GenarrativeAI/Genarrative
5
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity

fix: prevent unsigned generated asset image requests

Browse Source
This commit is contained in:
kdletters
2026-04-25 14:10:40 +08:00
parent dbf106c746
commit 6f35306d53
2 changed files with 115 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

108
src/hooks/useResolvedAssetReadUrl.test.tsx Normal file
View File

@@ -0,0 +1,108 @@
// @vitest-environment jsdom
import { render, screen, waitFor } from '@testing-library/react';
import { afterEach, beforeEach, describe, expect, test, vi } from 'vitest';
import { ResolvedAssetImage } from '../components/ResolvedAssetImage';
import { clearStoredAccessToken, setStoredAccessToken } from '../services/apiClient';
import { clearSignedAssetReadUrlCache } from '../services/assetReadUrlService';
describe('useResolvedAssetReadUrl', () => {
beforeEach(() => {
clearSignedAssetReadUrlCache();
clearStoredAccessToken({ emit: false });
setStoredAccessToken('test-access-token', { emit: false });
vi.restoreAllMocks();
});
afterEach(() => {
clearStoredAccessToken({ emit: false });
});
test('generated 私有资源签名完成前不会把裸路径写入 img', async () => {
vi.spyOn(globalThis, 'fetch').mockResolvedValue(
new Response(
JSON.stringify({
ok: true,
data: {
read: {
objectKey:
'generated-puzzle-assets/puzzle-session-1/candidate-1/asset-1/image.png',
signedUrl: 'https://signed.example.com/puzzle.png',
expiresAt: '2099-01-01T00:10:00Z',
},
},
error: null,
meta: {
apiVersion: '2026-04-08',
routeVersion: '2026-04-08',
latencyMs: 1,
timestamp: '2099-01-01T00:00:00Z',
},
}),
{
status: 200,
headers: {
'Content-Type': 'application/json',
},
},
),
);
render(
<ResolvedAssetImage
src="/generated-puzzle-assets/puzzle-session-1/candidate-1/asset-1/image.png"
alt="候选图"
/>,
);
expect(screen.queryByRole('img', { name: '候选图' })).toBeNull();
const image = await screen.findByRole('img', { name: '候选图' });
expect(image.getAttribute('src')).toBe('https://signed.example.com/puzzle.png');
expect(globalThis.fetch).toHaveBeenCalledTimes(1);
expect(String(vi.mocked(globalThis.fetch).mock.calls[0]?.[0])).toContain(
'legacyPublicPath=%2Fgenerated-puzzle-assets%2Fpuzzle-session-1%2Fcandidate-1%2Fasset-1%2Fimage.png',
);
});
test('generated 私有资源签名失败时保持空图像而不是回退裸路径', async () => {
vi.spyOn(globalThis, 'fetch').mockResolvedValue(
new Response(
JSON.stringify({
ok: false,
data: null,
error: {
code: 'NOT_FOUND',
message: '对象不存在',
},
meta: {
apiVersion: '2026-04-08',
routeVersion: '2026-04-08',
latencyMs: 1,
timestamp: '2099-01-01T00:00:00Z',
},
}),
{
status: 400,
headers: {
'Content-Type': 'application/json',
},
},
),
);
render(
<ResolvedAssetImage
src="/generated-puzzle-assets/puzzle-session-1/candidate-1/asset-1/image.png"
alt="候选图"
/>,
);
await waitFor(() => {
expect(globalThis.fetch).toHaveBeenCalledTimes(1);
});
expect(screen.queryByRole('img', { name: '候选图' })).toBeNull();
});
});

12
src/hooks/useResolvedAssetReadUrl.ts
View File

@@ -18,7 +18,9 @@ export function useResolvedAssetReadUrl(
const normalizedSource = source?.trim() ?? '';
const shouldResolve =
enabled && Boolean(normalizedSource) && isGeneratedLegacyPath(normalizedSource);
const [resolvedUrl, setResolvedUrl] = useState(normalizedSource);
const [resolvedUrl, setResolvedUrl] = useState(
shouldResolve ? '' : normalizedSource,
);
useEffect(() => {
if (!normalizedSource) {
@@ -32,8 +34,8 @@ export function useResolvedAssetReadUrl(
}
let cancelled = false;
// 生成资源的签名 URL 还没回来前,先保留原始路径占位,避免结果页/运行时首屏出现空白图块
setResolvedUrl(normalizedSource);
// 生成资源通常是 OSS 私有对象;签名 URL 未就绪前不能把裸 generated 路径交给 img 触发无鉴权 GET
setResolvedUrl('');
void resolveAssetReadUrl(normalizedSource, {
expireSeconds: options.expireSeconds,
@@ -45,8 +47,8 @@ export function useResolvedAssetReadUrl(
})
.catch(() => {
if (!cancelled) {
// 读取签名失败时回退原始路径,至少保持现有 UI 可见错误表象
setResolvedUrl(normalizedSource);
// 签名失败时保持空 src避免继续请求无签名的私有对象兼容路径
setResolvedUrl('');
}
});