fix: prevent unsigned generated asset image requests
This commit is contained in:
108
src/hooks/useResolvedAssetReadUrl.test.tsx
Normal file
108
src/hooks/useResolvedAssetReadUrl.test.tsx
Normal file
@@ -0,0 +1,108 @@
|
|||||||
|
// @vitest-environment jsdom
|
||||||
|
|
||||||
|
import { render, screen, waitFor } from '@testing-library/react';
|
||||||
|
import { afterEach, beforeEach, describe, expect, test, vi } from 'vitest';
|
||||||
|
|
||||||
|
import { ResolvedAssetImage } from '../components/ResolvedAssetImage';
|
||||||
|
import { clearStoredAccessToken, setStoredAccessToken } from '../services/apiClient';
|
||||||
|
import { clearSignedAssetReadUrlCache } from '../services/assetReadUrlService';
|
||||||
|
|
||||||
|
describe('useResolvedAssetReadUrl', () => {
|
||||||
|
beforeEach(() => {
|
||||||
|
clearSignedAssetReadUrlCache();
|
||||||
|
clearStoredAccessToken({ emit: false });
|
||||||
|
setStoredAccessToken('test-access-token', { emit: false });
|
||||||
|
vi.restoreAllMocks();
|
||||||
|
});
|
||||||
|
|
||||||
|
afterEach(() => {
|
||||||
|
clearStoredAccessToken({ emit: false });
|
||||||
|
});
|
||||||
|
|
||||||
|
test('generated 私有资源签名完成前不会把裸路径写入 img', async () => {
|
||||||
|
vi.spyOn(globalThis, 'fetch').mockResolvedValue(
|
||||||
|
new Response(
|
||||||
|
JSON.stringify({
|
||||||
|
ok: true,
|
||||||
|
data: {
|
||||||
|
read: {
|
||||||
|
objectKey:
|
||||||
|
'generated-puzzle-assets/puzzle-session-1/candidate-1/asset-1/image.png',
|
||||||
|
signedUrl: 'https://signed.example.com/puzzle.png',
|
||||||
|
expiresAt: '2099-01-01T00:10:00Z',
|
||||||
|
},
|
||||||
|
},
|
||||||
|
error: null,
|
||||||
|
meta: {
|
||||||
|
apiVersion: '2026-04-08',
|
||||||
|
routeVersion: '2026-04-08',
|
||||||
|
latencyMs: 1,
|
||||||
|
timestamp: '2099-01-01T00:00:00Z',
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
{
|
||||||
|
status: 200,
|
||||||
|
headers: {
|
||||||
|
'Content-Type': 'application/json',
|
||||||
|
},
|
||||||
|
},
|
||||||
|
),
|
||||||
|
);
|
||||||
|
|
||||||
|
render(
|
||||||
|
<ResolvedAssetImage
|
||||||
|
src="/generated-puzzle-assets/puzzle-session-1/candidate-1/asset-1/image.png"
|
||||||
|
alt="候选图"
|
||||||
|
/>,
|
||||||
|
);
|
||||||
|
|
||||||
|
expect(screen.queryByRole('img', { name: '候选图' })).toBeNull();
|
||||||
|
|
||||||
|
const image = await screen.findByRole('img', { name: '候选图' });
|
||||||
|
expect(image.getAttribute('src')).toBe('https://signed.example.com/puzzle.png');
|
||||||
|
expect(globalThis.fetch).toHaveBeenCalledTimes(1);
|
||||||
|
expect(String(vi.mocked(globalThis.fetch).mock.calls[0]?.[0])).toContain(
|
||||||
|
'legacyPublicPath=%2Fgenerated-puzzle-assets%2Fpuzzle-session-1%2Fcandidate-1%2Fasset-1%2Fimage.png',
|
||||||
|
);
|
||||||
|
});
|
||||||
|
|
||||||
|
test('generated 私有资源签名失败时保持空图像而不是回退裸路径', async () => {
|
||||||
|
vi.spyOn(globalThis, 'fetch').mockResolvedValue(
|
||||||
|
new Response(
|
||||||
|
JSON.stringify({
|
||||||
|
ok: false,
|
||||||
|
data: null,
|
||||||
|
error: {
|
||||||
|
code: 'NOT_FOUND',
|
||||||
|
message: '对象不存在',
|
||||||
|
},
|
||||||
|
meta: {
|
||||||
|
apiVersion: '2026-04-08',
|
||||||
|
routeVersion: '2026-04-08',
|
||||||
|
latencyMs: 1,
|
||||||
|
timestamp: '2099-01-01T00:00:00Z',
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
{
|
||||||
|
status: 400,
|
||||||
|
headers: {
|
||||||
|
'Content-Type': 'application/json',
|
||||||
|
},
|
||||||
|
},
|
||||||
|
),
|
||||||
|
);
|
||||||
|
|
||||||
|
render(
|
||||||
|
<ResolvedAssetImage
|
||||||
|
src="/generated-puzzle-assets/puzzle-session-1/candidate-1/asset-1/image.png"
|
||||||
|
alt="候选图"
|
||||||
|
/>,
|
||||||
|
);
|
||||||
|
|
||||||
|
await waitFor(() => {
|
||||||
|
expect(globalThis.fetch).toHaveBeenCalledTimes(1);
|
||||||
|
});
|
||||||
|
expect(screen.queryByRole('img', { name: '候选图' })).toBeNull();
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
@@ -18,7 +18,9 @@ export function useResolvedAssetReadUrl(
|
|||||||
const normalizedSource = source?.trim() ?? '';
|
const normalizedSource = source?.trim() ?? '';
|
||||||
const shouldResolve =
|
const shouldResolve =
|
||||||
enabled && Boolean(normalizedSource) && isGeneratedLegacyPath(normalizedSource);
|
enabled && Boolean(normalizedSource) && isGeneratedLegacyPath(normalizedSource);
|
||||||
const [resolvedUrl, setResolvedUrl] = useState(normalizedSource);
|
const [resolvedUrl, setResolvedUrl] = useState(
|
||||||
|
shouldResolve ? '' : normalizedSource,
|
||||||
|
);
|
||||||
|
|
||||||
useEffect(() => {
|
useEffect(() => {
|
||||||
if (!normalizedSource) {
|
if (!normalizedSource) {
|
||||||
@@ -32,8 +34,8 @@ export function useResolvedAssetReadUrl(
|
|||||||
}
|
}
|
||||||
|
|
||||||
let cancelled = false;
|
let cancelled = false;
|
||||||
// 生成资源的签名 URL 还没回来前,先保留原始路径占位,避免结果页/运行时首屏出现空白图块。
|
// 生成资源通常是 OSS 私有对象;签名 URL 未就绪前不能把裸 generated 路径交给 img 触发无鉴权 GET。
|
||||||
setResolvedUrl(normalizedSource);
|
setResolvedUrl('');
|
||||||
|
|
||||||
void resolveAssetReadUrl(normalizedSource, {
|
void resolveAssetReadUrl(normalizedSource, {
|
||||||
expireSeconds: options.expireSeconds,
|
expireSeconds: options.expireSeconds,
|
||||||
@@ -45,8 +47,8 @@ export function useResolvedAssetReadUrl(
|
|||||||
})
|
})
|
||||||
.catch(() => {
|
.catch(() => {
|
||||||
if (!cancelled) {
|
if (!cancelled) {
|
||||||
// 读取签名失败时回退原始路径,至少保持现有 UI 可见错误表象。
|
// 签名失败时保持空 src,避免继续请求无签名的私有对象兼容路径。
|
||||||
setResolvedUrl(normalizedSource);
|
setResolvedUrl('');
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user