fix: CMS image proxy + partial unique index for soft-deleted releases

This commit is contained in:
daniel-c-harvey
2026-06-12 06:27:34 -04:00
parent dd30d57838
commit 0448711082
10 changed files with 310 additions and 52 deletions
@@ -1,6 +1,5 @@
@using DeepDrftModels.Enums
@using Microsoft.AspNetCore.Components.Forms
@inject IHttpClientFactory HttpClientFactory
<MudPaper Class="pa-6 mb-4" Elevation="2">
<MudGrid>
@@ -93,19 +92,11 @@
[Parameter] public bool Disabled { get; set; }
// The image endpoint (GET api/image/{entryKey}) is unauthenticated, so the browser hits
// DeepDrftAPI directly. Base address comes from the same named client the CMS uses.
private string? ExistingImagePreviewUrl
{
get
{
if (string.IsNullOrEmpty(ExistingImagePath)) return null;
var baseAddress = HttpClientFactory.CreateClient("DeepDrft.Content.Cms").BaseAddress;
return baseAddress is null
? null
: new Uri(baseAddress, $"api/image/{Uri.EscapeDataString(ExistingImagePath)}").ToString();
}
}
// Relative path — resolves against the Manager's own origin, proxied by ImageProxyController.
private string? ExistingImagePreviewUrl =>
string.IsNullOrEmpty(ExistingImagePath)
? null
: $"/api/image/{Uri.EscapeDataString(ExistingImagePath)}";
private Task HandleImageFileSelected(InputFileChangeEventArgs e) =>
SelectedImageFileChanged.InvokeAsync(e.File);
@@ -2,7 +2,6 @@
@using DeepDrftManager.Services
@using DeepDrftModels.DTOs
@inject ICmsTrackService CmsTrackService
@inject IHttpClientFactory HttpClientFactory
@inject IDialogService DialogService
@inject ISnackbar Snackbar
@inject ILogger<CmsAlbumBrowser> Logger
@@ -126,13 +125,6 @@ else
// back. We only re-project when the parent hands us a genuinely new list.
private IReadOnlyList<ReleaseDto>? _projectedReleases;
// The cover-art endpoint (GET api/image/{entryKey}) lives on DeepDrftAPI and is unauthenticated,
// so the browser hits it directly. Base address comes from the same named client the CMS uses.
private Uri? _contentApiBase;
protected override void OnInitialized() =>
_contentApiBase = HttpClientFactory.CreateClient("DeepDrft.Content.Cms").BaseAddress;
// Re-project rows only when the parent supplies a genuinely new release list (reference change).
// Local edits to _rows (a removed row after delete) must survive re-renders triggered by the
// same cached VM.Albums instance.
@@ -145,10 +137,9 @@ else
}
}
private string? ThumbUrl(string imagePath) =>
_contentApiBase is null
? null
: new Uri(_contentApiBase, $"api/image/{Uri.EscapeDataString(imagePath)}").ToString();
// Relative path — resolves against the Manager's own origin, proxied by ImageProxyController.
private static string ThumbUrl(string imagePath) =>
$"/api/image/{Uri.EscapeDataString(imagePath)}";
private async Task ToggleExpand(AlbumRow row)
{
@@ -2,7 +2,6 @@
@using DeepDrftManager.Services
@using DeepDrftModels.DTOs
@inject ICmsTrackService CmsTrackService
@inject IHttpClientFactory HttpClientFactory
@inject IDialogService DialogService
@inject ISnackbar Snackbar
@inject ILogger<CmsTrackGrid> Logger
@@ -133,23 +132,17 @@
// The parent owns "Generate All Missing"; while it runs it disables this grid's per-row buttons.
private bool _bulkRunning;
// The image endpoint (GET api/image/{entryKey}) lives on DeepDrftAPI and is unauthenticated, so
// the browser hits it directly. Base address comes from the same named client the CMS uses.
private Uri? _contentApiBase;
protected override async Task OnInitializedAsync()
{
_contentApiBase = HttpClientFactory.CreateClient("DeepDrft.Content.Cms").BaseAddress;
await RefreshWaveformStatusAsync();
}
private bool HasProfile(string entryKey) =>
_waveformStatus.TryGetValue(entryKey, out var hasProfile) && hasProfile;
private string? ThumbUrl(string imagePath) =>
_contentApiBase is null
? null
: new Uri(_contentApiBase, $"api/image/{Uri.EscapeDataString(imagePath)}").ToString();
// Relative path — resolves against the Manager's own origin, proxied by ImageProxyController.
private static string ThumbUrl(string imagePath) =>
$"/api/image/{Uri.EscapeDataString(imagePath)}";
/// <summary>Number of tracks with a missing waveform profile — drives the parent's bulk button label.</summary>
public int GetMissingCount() => _waveformStatus.Count(kv => !kv.Value);
@@ -5,7 +5,6 @@
@attribute [Authorize]
@inject ICmsTrackService CmsTrackService
@inject CmsTrackBrowserViewModel VM
@inject IHttpClientFactory HttpClientFactory
@inject ISnackbar Snackbar
@inject IDialogService DialogService
@inject NavigationManager Nav
@@ -160,18 +159,11 @@
!string.IsNullOrWhiteSpace(_form.TrackName)
&& !string.IsNullOrWhiteSpace(_form.Artist);
// The image endpoint (GET api/image/{entryKey}) is unauthenticated, so the browser can hit
// DeepDrftAPI directly. Base address comes from the same named client the CMS uses for writes.
private string? ImagePreviewUrl
{
get
{
if (string.IsNullOrEmpty(_form.ImagePath)) return null;
var baseAddress = HttpClientFactory.CreateClient("DeepDrft.Content.Cms").BaseAddress;
if (baseAddress is null) return null;
return new Uri(baseAddress, $"api/image/{Uri.EscapeDataString(_form.ImagePath)}").ToString();
}
}
// Relative path — resolves against the Manager's own origin, proxied by ImageProxyController.
private string? ImagePreviewUrl =>
string.IsNullOrEmpty(_form.ImagePath)
? null
: $"/api/image/{Uri.EscapeDataString(_form.ImagePath)}";
protected override async Task OnInitializedAsync()
{
@@ -0,0 +1,63 @@
using Microsoft.AspNetCore.Mvc;
namespace DeepDrftManager.Controllers;
/// <summary>
/// Proxies image API calls to DeepDrftAPI so the browser never makes cross-origin requests.
/// The CMS host runs server-side only, so rendered image URLs must resolve against the Manager's
/// own origin, not the internal API address. This controller forwards unauthenticated
/// <c>api/image/{entryKey}</c> requests upstream using the "DeepDrft.Content" named client
/// (no API key — the image endpoint is public).
/// </summary>
[ApiController]
[Route("api/image")]
public class ImageProxyController : ControllerBase
{
private readonly HttpClient _upstream;
private readonly ILogger<ImageProxyController> _logger;
public ImageProxyController(IHttpClientFactory httpClientFactory, ILogger<ImageProxyController> logger)
{
_upstream = httpClientFactory.CreateClient("DeepDrft.Content");
_logger = logger;
}
/// <summary>Proxies image binary streaming by vault entry key from DeepDrftAPI.</summary>
[HttpGet("{entryKey}")]
public async Task<ActionResult> GetImage(string entryKey, CancellationToken ct = default)
{
_logger.LogInformation("Proxying image {EntryKey}", entryKey);
var path = $"api/image/{Uri.EscapeDataString(entryKey)}";
HttpResponseMessage upstream;
try
{
upstream = await _upstream.GetAsync(path, HttpCompletionOption.ResponseHeadersRead, ct);
}
catch (Exception ex)
{
_logger.LogError(ex, "Upstream call to DeepDrftAPI image/{EntryKey} failed", entryKey);
return StatusCode(502, "Upstream unavailable");
}
if (!upstream.IsSuccessStatusCode)
{
upstream.Dispose();
_logger.LogWarning("DeepDrftAPI image/{EntryKey} returned {Status}", entryKey, (int)upstream.StatusCode);
return StatusCode((int)upstream.StatusCode);
}
// Do NOT dispose upstream here — File() takes ownership of the response stream
// and disposes it after the body is sent.
var contentType = upstream.Content.Headers.ContentType?.ToString() ?? "application/octet-stream";
var contentLength = upstream.Content.Headers.ContentLength;
if (contentLength.HasValue)
Response.ContentLength = contentLength.Value;
var stream = await upstream.Content.ReadAsStreamAsync(ct);
HttpContext.Response.RegisterForDispose(upstream);
return File(stream, contentType, enableRangeProcessing: false);
}
}
+6
View File
@@ -61,6 +61,11 @@ builder.Services.Configure<ForwardedHeadersOptions>(options =>
options.KnownProxies.Clear();
});
// MVC controllers — required for the ImageProxyController that forwards browser image requests
// to DeepDrftAPI so rendered URLs resolve against the Manager's own origin, not the internal
// API address.
builder.Services.AddControllers();
// InteractiveServer only — no WASM render mode on the CMS host.
builder.Services.AddRazorComponents()
.AddInteractiveServerComponents();
@@ -98,6 +103,7 @@ app.UseAntiforgery();
app.UseAuthorization();
app.MapStaticAssets();
app.MapControllers();
// The AuthBlocks API surface (/api/auth/*, /api/users/*, etc.) now lives on DeepDrftAPI; this host
// only renders the AuthBlocksWeb Razor pages (/account/login, /account/logout), which call that API.