatureVersion, SignatureVersion, verifyImageSignature } from '@/lib/image-signatures';
+import {
+    CURRENT_SIGNATURE_VERSION,
+    isSignatureVersion,
+    SignatureVersion,
+    verifyImageSignature,
+} from '@/lib/image-signatures';
 import { resizeImage, CloudflareImageOptions, checkIsSizableImageURL } from '@/lib/images';
 import { parseImageAPIURL } from '@/lib/urls';
 
@@ -39,6 +44,10 @@ export async function GET(request: NextRequest) {
         return new Response(`Invalid signature "${signature ?? ''}" for "${url}"`, { status: 400 });
     }
 
+    if (signatureVersion !== CURRENT_SIGNATURE_VERSION) {
+        return Response.redirect(url, 302);
+    }
+
     // Cloudflare-specific options are in the cf object.
     const options: CloudflareImageOptions = {
         fit: 'scale-down',

packages/gitbook/src/lib/image-signatures.ts

@@ -11,6 +11,11 @@ import { host } from './links';
  */
 export type SignatureVersion = '0' | '1' | '2';
 
+/**
+ * The current version of the signature.
+ */
+export const CURRENT_SIGNATURE_VERSION: SignatureVersion = '2';
+
 /**
  * A mapping of signature versions to signature functions.
  */
@@ -48,7 +53,7 @@ export function generateImageSignature(input: string): {
     version: SignatureVersion;
 } {
     const result = generateSignatureV2(input);
-    return { signature: result, version: '2' };
+    return { signature: result, version: CURRENT_SIGNATURE_VERSION };
 }
 
 // Reused buffer for FNV-1a hashing in the v2 algorithm