feat(link): convert external friend avatar links to internal links (#2480)

* feat(link): convert external friend links to internal links

* chore(test): add test for link

* fix(link): remove overly strict file type matcher

* chore: typo

Author: ttimochan

apps/core/src/modules/configs/configs.default.ts

@@ -43,7 +43,11 @@ export const generateDefaultConfig: () => IConfig = () => ({
     enableComment: true,
     enableThrottleGuard: false,
   },
-  friendLinkOptions: { allowApply: true, allowSubPath: false },
+  friendLinkOptions: {
+    allowApply: true,
+    allowSubPath: false,
+    enableAvatarInternalization: true,
+  },
   backupOptions: {
     enable: true,
     endpoint: null!,

apps/core/src/modules/configs/configs.dto.ts

@@ -326,6 +326,14 @@ export class FriendLinkOptionsDto {
   @IsOptional()
   @JSONSchemaToggleField('允许子路径友链', { description: '例如 /blog 子路径' })
   allowSubPath: boolean
+
+  @IsBoolean()
+  @IsOptional()
+  @JSONSchemaToggleField('友链头像转内链', {
+    description:
+      '通过审核后将会下载友链头像并改为内部链接，仅支持常见图片格式，其他格式将不会转换',
+  })
+  enableAvatarInternalization: boolean
 }
 
 @JSONSchema({ title: '文本设定' })

apps/core/src/modules/link/link-avatar.service.ts

@@ -0,0 +1,217 @@
+import { Readable } from 'node:stream'
+import { URL } from 'node:url'
+import { nanoid } from '@mx-space/compiled'
+import {
+  BadRequestException,
+  Injectable,
+  Logger,
+  NotFoundException,
+} from '@nestjs/common'
+import type { DocumentType } from '@typegoose/typegoose'
+import { alphabet } from '~/constants/other.constant'
+import { HttpService } from '~/processors/helper/helper.http.service'
+import { InjectModel } from '~/transformers/model.transformer'
+import { validateImageBuffer } from '~/utils/image.util'
+import { ConfigsService } from '../configs/configs.service'
+import { FileService } from '../file/file.service'
+import type { FileType } from '../file/file.type'
+import { LinkModel, LinkState } from './link.model'
+
+const { customAlphabet } = nanoid
+const AVATAR_TYPE: FileType = 'avatar'
+
+const ALLOWED_IMAGE_MIME_TYPES = new Set([
+  'image/jpeg',
+  'image/jpg',
+  'image/png',
+  'image/webp',
+  'image/gif',
+  'image/x-icon',
+])
+
+const ALLOWED_IMAGE_EXTENSIONS = new Set([
+  '.jpg',
+  '.jpeg',
+  '.png',
+  '.webp',
+  '.gif',
+  '.ico',
+])
+
+@Injectable()
+export class LinkAvatarService {
+  private readonly logger: Logger
+
+  constructor(
+    @InjectModel(LinkModel)
+    private readonly linkModel: MongooseModel<LinkModel>,
+    private readonly configsService: ConfigsService,
+    private readonly fileService: FileService,
+    private readonly http: HttpService,
+  ) {
+    this.logger = new Logger(LinkAvatarService.name)
+  }
+
+  async convertToInternal(
+    link: string | DocumentType<LinkModel>,
+  ): Promise<boolean> {
+    const doc =
+      typeof link === 'string' ? await this.linkModel.findById(link) : link
+    if (!doc) {
+      if (typeof link === 'string') {
+        throw new NotFoundException()
+      }
+      return false
+    }
+
+    const avatar = doc.avatar
+    if (!avatar || !this.isExternalAvatar(avatar)) {
+      return false
+    }
+
+    const { url: configUrl, friendLinkOptions } =
+      await this.configsService.waitForConfigReady()
+
+    if (!friendLinkOptions.enableAvatarInternalization) {
+      return false
+    }
+
+    const { webUrl } = configUrl
+
+    const refererHeader = (() => {
+      try {
+        if (doc.url) {
+          return new URL(doc.url).origin
+        }
+      } catch (error: any) {
+        this.logger.warn(
+          `解析友链 ${doc._id} 的站点地址失败: ${error?.message || String(error)}`,
+        )
+      }
+      return webUrl
+    })()
+
+    const response = await this.http.axiosRef.get<ArrayBuffer>(avatar, {
+      responseType: 'arraybuffer',
+      timeout: 10_000,
+      headers: {
+        'user-agent':
+          'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36',
+        referer: refererHeader,
+      },
+    })
+
+    const buffer = Buffer.from(response.data as any)
+    const contentType = (response.headers['content-type'] ||
+      response.headers['Content-Type']) as string | undefined
+    const normalizedContentType = this.normalizeMimeType(contentType)
+
+    if (
+      !normalizedContentType ||
+      !this.isAllowedMimeType(normalizedContentType)
+    ) {
+      this.logger.warn(
+        `友链 ${doc._id} 头像响应类型 ${contentType || 'unknown'} 不在受支持图片范围，跳过内链转换`,
+      )
+      return false
+    }
+
+    const validation = validateImageBuffer({
+      originUrl: avatar,
+      buffer,
+      allowedExtensions: ALLOWED_IMAGE_EXTENSIONS,
+      allowedMimeTypes: ALLOWED_IMAGE_MIME_TYPES,
+    })
+
+    if (!validation.ok) {
+      throw new BadRequestException(validation.reason)
+    }
+
+    const { ext } = validation
+
+    const filename = customAlphabet(alphabet)(18) + ext.toLowerCase()
+
+    await this.fileService.writeFile(
+      AVATAR_TYPE,
+      filename,
+      Readable.from(buffer),
+    )
+
+    const internalUrl = await this.fileService.resolveFileUrl(
+      AVATAR_TYPE,
+      filename,
+    )
+
+    doc.avatar = internalUrl
+    await doc.save()
+
+    this.logger.log(`友链 ${doc._id} 头像已转换为内部链接`)
+
+    return true
+  }
+
+  async migratePassedLinks(): Promise<{
+    updatedCount: number
+    updatedIds: string[]
+  }> {
+    const { friendLinkOptions } = await this.configsService.waitForConfigReady()
+    if (!friendLinkOptions.enableAvatarInternalization) {
+      return {
+        updatedCount: 0,
+        updatedIds: [],
+      }
+    }
+
+    const links = await this.linkModel
+      .find({
+        state: LinkState.Pass,
+        avatar: { $exists: true, $ne: null },
+      })
+      .lean()
+
+    const updatedIds: string[] = []
+
+    for (const link of links) {
+      try {
+        if (this.isExternalAvatar(link.avatar as string)) {
+          const converted = await this.convertToInternal(String(link._id))
+          if (converted) {
+            updatedIds.push(String(link._id))
+          }
+        }
+      } catch (error: any) {
+        this.logger.error(
+          `迁移友链头像失败: ${link._id} - ${error?.message || String(error)}`,
+        )
+      }
+    }
+
+    return {
+      updatedCount: updatedIds.length,
+      updatedIds,
+    }
+  }
+
+  private isExternalAvatar(avatar: string | undefined | null): boolean {
+    if (!avatar) return false
+    try {
+      new URL(avatar)
+    } catch {
+      return false
+    }
+    if (avatar.includes('/objects/avatar/')) {
+      return false
+    }
+
+    return true
+  }
+
+  private normalizeMimeType(mime?: string): string | undefined {
+    if (!mime) return undefined
+    return mime.split(';')[0].trim().toLowerCase()
+  }
+
+  private isAllowedMimeType(mime: string): boolean {
+    return ALLOWED_IMAGE_MIME_TYPES.has(mime)
+  }
+}

apps/core/src/modules/link/link.controller.ts

@@ -109,14 +109,17 @@ export class LinkController {
   @Patch('/audit/:id')
   @Auth()
   async approveLink(@Param('id') id: string) {
-    const doc = await this.linkService.approveLink(id)
+    const { link, convertedAvatar } = await this.linkService.approveLink(id)
 
     scheduleManager.schedule(async () => {
-      if (doc.email) {
-        await this.linkService.sendToCandidate(doc)
+      if (link.email) {
+        await this.linkService.sendToCandidate(link as any)
       }
     })
-    return
+    return {
+      link,
+      convertedAvatar,
+    }
   }
 
   @Post('/audit/reason/:id')
@@ -136,4 +139,11 @@ export class LinkController {
   async checkHealth() {
     return this.linkService.checkLinkHealth()
   }
+
+  /** 批量迁移已通过友链的外部头像为内部链接 */
+  @Post('/avatar/migrate')
+  @Auth()
+  async migrateExternalAvatars() {
+    return this.linkService.migrateExternalAvatarsForPassedLinks()
+  }
 }

apps/core/src/modules/link/link.module.ts

@@ -1,12 +1,14 @@
 import { Module } from '@nestjs/common'
 import { GatewayModule } from '~/processors/gateway/gateway.module'
+import { FileModule } from '../file/file.module'
+import { LinkAvatarService } from './link-avatar.service'
 import { LinkController, LinkControllerCrud } from './link.controller'
 import { LinkService } from './link.service'
 
 @Module({
   controllers: [LinkController, LinkControllerCrud],
-  providers: [LinkService],
+  providers: [LinkService, LinkAvatarService],
   exports: [LinkService],
-  imports: [GatewayModule],
+  imports: [GatewayModule, FileModule],
 })
 export class LinkModule {}

apps/core/src/modules/link/link.service.ts

@@ -15,6 +15,7 @@ import { InjectModel } from '~/transformers/model.transformer'
 import { scheduleManager } from '~/utils/schedule.util'
 import { ConfigsService } from '../configs/configs.service'
 import { UserService } from '../user/user.service'
+import { LinkAvatarService } from './link-avatar.service'
 import { LinkApplyEmailType } from './link-mail.enum'
 import { LinkModel, LinkState, LinkStateMap, LinkType } from './link.model'
 
@@ -30,6 +31,7 @@ export class LinkService {
     private readonly eventManager: EventManagerService,
     private readonly http: HttpService,
     private readonly configsService: ConfigsService,
+    private readonly linkAvatarService: LinkAvatarService,
   ) {}
 
   public get model() {
@@ -91,20 +93,24 @@ export class LinkService {
   }
 
   async approveLink(id: string) {
-    const doc = await this.model
-      .findOneAndUpdate(
-        { _id: id },
-        {
-          $set: { state: LinkState.Pass },
-        },
-      )
-      .lean()
+    const doc = await this.model.findOneAndUpdate(
+      { _id: id },
+      {
+        $set: { state: LinkState.Pass },
+      },
+      { new: true },
+    )
 
     if (!doc) {
       throw new NotFoundException()
     }
 
-    return doc
+    const convertedAvatar = await this.linkAvatarService.convertToInternal(doc)
+
+    return {
+      link: doc.toObject(),
+      convertedAvatar,
+    }
   }
 
   async getCount() {
@@ -284,4 +290,8 @@ export class LinkService {
       text: `申请结果：${LinkStateMap[state]}\n原因：${reason}`,
     })
   }
+
+  async migrateExternalAvatarsForPassedLinks() {
+    return this.linkAvatarService.migratePassedLinks()
+  }
 }