Improve caching, HTTP headers and URL handling (#3594)

* Fix relative URLs
* Improve login base URL and redirects
* Prevent duplicate customlocales requests
* Improve UI base URL handling
* Improve UI embedding
* Improve CSP header
* Add Cache-Control headers to all responses
* Improve CORS responses
* Improve authentication handler
* Add back media timestamp suffixes
* Fix default image handling
* Add default param to other image URLs

pkg/utils/http.go

@@ -0,0 +1,41 @@
+package utils
+
+import (
+	"bytes"
+	"net/http"
+	"time"
+
+	"github.com/stashapp/stash/pkg/hash/md5"
+)
+
+// Returns an MD5 hash of data, formatted for use as an HTTP ETag header.
+// Intended for use with `http.ServeContent`, to respond to conditional requests.
+func GenerateETag(data []byte) string {
+	hash := md5.FromBytes(data)
+	return `"` + hash + `"`
+}
+
+// Serves static content, adding Cache-Control: no-cache and a generated ETag header.
+// Responds to conditional requests using the ETag.
+func ServeStaticContent(w http.ResponseWriter, r *http.Request, data []byte) {
+	if r.URL.Query().Has("t") {
+		w.Header().Set("Cache-Control", "private, max-age=31536000, immutable")
+	} else {
+		w.Header().Set("Cache-Control", "no-cache")
+	}
+	w.Header().Set("ETag", GenerateETag(data))
+
+	http.ServeContent(w, r, "", time.Time{}, bytes.NewReader(data))
+}
+
+// Serves static content at filepath, adding Cache-Control: no-cache.
+// Responds to conditional requests using the file modtime.
+func ServeStaticFile(w http.ResponseWriter, r *http.Request, filepath string) {
+	if r.URL.Query().Has("t") {
+		w.Header().Set("Cache-Control", "private, max-age=31536000, immutable")
+	} else {
+		w.Header().Set("Cache-Control", "no-cache")
+	}
+
+	http.ServeFile(w, r, filepath)
+}

pkg/utils/image.go

@@ -2,16 +2,12 @@ package utils
 
 import (
 	"context"
-	"crypto/md5"
 	"crypto/tls"
 	"encoding/base64"
-	"errors"
 	"fmt"
 	"io"
 	"net/http"
 	"regexp"
-	"strings"
-	"syscall"
 	"time"
 )
 
@@ -110,30 +106,12 @@ func GetBase64StringFromData(data []byte) string {
 	return base64.StdEncoding.EncodeToString(data)
 }
 
-func ServeImage(image []byte, w http.ResponseWriter, r *http.Request) error {
-	etag := fmt.Sprintf("%x", md5.Sum(image))
-
-	if match := r.Header.Get("If-None-Match"); match != "" {
-		if strings.Contains(match, etag) {
-			w.WriteHeader(http.StatusNotModified)
-			return nil
-		}
-	}
-
+func ServeImage(w http.ResponseWriter, r *http.Request, image []byte) {
 	contentType := http.DetectContentType(image)
 	if contentType == "text/xml; charset=utf-8" || contentType == "text/plain; charset=utf-8" {
 		contentType = "image/svg+xml"
 	}
 
 	w.Header().Set("Content-Type", contentType)
-	w.Header().Add("Etag", etag)
-	w.Header().Set("Cache-Control", "public, max-age=604800, immutable")
-	_, err := w.Write(image)
-	// Broken pipe errors are common when serving images and the remote
-	// connection closes the connection. Filter them out of the error
-	// messages, as they are benign.
-	if errors.Is(err, syscall.EPIPE) {
-		return nil
-	}
-	return err
+	ServeStaticContent(w, r, image)
 }