Merge pull request #85 from shinonomeow/shino_aio

shinonomeow · web-flow · commit 8313fcfa64f5 · 2025-08-03T13:57:56.000+08:00
fix poster api error
diff --git a/backend/src/main.py b/backend/src/main.py
@@ -1,13 +1,16 @@
 import logging
 import os
+from pathlib import Path
 
 import uvicorn
-from fastapi import FastAPI, Request
+from fastapi import Depends, FastAPI, HTTPException, Request
 from fastapi.responses import FileResponse, RedirectResponse
 from fastapi.staticfiles import StaticFiles
 from fastapi.templating import Jinja2Templates
 from module.api import lifespan, v1
 from module.conf import VERSION, settings, setup_logger
+from module.network import load_image
+from module.security.api import get_current_user
 
 setup_logger(reset=True)
 logger = logging.getLogger(__name__)
@@ -38,6 +41,51 @@ def create_app() -> FastAPI:
 app = create_app()
 
 
+@app.get("/posters/{path:path}", dependencies=[Depends(get_current_user)])
+async def get_poster(path: str):
+    """
+    安全的poster图片访问端点
+    - 添加了用户鉴权
+    - 防止路径遍历攻击
+    - 限制只能访问posters目录下的文件
+    """
+    # 验证路径安全性 - 阻止路径遍历
+    if ".." in path or path.startswith("/") or "\\" in path:
+        logger.warning(f"[Poster] Blocked path traversal attempt: {path}")
+        raise HTTPException(status_code=400, detail="Invalid path")
+
+    # 构建安全的文件路径
+    poster_dir = Path("data/posters")
+    post_path = poster_dir / Path(path)
+
+    # 确保解析后的路径仍在预期目录内
+    try:
+        post_path.resolve().relative_to(poster_dir.resolve())
+    except ValueError:
+        logger.warning(f"[Poster] Path outside allowed directory: {path}")
+        raise HTTPException(status_code=400, detail="Path outside allowed directory")
+
+    logger.debug(f"[Poster] Accessing poster: {post_path}")
+
+    # 如果文件不存在，尝试下载
+    if not post_path.exists():
+        try:
+            await load_image(path)
+        except Exception as e:
+            logger.warning(f"[Poster] Failed to load image {path}: {e}")
+
+    # 返回文件
+    if post_path.exists() and post_path.is_file():
+        return FileResponse(
+            post_path,
+            media_type="image/jpeg",
+            headers={"Cache-Control": "public, max-age=86400"},  # 缓存1天
+        )
+    else:
+        logger.warning(f"[Poster] File not found: {post_path}")
+        raise HTTPException(status_code=404, detail="Poster not found")
+
+
 if VERSION != "DEV_VERSION":
     app.mount("/assets", StaticFiles(directory="dist/assets"), name="assets")
     app.mount("/images", StaticFiles(directory="dist/images"), name="images")
diff --git a/backend/src/module/api/bangumi.py b/backend/src/module/api/bangumi.py
@@ -1,14 +1,12 @@
 import logging
-from pathlib import Path
 
 from fastapi import APIRouter, Depends, HTTPException
-from fastapi.responses import FileResponse, JSONResponse
+from fastapi.responses import JSONResponse
 from sqlalchemy.util.concurrency import asyncio
 
 from module.database import Database, engine
 from module.manager import BangumiManager
 from module.models import APIResponse, Bangumi, BangumiUpdate, ResponseModel
-from module.network import load_image
 from module.security.api import get_current_user
 
 from .response import u_response
@@ -17,11 +15,6 @@
 logger = logging.getLogger(__name__)
 
 
-# def str_to_list(data: Bangumi):
-#     data.exclude_filter = data.exclude_filter.split(",") if data.exclude_filter else []
-#     data.include_filter = data.include_filter.split(",") if data.include_filter else []
-#     data.rss_link = data.rss_link.split(",") if data.rss_link else []
-#     return data
 
 
 @router.get(
@@ -233,46 +226,3 @@ async def reset_all():
         )
 
 
-@router.get("/poster/{path:path}", dependencies=[Depends(get_current_user)])
-async def get_poster(path: str):
-    """
-    安全的poster图片访问端点
-    - 添加了用户鉴权
-    - 防止路径遍历攻击
-    - 限制只能访问posters目录下的文件
-    """
-    # 验证路径安全性 - 阻止路径遍历
-    if ".." in path or path.startswith("/") or "\\" in path:
-        logger.warning(f"[Poster] Blocked path traversal attempt: {path}")
-        raise HTTPException(status_code=400, detail="Invalid path")
-
-    # 构建安全的文件路径
-    poster_dir = Path("data/posters")
-    post_path = poster_dir / Path(path)
-
-    # 确保解析后的路径仍在预期目录内
-    try:
-        post_path.resolve().relative_to(poster_dir.resolve())
-    except ValueError:
-        logger.warning(f"[Poster] Path outside allowed directory: {path}")
-        raise HTTPException(status_code=400, detail="Path outside allowed directory")
-
-    logger.debug(f"[Poster] Accessing poster: {post_path}")
-
-    # 如果文件不存在，尝试下载
-    if not post_path.exists():
-        try:
-            await load_image(path)
-        except Exception as e:
-            logger.warning(f"[Poster] Failed to load image {path}: {e}")
-
-    # 返回文件
-    if post_path.exists() and post_path.is_file():
-        return FileResponse(
-            post_path,
-            media_type="image/jpeg",
-            headers={"Cache-Control": "public, max-age=86400"},  # 缓存1天
-        )
-    else:
-        logger.warning(f"[Poster] File not found: {post_path}")
-        raise HTTPException(status_code=404, detail="Poster not found")
