URL Support ala thumbor

[aphillipo]

Hi Doomspork,

I might take a look at signing and url support ala thumbor? https://github.com/thumbor/thumbor/wiki/Security

Obviously we'll just keep the predefined generation profiles and generate a signature on them and the url.

Thoughts?

[doomspork]

Heck yeah, please do @aphillipo!

Let me know if I can do anything to help 😀

[aphillipo]

• match on the name if it begins with http(s):// for now
• HTTPoison for making the request
• Seems we should maybe use poolboy for requesting images, block until we get a return.

[doomspork]

@aphillipo I was thinking about this some more. Are you sure this is something that would impact us? One of the decision I made that deviate from Thumbor/Dragonfly was the use of pre-defined and configured formats. My reasoning for that decision was to a) avoid people requesting whatever they wanted (as outlined in your link) and b) to keep urls simple, readable, and short.

[aphillipo]

Okay so following that maybe the config can include a list of domains/paths that we allow you to load an image from; for example cdns or s3 etc. and obviously that'll do away with the need for signing. We'd need to make sure that query strings are filtered otherwise you might be able to make an infinite number of the same image.

[doomspork]

That makes sense @aphillipo, good thinking 👍

[doomspork]

How are things coming @aphillipo? Do you want me to jump into this?

[aphillipo]

Hmmm. Thanks for the heads up, it'd be good if you do it because I'm so busy right now.

I think we should have a discussion about caching the output. Are you sure you don't want it in there?

Be cool to have an on filesystem cache and s3 cache?