Add getAttachmentUrl toolkit utility, fix avatar URL in HDSProfile

- New toolkit/getAttachmentUrl: builds browser-safe attachment URLs
  using connection.endpoint + attachment.readToken (no embedded credentials)
- HDSProfile.resolveAvatarUrl now delegates to getAttachmentUrl
- Fix: browsers blocked old URLs with embedded credentials in <img> src
- Update HDSProfile tests for readToken-based URLs
- Add 6 unit tests for getAttachmentUrl

Author: perki

tests/HDSProfile.test.js

@@ -217,8 +217,7 @@ describe('[HDSP] HDSProfile (dev API)', function () {
       const avatarUrl = HDSProfile.getAvatarUrl();
       assert.ok(avatarUrl, 'Should have avatar URL');
       assert.ok(avatarUrl.includes('/events/'), 'Should be an attachment URL');
-      assert.ok(avatarUrl.includes('red-pixel.png'), 'Should contain filename');
-      assert.ok(avatarUrl.includes('auth='), 'Should contain auth token');
+      assert.ok(avatarUrl.includes('readToken='), 'Should contain readToken');
 
       // Verify persistence
       await HDSProfile.reload();
@@ -237,7 +236,7 @@ describe('[HDSP] HDSProfile (dev API)', function () {
 
       const newUrl = HDSProfile.getAvatarUrl();
       assert.ok(newUrl, 'Should have new avatar URL');
-      assert.ok(newUrl.includes('new-avatar.png'), 'Should contain new filename');
+      assert.ok(newUrl.includes('readToken='), 'Should contain readToken');
       assert.notStrictEqual(newUrl, previousUrl, 'URL should differ from previous');
     });
   });
@@ -293,7 +292,7 @@ describe('[HDSP] HDSProfile (dev API)', function () {
       const profile = await HDSProfile.readFromConnection(sharedConnection);
       assert.ok(profile.avatar, 'Should have avatar URL');
       assert.ok(profile.avatar.includes('/events/'), 'Avatar should be an attachment URL');
-      assert.ok(profile.avatar.includes('auth='), 'Avatar URL should contain auth token');
+      assert.ok(profile.avatar.includes('readToken='), 'Avatar URL should contain readToken');
     });
 
     it('[HDSP-X3] does not affect singleton state', async () => {

tests/getAttachmentUrl.test.js

@@ -0,0 +1,56 @@
+import { assert } from './test-utils/deps-node.js';
+import { getAttachmentUrl } from '../ts/toolkit/getAttachmentUrl.ts';
+
+describe('[GAU] getAttachmentUrl', function () {
+  const fakeConnection = {
+    endpoint: 'https://demo.datasafe.dev/testuser/',
+    apiEndpoint: 'https://token123@demo.datasafe.dev/testuser/',
+    token: 'token123'
+  };
+
+  const eventWithAttachment = {
+    id: 'evt123',
+    attachments: [
+      { id: 'att-001', fileName: 'photo.jpg', readToken: 'rt-abc-123' },
+      { id: 'att-002', fileName: 'thumb.jpg', readToken: 'rt-def-456' }
+    ]
+  };
+
+  it('[GAU1] builds URL with readToken from first attachment', function () {
+    const url = getAttachmentUrl(fakeConnection, eventWithAttachment);
+    assert.strictEqual(
+      url,
+      'https://demo.datasafe.dev/testuser/events/evt123/att-001?readToken=rt-abc-123'
+    );
+  });
+
+  it('[GAU2] builds URL for specific attachment index', function () {
+    const url = getAttachmentUrl(fakeConnection, eventWithAttachment, 1);
+    assert.strictEqual(
+      url,
+      'https://demo.datasafe.dev/testuser/events/evt123/att-002?readToken=rt-def-456'
+    );
+  });
+
+  it('[GAU3] returns null when no attachments', function () {
+    const url = getAttachmentUrl(fakeConnection, { id: 'evt456' });
+    assert.strictEqual(url, null);
+  });
+
+  it('[GAU4] returns null for out-of-range index', function () {
+    const url = getAttachmentUrl(fakeConnection, eventWithAttachment, 5);
+    assert.strictEqual(url, null);
+  });
+
+  it('[GAU5] strips trailing slash from endpoint', function () {
+    const url = getAttachmentUrl(fakeConnection, eventWithAttachment);
+    assert.ok(!url.includes('//events'), 'Should not have double slash before events');
+  });
+
+  it('[GAU6] uses connection.endpoint (no embedded credentials)', function () {
+    const url = getAttachmentUrl(fakeConnection, eventWithAttachment);
+    assert.ok(!url.includes('@'), 'URL should not contain embedded credentials');
+    assert.ok(!url.includes('auth='), 'URL should use readToken, not auth');
+    assert.ok(url.includes('readToken='), 'URL should contain readToken');
+  });
+});

ts/settings/HDSProfile.ts

@@ -1,4 +1,5 @@
 import { pryv } from '../patchedPryv.ts';
+import { getAttachmentUrl } from '../toolkit/getAttachmentUrl.ts';
 
 type Connection = InstanceType<typeof pryv.Connection>;
 
@@ -46,6 +47,8 @@ let _cache: Partial<Record<ProfileKey, any>> = {};
 let _values: ProfileValues = { ...DEFAULTS };
 /** @internal */
 let _hooked = false;
+/** @internal — tracks which streams have been verified/created */
+let _ensuredStreams: Set<string> = new Set();
 
 /**
  * Check if event type matches a field's eventType (supports `picture/*` wildcard).
@@ -75,13 +78,9 @@ function matchField (event: any): ProfileKey | null {
  * Handles: attachment (construct API URL), data URL in content, plain URL in content.
  */
 function resolveAvatarUrl (event: any, conn: Connection | null = _connection): string | null {
-  // Attachment — construct URL from connection endpoint
+  // Attachment — use shared getAttachmentUrl utility
   if (event.attachments?.length > 0 && conn) {
-    const att = event.attachments[0];
-    const endpoint = (conn as any).apiEndpoint || '';
-    const token = (conn as any).token || '';
-    const fileName = att.fileName || att.id;
-    return `${endpoint}events/${event.id}/${fileName}?auth=${token}`;
+    return getAttachmentUrl(conn, event);
   }
   // Content is a string (data URL or plain URL)
   if (typeof event.content === 'string' && event.content.length > 0) {
@@ -135,6 +134,30 @@ async function trashExistingAvatar (): Promise<void> {
   }
 }
 
+/**
+ * Ensure a profile child stream exists, creating the parent `profile` stream and the child if needed.
+ */
+async function ensureStream (streamId: string): Promise<void> {
+  if (_ensuredStreams.has(streamId) || !_connection) return;
+  try {
+    // Create parent 'profile' stream (idempotent — ignores "already exists" error)
+    await _connection.apiOne(
+      'streams.create',
+      { id: 'profile', name: 'Profile' },
+      'stream'
+    ).catch(() => { /* already exists — ok */ });
+    // Create child stream
+    await _connection.apiOne(
+      'streams.create',
+      { id: streamId, name: streamId, parentId: 'profile' },
+      'stream'
+    ).catch(() => { /* already exists — ok */ });
+    _ensuredStreams.add(streamId);
+  } catch {
+    // best effort — the subsequent events.create will fail with a clear error if stream is truly missing
+  }
+}
+
 async function load (): Promise<void> {
   if (!_connection) return;
 
@@ -231,6 +254,7 @@ const HDSProfile = {
       );
       _cache[key] = updated;
     } else {
+      await ensureStream(field.streamId);
       const created = await _connection.apiOne(
         'events.create',
         { streamIds: [field.streamId], type: field.eventType, content: value },
@@ -264,6 +288,7 @@ const HDSProfile = {
       throw new Error('HDSProfile: call hookToConnection() first');
     }
     await trashExistingAvatar();
+    await ensureStream(PROFILE_FIELDS.avatar.streamId);
     const result = await (_connection as any).createEventWithFileFromBuffer(
       { type: 'picture/attached', streamIds: [PROFILE_FIELDS.avatar.streamId] },
       fileData,
@@ -284,6 +309,7 @@ const HDSProfile = {
       throw new Error('HDSProfile: call hookToConnection() first');
     }
     await trashExistingAvatar();
+    await ensureStream(PROFILE_FIELDS.avatar.streamId);
     const created = await _connection.apiOne(
       'events.create',
       { streamIds: [PROFILE_FIELDS.avatar.streamId], type: 'picture/base64', content: dataUrl },
@@ -315,6 +341,7 @@ const HDSProfile = {
     _cache = {};
     _values = { ...DEFAULTS };
     _hooked = false;
+    _ensuredStreams = new Set();
   },
 };
 

ts/toolkit/getAttachmentUrl.ts

@@ -0,0 +1,23 @@
+import { pryv } from '../patchedPryv.ts';
+
+type Connection = InstanceType<typeof pryv.Connection>;
+
+/**
+ * Build a browser-safe URL for an event attachment.
+ * Uses the attachment's `readToken` for auth (no embedded credentials in the URL).
+ *
+ * @param connection - Pryv Connection (uses `.endpoint` for the clean base URL)
+ * @param event - Pryv event with attachments
+ * @param attachmentIndex - index of the attachment (default 0)
+ * @returns URL string or null if no attachment at the given index
+ */
+export function getAttachmentUrl (
+  connection: Connection,
+  event: any,
+  attachmentIndex: number = 0
+): string | null {
+  if (!event.attachments?.[attachmentIndex]) return null;
+  const attachment = event.attachments[attachmentIndex];
+  const baseUrl = ((connection as any).endpoint || '').replace(/\/$/, '');
+  return `${baseUrl}/events/${event.id}/${attachment.id}?readToken=${attachment.readToken}`;
+}

ts/toolkit/index.ts

@@ -1,4 +1,5 @@
 import { StreamsAutoCreate } from './StreamsAutoCreate.ts';
 import * as StreamTools from './StreamsTools.ts';
+import { getAttachmentUrl } from './getAttachmentUrl.ts';
 
-export { StreamsAutoCreate, StreamTools };
+export { StreamsAutoCreate, StreamTools, getAttachmentUrl };