Merge commit from fork

* fix: image proxy doesn't adhere to config

adapted and based on the generic endpoint https://github.com/withastro/astro/blob/main/packages/astro/src/assets/endpoint/generic.ts the custom image proxy endpoint should adhere and follow user configuration for remote domains

* chore: add tests

* fix: disallow remote images completly

* fix: filename

* chore: remove comment

* chore: add failing test to show that remote images are not downloaded

* chore: also add remote image to content collection for prerendering

* chore: add more test cases

* chore: fix typo

Co-authored-by: Matt Kane <m@mk.gg>

* refactor: return redirect

* fix: tests

* fix: test follows redirect

* chore: clean up unused exports

* refactor: use isRemoteAllowed from core

* chore: add redirect comment

---------

Co-authored-by: Matt Kane <m@mk.gg>

Author: alexanderniebuhr

.changeset/evil-rabbits-flow.md

@@ -0,0 +1,5 @@
+---
+'@astrojs/cloudflare': patch
+---
+
+Improves the image proxy endpoint when using the default compile option to adhere to user configuration regarding the allowed remote domains

packages/integrations/cloudflare/src/entrypoints/image-endpoint.ts

@@ -1,4 +1,8 @@
+// @ts-expect-error
+import { imageConfig } from 'astro:assets';
+import { isRemotePath } from '@astrojs/internal-helpers/path';
 import type { APIRoute } from 'astro';
+import { isRemoteAllowed } from 'astro/assets/utils';
 
 export const prerender = false;
 
@@ -11,5 +15,14 @@ export const GET: APIRoute = (ctx) => {
 		});
 	}
 
+	if (isRemotePath(href)) {
+		if (isRemoteAllowed(href, imageConfig) === false) {
+			return new Response('Forbidden', { status: 403 });
+		} else {
+			// Redirect here because it is safer than a proxy, remote image will be served by remote domain and not own domain
+			return Response.redirect(href, 302);
+		}
+	}
+
 	return fetch(new URL(href, ctx.url.origin));
 };

packages/integrations/cloudflare/test/compile-image-service.test.js

@@ -0,0 +1,68 @@
+import * as assert from 'node:assert/strict';
+import { after, before, describe, it } from 'node:test';
+import { fileURLToPath } from 'node:url';
+import { astroCli, wranglerCli } from './_test-utils.js';
+
+const root = new URL('./fixtures/compile-image-service/', import.meta.url);
+
+describe('CompileImageService', () => {
+	let wrangler;
+	before(async () => {
+		await astroCli(fileURLToPath(root), 'build');
+
+		wrangler = wranglerCli(fileURLToPath(root));
+		await new Promise((resolve) => {
+			wrangler.stdout.on('data', (data) => {
+				// console.log('[stdout]', data.toString());
+				if (data.toString().includes('http://127.0.0.1:8788')) resolve();
+			});
+			wrangler.stderr.on('data', (_data) => {
+				// console.log('[stderr]', data.toString());
+			});
+		});
+	});
+
+	after(() => {
+		wrangler.kill();
+	});
+
+	it('forbids http://', async () => {
+		const res = await fetch('http://127.0.0.1:8788/_image?href=http://placehold.co/600x400');
+		const html = await res.text();
+		const status = res.status;
+		assert.equal(html, 'Forbidden');
+		assert.equal(status, 403);
+	});
+
+	it('forbids https://', async () => {
+		const res = await fetch('http://127.0.0.1:8788/_image?href=https://placehold.co/600x400');
+		const html = await res.text();
+		const status = res.status;
+		assert.equal(html, 'Forbidden');
+		assert.equal(status, 403);
+	});
+
+	it('forbids //', async () => {
+		const res = await fetch('http://127.0.0.1:8788/_image?href=//placehold.co/600x400');
+		const html = await res.text();
+		const status = res.status;
+		assert.equal(html, 'Forbidden');
+		assert.equal(status, 403);
+	});
+
+	it('allows trusted with redirect', async () => {
+		const res = await fetch('http://127.0.0.1:8788/_image?href=https://astro.build/_astro/HeroBackground.B0iWl89K_2hpsgp.webp', { redirect: "manual" })
+		const header = res.headers.get("location")
+		const status = res.status;
+		assert.equal(header, "https://astro.build/_astro/HeroBackground.B0iWl89K_2hpsgp.webp")
+		assert.equal(status, 302)
+	})
+
+	it('allows local', async () => {
+		const res = await fetch('http://127.0.0.1:8788/_image?href=/_astro/placeholder.gLBdjEDe.jpg');
+		const blob = await res.blob();
+		const status = res.status;
+		assert.equal(blob.type, 'image/jpeg');
+		assert.equal(status, 200);
+	});
+});

packages/integrations/cloudflare/test/fixtures/compile-image-service/astro.config.mjs

@@ -6,4 +6,7 @@ export default defineConfig({
 		imageService: 'compile',
 	}),
 	output: 'static',
+	image: {
+		domains: ["astro.build"]
+	}
 });

packages/integrations/cloudflare/test/fixtures/compile-image-service/src/content/blog/post/index.md

@@ -2,4 +2,4 @@
 image: './placeholder.jpg'
 ---
 
-![placeholder](./placeholder.jpg)
+![placeholder](./placeholder.jpg)

packages/integrations/cloudflare/test/fixtures/compile-image-service/src/pages/blog/[...slug].astro

@@ -1,5 +1,4 @@
 ---
-import { Image } from "astro:assets";
 import { getEntry, type CollectionEntry } from "astro:content";
 
 export const prerender = false;
@@ -21,14 +20,6 @@ const { Content } = await post.render();
     <title>Document</title>
   </head>
   <body>
-    <div class="aspect-video w-full overflow-hidden flex items-end rounded-lg">
-      <Image
-        class="aspect-[4/3] object-cover object-left w-full"
-        src={post.data.image}
-        alt=""
-      />
-    </div>
-
     <Content />
   </body>
 </html>