Tiptap Media Picker: ImageSharp HMAC support#19333
Merged
iOvergaard merged 9 commits intorelease/16.0from May 16, 2025
Merged
Conversation
to get the resized URLs from the server. This adds support for ImageSharp's HMAC security.
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR adds support for ImageSharp’s HMAC security parameter by updating the Tiptap Media Picker code to use the imaging repository for fetching resized image URLs.
- Removed the legacy getProcessedImageUrl import and its usage.
- Introduced a new imaging repository instance and corresponding request for resized items.
iOvergaard
reviewed
May 15, 2025
...raco.Web.UI.Client/src/packages/tiptap/extensions/toolbar/media-picker.tiptap-toolbar-api.ts
Show resolved
Hide resolved
iOvergaard
reviewed
May 16, 2025
...raco.Web.UI.Client/src/packages/tiptap/extensions/toolbar/media-picker.tiptap-toolbar-api.ts
Outdated
Show resolved
Hide resolved
…ar/media-picker.tiptap-toolbar-api.ts
iOvergaard
approved these changes
May 16, 2025
… as documented this also deprecates the public maxWidth property
… and ensures that imageSize() accounts for maxHeight as well
iOvergaard
approved these changes
May 16, 2025
Contributor
iOvergaard
left a comment
iOvergaard
left a comment
There was a problem hiding this comment.
I found I had to duplicate the logic into the drag'n'drop function for images as well, because it initially tries to simulate the server with the blob-url. This required me to add support for maxHeight as well to the function, and thanks to Copilot Chat, I was able to do that and create mocked tests for it as well. It should now mimick the ImageSharp.MAX mode.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Fixes #18020.
Modifies the Tiptap Media Picker code to make use of the imaging repository, to get the resized URLs from the server.
This adds support for ImageSharp's HMAC security parameter.
Related PR: #19331.
See also the documentation on HMAC: https://docs.umbraco.com/umbraco-cms/reference/configuration/imagingsettings#hmac-secret-key
Limitations
Specifically for rich text editors, the HMAC is generated once, so if you modify any parameter that could affect the HMAC hash, the image will stop working. This is a limitation that has existed ever since HMAC was first implemented back in V12. Parameters that could affect this include, but are not limited to, the
height,width,mode, and the path itself. This means if you change the image file (on the media item), the image will also stop working.To get around this, you need to modify the media object to get a new HMAC if any of them change. You can, for instance, reselect the image, and a new HMAC will be generated.
If the HMAC salt is changed in appsettings, all images in rich text editors will also stop working.
The limitation does not apply to selected media items, for example, in the mediapicker and image cropper.