ipx 0.9.2 → 0.9.6

package/README.md

@@ -52,27 +52,29 @@ Resize to `200x200px` using `embed` method and change format to `webp`:
 
 ### Modifiers
 
-| Property    | Docs                                                            | Example                                                 | Comments                                                                                                                                                          |
-| ----------- | :-------------------------------------------------------------- | :------------------------------------------------------ | :---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| width / w   | \_                                                              | `http://localhost:3000/width_200/buffalo.png`           |
-| height / h  | \_                                                              | `http://localhost:3000/height_200/buffalo.png`          |
-| resize / s  | \_                                                              | `http://localhost:3000/s_200x200/buffalo.png`           |
-| trim        | [Docs](https://sharp.pixelplumbing.com/api-resize#trim)         | `http://localhost:3000/trim_100/buffalo.png`            |
-| format      | [Docs](https://sharp.pixelplumbing.com/api-output#toformat)     | `http://localhost:3000/format_webp/buffalo.png`         | Supported format: `jpg`, `jpeg`, `png`, `webp`, `avif`, `gif`, `heif`                                                                                             |
-| quality / q | \_                                                              | `http://localhost:3000/quality_50/buffalo.png`          | Accepted values: 0 to 100                                                                                                                                         |
-| rotate      | [Docs](https://sharp.pixelplumbing.com/api-operation#rotate)    | `http://localhost:3000/rotate_45/buffalo.png`           |
-| enlarge     | \_                                                              | `http://localhost:3000/enlarge,s_2000x2000/buffalo.png` | Allow the image to be upscaled. By default the returned image will never be larger than the source in any dimension, while preserving the requested aspect ratio. |
-| flip        | [Docs](https://sharp.pixelplumbing.com/api-operation#flip)      | `http://localhost:3000/flip/buffalo.png`                |
-| flop        | [Docs](https://sharp.pixelplumbing.com/api-operation#flop)      | `http://localhost:3000/flop/buffalo.png`                |
-| sharpen     | [Docs](https://sharp.pixelplumbing.com/api-operation#sharpen)   | `http://localhost:3000/sharpen_30/buffalo.png`          |
-| median      | [Docs](https://sharp.pixelplumbing.com/api-operation#median)    | `http://localhost:3000/median_10/buffalo.png`           |
-| gamma       | [Docs](https://sharp.pixelplumbing.com/api-operation#gamma)     | `http://localhost:3000/gamma_3/buffalo.png`             |
-| negate      | [Docs](https://sharp.pixelplumbing.com/api-operation#negate)    | `http://localhost:3000/negate/buffalo.png`              |
-| normalize   | [Docs](https://sharp.pixelplumbing.com/api-operation#normalize) | `http://localhost:3000/normalize/buffalo.png`           |
-| threshold   | [Docs](https://sharp.pixelplumbing.com/api-operation#threshold) | `http://localhost:3000/threshold_10/buffalo.png`        |
-| tint        | [Docs](https://sharp.pixelplumbing.com/api-colour#tint)         | `http://localhost:3000/tint_1098123/buffalo.png`        |
-| grayscale   | [Docs](https://sharp.pixelplumbing.com/api-colour#grayscale)    | `http://localhost:3000/grayscale/buffalo.png`           |
-| animated    | -                                                               | `http://localhost:3000/animated/buffalo.gif`            | Experimental                                                                                                                                                      |
+| Property        | Docs                                                            | Example                                                     | Comments                                                                                                                                                          |
+| --------------- | :-------------------------------------------------------------- | :---------------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| width / w       | [Docs](https://sharp.pixelplumbing.com/api-resize#resize)       | `http://localhost:3000/width_200/buffalo.png`               |
+| height / h      | [Docs](https://sharp.pixelplumbing.com/api-resize#resize)       | `http://localhost:3000/height_200/buffalo.png`              |
+| resize / s      | [Docs](https://sharp.pixelplumbing.com/api-resize#resize)       | `http://localhost:3000/s_200x200/buffalo.png`               |
+| fit             | [Docs](https://sharp.pixelplumbing.com/api-resize#resize)       | `http://localhost:3000/s_200x200,fit_outside/buffalo.png`   | Sets `fit` option for `resize`.
+| position / pos  | [Docs](https://sharp.pixelplumbing.com/api-resize#resize)       | `http://localhost:3000/s_200x200,pos_top/buffalo.png`       | Sets `position` option for `resize`.
+| trim            | [Docs](https://sharp.pixelplumbing.com/api-resize#trim)         | `http://localhost:3000/trim_100/buffalo.png`                |
+| format          | [Docs](https://sharp.pixelplumbing.com/api-output#toformat)     | `http://localhost:3000/format_webp/buffalo.png`             | Supported format: `jpg`, `jpeg`, `png`, `webp`, `avif`, `gif`, `heif`                                                                                             |
+| quality / q     | \_                                                              | `http://localhost:3000/quality_50/buffalo.png`              | Accepted values: 0 to 100                                                                                                                                         |
+| rotate          | [Docs](https://sharp.pixelplumbing.com/api-operation#rotate)    | `http://localhost:3000/rotate_45/buffalo.png`               |
+| enlarge         | \_                                                              | `http://localhost:3000/enlarge,s_2000x2000/buffalo.png`     | Allow the image to be upscaled. By default the returned image will never be larger than the source in any dimension, while preserving the requested aspect ratio. |
+| flip            | [Docs](https://sharp.pixelplumbing.com/api-operation#flip)      | `http://localhost:3000/flip/buffalo.png`                    |
+| flop            | [Docs](https://sharp.pixelplumbing.com/api-operation#flop)      | `http://localhost:3000/flop/buffalo.png`                    |
+| sharpen         | [Docs](https://sharp.pixelplumbing.com/api-operation#sharpen)   | `http://localhost:3000/sharpen_30/buffalo.png`              |
+| median          | [Docs](https://sharp.pixelplumbing.com/api-operation#median)    | `http://localhost:3000/median_10/buffalo.png`               |
+| gamma           | [Docs](https://sharp.pixelplumbing.com/api-operation#gamma)     | `http://localhost:3000/gamma_3/buffalo.png`                 |
+| negate          | [Docs](https://sharp.pixelplumbing.com/api-operation#negate)    | `http://localhost:3000/negate/buffalo.png`                  |
+| normalize       | [Docs](https://sharp.pixelplumbing.com/api-operation#normalize) | `http://localhost:3000/normalize/buffalo.png`               |
+| threshold       | [Docs](https://sharp.pixelplumbing.com/api-operation#threshold) | `http://localhost:3000/threshold_10/buffalo.png`            |
+| tint            | [Docs](https://sharp.pixelplumbing.com/api-colour#tint)         | `http://localhost:3000/tint_1098123/buffalo.png`            |
+| grayscale       | [Docs](https://sharp.pixelplumbing.com/api-colour#grayscale)    | `http://localhost:3000/grayscale/buffalo.png`               |
+| animated        | -                                                               | `http://localhost:3000/animated/buffalo.gif`                | Experimental                                                                                                                                                      |
 
 ### Config
 

package/dist/chunks/middleware.cjs

@@ -5,7 +5,6 @@ const imageMeta = require('image-meta');
 const ufo = require('ufo');
 const fs = require('fs');
 const pathe = require('pathe');
-const isValidPath = require('is-valid-path');
 const http = require('http');
 const https = require('https');
 const ohmyfetch = require('ohmyfetch');
@@ -16,7 +15,6 @@ const xss = require('xss');
 function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e["default"] : e; }
 
 const defu__default = /*#__PURE__*/_interopDefaultLegacy(defu);
-const isValidPath__default = /*#__PURE__*/_interopDefaultLegacy(isValidPath);
 const http__default = /*#__PURE__*/_interopDefaultLegacy(http);
 const https__default = /*#__PURE__*/_interopDefaultLegacy(https);
 const destr__default = /*#__PURE__*/_interopDefaultLegacy(destr);
@@ -27,6 +25,7 @@ const Handlers = {
   __proto__: null,
   get quality () { return quality; },
   get fit () { return fit; },
+  get position () { return position; },
   get background () { return background; },
   get enlarge () { return enlarge; },
   get width () { return width; },
@@ -54,7 +53,8 @@ const Handlers = {
   get b () { return b; },
   get w () { return w; },
   get h () { return h; },
-  get s () { return s; }
+  get s () { return s; },
+  get pos () { return pos; }
 };
 
 function getEnv(name, defaultValue) {
@@ -72,9 +72,9 @@ function cachedPromise(fn) {
 }
 class IPXError extends Error {
 }
-function createError(message, statusCode) {
-  const err = new IPXError(message);
-  err.statusMessage = "IPX: " + message;
+function createError(statusMessage, statusCode, trace) {
+  const err = new IPXError(statusMessage + (trace ? ` (${trace})` : ""));
+  err.statusMessage = "IPX: " + statusMessage;
   err.statusCode = statusCode;
   return err;
 }
@@ -83,29 +83,35 @@ const createFilesystemSource = (options) => {
   const rootDir = pathe.resolve(options.dir);
   return async (id) => {
     const fsPath = pathe.resolve(pathe.join(rootDir, id));
-    if (!isValidPath__default(id) || id.includes("..") || !fsPath.startsWith(rootDir)) {
-      throw createError("Forbidden path:" + id, 403);
+    if (!isValidPath(fsPath) || !fsPath.startsWith(rootDir)) {
+      throw createError("Forbidden path", 403, id);
     }
     let stats;
     try {
       stats = await fs.promises.stat(fsPath);
     } catch (err) {
       if (err.code === "ENOENT") {
-        throw createError("File not found: " + fsPath, 404);
+        throw createError("File not found", 404, fsPath);
       } else {
-        throw createError("File access error for " + fsPath + ":" + err.code, 403);
+        throw createError("File access error " + err.code, 403, fsPath);
       }
     }
     if (!stats.isFile()) {
-      throw createError("Path should be a file: " + fsPath, 400);
+      throw createError("Path should be a file", 400, fsPath);
     }
     return {
       mtime: stats.mtime,
-      maxAge: options.maxAge || 300,
+      maxAge: options.maxAge,
       getData: cachedPromise(() => fs.promises.readFile(fsPath))
     };
   };
 };
+function isValidPath(fp) {
+  if (/[<>:"|?*]/.test(fp)) {
+    return false;
+  }
+  return true;
+}
 
 const createHTTPSource = (options) => {
   const httpsAgent = new https__default.Agent({ keepAlive: true });
@@ -118,18 +124,19 @@ const createHTTPSource = (options) => {
   return async (id, reqOptions) => {
     const url = new URL(id);
     if (!url.hostname) {
-      throw createError("Hostname is missing: " + id, 403);
+      throw createError("Hostname is missing", 403, id);
     }
     if (!reqOptions?.bypassDomain && !hosts.find((host) => url.hostname === host)) {
-      throw createError("Forbidden host: " + url.hostname, 403);
+      throw createError("Forbidden host", 403, url.hostname);
     }
     const response = await ohmyfetch.fetch(id, {
-      agent: id.startsWith("https") ? httpsAgent : httpAgent
+      agent: id.startsWith("https") ? httpsAgent : httpAgent,
+      ...options.fetchOptions
     });
     if (!response.ok) {
-      throw createError(response.statusText || "fetch error", response.status || 500);
+      throw createError("Fetch error", response.status || 500, response.statusText);
     }
-    let maxAge = options.maxAge || 300;
+    let maxAge = options.maxAge;
     const _cacheControl = response.headers.get("cache-control");
     if (_cacheControl) {
       const m = _cacheControl.match(/max-age=(\d+)/);
@@ -145,7 +152,7 @@ const createHTTPSource = (options) => {
     return {
       mtime,
       maxAge,
-      getData: cachedPromise(() => response.buffer())
+      getData: cachedPromise(() => response.arrayBuffer().then((ab) => Buffer.from(ab)))
     };
   };
 };
@@ -192,6 +199,13 @@ const fit = {
     context.fit = fit2;
   }
 };
+const position = {
+  args: [VArg],
+  order: -1,
+  apply: (context, _pipe, position2) => {
+    context.position = position2;
+  }
+};
 const HEX_RE = /^([a-f\d]{2})([a-f\d]{2})([a-f\d]{2})$/i;
 const SHORTHEX_RE = /^([a-f\d])([a-f\d])([a-f\d])$/i;
 const background = {
@@ -227,6 +241,12 @@ const resize = {
   args: [VArg, VArg, VArg],
   apply: (context, pipe, size) => {
     let [width2, height2] = String(size).split("x").map((v) => Number(v));
+    if (!width2) {
+      return;
+    }
+    if (!height2) {
+      height2 = width2;
+    }
     if (!context.enlarge) {
       const clamped = clampDimensionsPreservingAspectRatio(context.meta, { width: width2, height: height2 });
       width2 = clamped.width;
@@ -234,6 +254,7 @@ const resize = {
     }
     return pipe.resize(width2, height2, {
       fit: context.fit,
+      position: context.position,
       background: context.background
     });
   }
@@ -366,13 +387,16 @@ const b = background;
 const w = width;
 const h = height;
 const s = resize;
+const pos = position;
 
-const SUPPORTED_FORMATS = ["jpeg", "png", "webp", "avif", "tiff"];
+const SUPPORTED_FORMATS = ["jpeg", "png", "webp", "avif", "tiff", "gif"];
 function createIPX(userOptions) {
   const defaults = {
     dir: getEnv("IPX_DIR", "."),
     domains: getEnv("IPX_DOMAINS", []),
     alias: getEnv("IPX_ALIAS", {}),
+    fetchOptions: getEnv("IPX_FETCH_OPTIONS", {}),
+    maxAge: getEnv("IPX_MAX_AGE", 300),
     sharp: {}
   };
   const options = defu__default(userOptions, defaults);
@@ -382,12 +406,15 @@ function createIPX(userOptions) {
   };
   if (options.dir) {
     ctx.sources.filesystem = createFilesystemSource({
-      dir: options.dir
+      dir: options.dir,
+      maxAge: options.maxAge
     });
   }
   if (options.domains) {
     ctx.sources.http = createHTTPSource({
-      domains: options.domains
+      domains: options.domains,
+      fetchOptions: options.fetchOptions,
+      maxAge: options.maxAge
     });
   }
   return function ipx(id, modifiers = {}, reqOptions = {}) {
@@ -403,7 +430,7 @@ function createIPX(userOptions) {
     const getSrc = cachedPromise(() => {
       const source = ufo.hasProtocol(id) ? "http" : "filesystem";
       if (!ctx.sources[source]) {
-        throw createError("Unknown source: " + source, 400);
+        throw createError("Unknown source", 400, source);
       }
       return ctx.sources[source](id, reqOptions);
     });
@@ -423,10 +450,7 @@ function createIPX(userOptions) {
           meta
         };
       }
-      const animated = modifiers.animated !== void 0 || modifiers.a !== void 0;
-      if (animated) {
-        format = "webp";
-      }
+      const animated = modifiers.animated !== void 0 || modifiers.a !== void 0 || format === "gif";
       const Sharp = await import('sharp').then((r) => r.default || r);
       let sharp = Sharp(data, { animated });
       Object.assign(sharp.options, options.sharp);
@@ -459,6 +483,8 @@ function createIPX(userOptions) {
   };
 }
 
+const MODIFIER_SEP = /[,&]/g;
+const MODIFIER_VAL_SEP = /[_=:]/g;
 async function _handleRequest(req, ipx) {
   const res = {
     statusCode: 200,
@@ -466,19 +492,19 @@ async function _handleRequest(req, ipx) {
     headers: {},
     body: ""
   };
-  const [modifiersStr = "", ...idSegments] = req.url.substr(1).split("/");
-  const id = ufo.decode(idSegments.join("/"));
+  const [modifiersStr = "", ...idSegments] = req.url.substring(1).split("/");
+  const id = safeString(ufo.decode(idSegments.join("/")));
   if (!modifiersStr) {
-    throw createError("Modifiers is missing in path: " + req.url, 400);
+    throw createError("Modifiers are missing", 400, req.url);
   }
   if (!id || id === "/") {
-    throw createError("Resource id is missing: " + req.url, 400);
+    throw createError("Resource id is missing", 400, req.url);
   }
-  const modifiers = Object.create(null);
+  const modifiers = /* @__PURE__ */ Object.create(null);
   if (modifiersStr !== "_") {
-    for (const p of modifiersStr.split(",")) {
-      const [key, value = ""] = p.split("_");
-      modifiers[key] = ufo.decode(value);
+    for (const p of modifiersStr.split(MODIFIER_SEP)) {
+      const [key, value = ""] = p.split(MODIFIER_VAL_SEP);
+      modifiers[safeString(key)] = safeString(ufo.decode(value));
     }
   }
   const img = ipx(id, modifiers, req.options);
@@ -492,7 +518,7 @@ async function _handleRequest(req, ipx) {
     }
     res.headers["Last-Modified"] = +src.mtime + "";
   }
-  if (src.maxAge !== void 0) {
+  if (typeof src.maxAge === "number") {
     res.headers["Cache-Control"] = `max-age=${+src.maxAge}, public, s-maxage=${+src.maxAge}`;
   }
   const { data, format } = await img.data();
@@ -506,21 +532,21 @@ async function _handleRequest(req, ipx) {
     res.headers["Content-Type"] = `image/${format}`;
   }
   res.body = data;
-  return res;
+  return sanetizeReponse(res);
 }
 function handleRequest(req, ipx) {
   return _handleRequest(req, ipx).catch((err) => {
     const statusCode = parseInt(err.statusCode) || 500;
-    const statusMessage = err.statusMessage ? xss__default(err.statusMessage) : `IPX Error (${statusCode})`;
+    const statusMessage = err.statusMessage ? err.statusMessage : `IPX Error (${statusCode})`;
     if (process.env.NODE_ENV !== "production" && statusCode === 500) {
       console.error(err);
     }
-    return {
+    return sanetizeReponse({
       statusCode,
       statusMessage,
-      body: statusMessage,
+      body: "IPX Error: " + err,
       headers: {}
-    };
+    });
   });
 }
 function createIPXMiddleware(ipx) {
@@ -535,6 +561,24 @@ function createIPXMiddleware(ipx) {
     });
   };
 }
+function sanetizeReponse(res) {
+  return {
+    statusCode: res.statusCode || 200,
+    statusMessage: res.statusMessage ? safeString(res.statusMessage) : "OK",
+    headers: safeStringObject(res.headers || {}),
+    body: typeof res.body === "string" ? xss__default(safeString(res.body)) : res.body || ""
+  };
+}
+function safeString(input) {
+  return JSON.stringify(input).replace(/^"|"$/g, "");
+}
+function safeStringObject(input) {
+  const dst = {};
+  for (const key in input) {
+    dst[key] = safeString(input[key]);
+  }
+  return dst;
+}
 
 exports.createIPX = createIPX;
 exports.createIPXMiddleware = createIPXMiddleware;

package/dist/chunks/middleware.mjs

@@ -3,7 +3,6 @@ import { imageMeta } from 'image-meta';
 import { parseURL, withLeadingSlash, hasProtocol, joinURL, decode } from 'ufo';
 import { promises } from 'fs';
 import { resolve, join } from 'pathe';
-import isValidPath from 'is-valid-path';
 import http from 'http';
 import https from 'https';
 import { fetch } from 'ohmyfetch';
@@ -15,6 +14,7 @@ const Handlers = {
   __proto__: null,
   get quality () { return quality; },
   get fit () { return fit; },
+  get position () { return position; },
   get background () { return background; },
   get enlarge () { return enlarge; },
   get width () { return width; },
@@ -42,7 +42,8 @@ const Handlers = {
   get b () { return b; },
   get w () { return w; },
   get h () { return h; },
-  get s () { return s; }
+  get s () { return s; },
+  get pos () { return pos; }
 };
 
 function getEnv(name, defaultValue) {
@@ -60,9 +61,9 @@ function cachedPromise(fn) {
 }
 class IPXError extends Error {
 }
-function createError(message, statusCode) {
-  const err = new IPXError(message);
-  err.statusMessage = "IPX: " + message;
+function createError(statusMessage, statusCode, trace) {
+  const err = new IPXError(statusMessage + (trace ? ` (${trace})` : ""));
+  err.statusMessage = "IPX: " + statusMessage;
   err.statusCode = statusCode;
   return err;
 }
@@ -71,29 +72,35 @@ const createFilesystemSource = (options) => {
   const rootDir = resolve(options.dir);
   return async (id) => {
     const fsPath = resolve(join(rootDir, id));
-    if (!isValidPath(id) || id.includes("..") || !fsPath.startsWith(rootDir)) {
-      throw createError("Forbidden path:" + id, 403);
+    if (!isValidPath(fsPath) || !fsPath.startsWith(rootDir)) {
+      throw createError("Forbidden path", 403, id);
     }
     let stats;
     try {
       stats = await promises.stat(fsPath);
     } catch (err) {
       if (err.code === "ENOENT") {
-        throw createError("File not found: " + fsPath, 404);
+        throw createError("File not found", 404, fsPath);
       } else {
-        throw createError("File access error for " + fsPath + ":" + err.code, 403);
+        throw createError("File access error " + err.code, 403, fsPath);
       }
     }
     if (!stats.isFile()) {
-      throw createError("Path should be a file: " + fsPath, 400);
+      throw createError("Path should be a file", 400, fsPath);
     }
     return {
       mtime: stats.mtime,
-      maxAge: options.maxAge || 300,
+      maxAge: options.maxAge,
       getData: cachedPromise(() => promises.readFile(fsPath))
     };
   };
 };
+function isValidPath(fp) {
+  if (/[<>:"|?*]/.test(fp)) {
+    return false;
+  }
+  return true;
+}
 
 const createHTTPSource = (options) => {
   const httpsAgent = new https.Agent({ keepAlive: true });
@@ -106,18 +113,19 @@ const createHTTPSource = (options) => {
   return async (id, reqOptions) => {
     const url = new URL(id);
     if (!url.hostname) {
-      throw createError("Hostname is missing: " + id, 403);
+      throw createError("Hostname is missing", 403, id);
     }
     if (!reqOptions?.bypassDomain && !hosts.find((host) => url.hostname === host)) {
-      throw createError("Forbidden host: " + url.hostname, 403);
+      throw createError("Forbidden host", 403, url.hostname);
     }
     const response = await fetch(id, {
-      agent: id.startsWith("https") ? httpsAgent : httpAgent
+      agent: id.startsWith("https") ? httpsAgent : httpAgent,
+      ...options.fetchOptions
     });
     if (!response.ok) {
-      throw createError(response.statusText || "fetch error", response.status || 500);
+      throw createError("Fetch error", response.status || 500, response.statusText);
     }
-    let maxAge = options.maxAge || 300;
+    let maxAge = options.maxAge;
     const _cacheControl = response.headers.get("cache-control");
     if (_cacheControl) {
       const m = _cacheControl.match(/max-age=(\d+)/);
@@ -133,7 +141,7 @@ const createHTTPSource = (options) => {
     return {
       mtime,
       maxAge,
-      getData: cachedPromise(() => response.buffer())
+      getData: cachedPromise(() => response.arrayBuffer().then((ab) => Buffer.from(ab)))
     };
   };
 };
@@ -180,6 +188,13 @@ const fit = {
     context.fit = fit2;
   }
 };
+const position = {
+  args: [VArg],
+  order: -1,
+  apply: (context, _pipe, position2) => {
+    context.position = position2;
+  }
+};
 const HEX_RE = /^([a-f\d]{2})([a-f\d]{2})([a-f\d]{2})$/i;
 const SHORTHEX_RE = /^([a-f\d])([a-f\d])([a-f\d])$/i;
 const background = {
@@ -215,6 +230,12 @@ const resize = {
   args: [VArg, VArg, VArg],
   apply: (context, pipe, size) => {
     let [width2, height2] = String(size).split("x").map((v) => Number(v));
+    if (!width2) {
+      return;
+    }
+    if (!height2) {
+      height2 = width2;
+    }
     if (!context.enlarge) {
       const clamped = clampDimensionsPreservingAspectRatio(context.meta, { width: width2, height: height2 });
       width2 = clamped.width;
@@ -222,6 +243,7 @@ const resize = {
     }
     return pipe.resize(width2, height2, {
       fit: context.fit,
+      position: context.position,
       background: context.background
     });
   }
@@ -354,13 +376,16 @@ const b = background;
 const w = width;
 const h = height;
 const s = resize;
+const pos = position;
 
-const SUPPORTED_FORMATS = ["jpeg", "png", "webp", "avif", "tiff"];
+const SUPPORTED_FORMATS = ["jpeg", "png", "webp", "avif", "tiff", "gif"];
 function createIPX(userOptions) {
   const defaults = {
     dir: getEnv("IPX_DIR", "."),
     domains: getEnv("IPX_DOMAINS", []),
     alias: getEnv("IPX_ALIAS", {}),
+    fetchOptions: getEnv("IPX_FETCH_OPTIONS", {}),
+    maxAge: getEnv("IPX_MAX_AGE", 300),
     sharp: {}
   };
   const options = defu(userOptions, defaults);
@@ -370,12 +395,15 @@ function createIPX(userOptions) {
   };
   if (options.dir) {
     ctx.sources.filesystem = createFilesystemSource({
-      dir: options.dir
+      dir: options.dir,
+      maxAge: options.maxAge
     });
   }
   if (options.domains) {
     ctx.sources.http = createHTTPSource({
-      domains: options.domains
+      domains: options.domains,
+      fetchOptions: options.fetchOptions,
+      maxAge: options.maxAge
     });
   }
   return function ipx(id, modifiers = {}, reqOptions = {}) {
@@ -391,7 +419,7 @@ function createIPX(userOptions) {
     const getSrc = cachedPromise(() => {
       const source = hasProtocol(id) ? "http" : "filesystem";
       if (!ctx.sources[source]) {
-        throw createError("Unknown source: " + source, 400);
+        throw createError("Unknown source", 400, source);
       }
       return ctx.sources[source](id, reqOptions);
     });
@@ -411,10 +439,7 @@ function createIPX(userOptions) {
           meta
         };
       }
-      const animated = modifiers.animated !== void 0 || modifiers.a !== void 0;
-      if (animated) {
-        format = "webp";
-      }
+      const animated = modifiers.animated !== void 0 || modifiers.a !== void 0 || format === "gif";
       const Sharp = await import('sharp').then((r) => r.default || r);
       let sharp = Sharp(data, { animated });
       Object.assign(sharp.options, options.sharp);
@@ -447,6 +472,8 @@ function createIPX(userOptions) {
   };
 }
 
+const MODIFIER_SEP = /[,&]/g;
+const MODIFIER_VAL_SEP = /[_=:]/g;
 async function _handleRequest(req, ipx) {
   const res = {
     statusCode: 200,
@@ -454,19 +481,19 @@ async function _handleRequest(req, ipx) {
     headers: {},
     body: ""
   };
-  const [modifiersStr = "", ...idSegments] = req.url.substr(1).split("/");
-  const id = decode(idSegments.join("/"));
+  const [modifiersStr = "", ...idSegments] = req.url.substring(1).split("/");
+  const id = safeString(decode(idSegments.join("/")));
   if (!modifiersStr) {
-    throw createError("Modifiers is missing in path: " + req.url, 400);
+    throw createError("Modifiers are missing", 400, req.url);
   }
   if (!id || id === "/") {
-    throw createError("Resource id is missing: " + req.url, 400);
+    throw createError("Resource id is missing", 400, req.url);
   }
-  const modifiers = Object.create(null);
+  const modifiers = /* @__PURE__ */ Object.create(null);
   if (modifiersStr !== "_") {
-    for (const p of modifiersStr.split(",")) {
-      const [key, value = ""] = p.split("_");
-      modifiers[key] = decode(value);
+    for (const p of modifiersStr.split(MODIFIER_SEP)) {
+      const [key, value = ""] = p.split(MODIFIER_VAL_SEP);
+      modifiers[safeString(key)] = safeString(decode(value));
     }
   }
   const img = ipx(id, modifiers, req.options);
@@ -480,7 +507,7 @@ async function _handleRequest(req, ipx) {
     }
     res.headers["Last-Modified"] = +src.mtime + "";
   }
-  if (src.maxAge !== void 0) {
+  if (typeof src.maxAge === "number") {
     res.headers["Cache-Control"] = `max-age=${+src.maxAge}, public, s-maxage=${+src.maxAge}`;
   }
   const { data, format } = await img.data();
@@ -494,21 +521,21 @@ async function _handleRequest(req, ipx) {
     res.headers["Content-Type"] = `image/${format}`;
   }
   res.body = data;
-  return res;
+  return sanetizeReponse(res);
 }
 function handleRequest(req, ipx) {
   return _handleRequest(req, ipx).catch((err) => {
     const statusCode = parseInt(err.statusCode) || 500;
-    const statusMessage = err.statusMessage ? xss(err.statusMessage) : `IPX Error (${statusCode})`;
+    const statusMessage = err.statusMessage ? err.statusMessage : `IPX Error (${statusCode})`;
     if (process.env.NODE_ENV !== "production" && statusCode === 500) {
       console.error(err);
     }
-    return {
+    return sanetizeReponse({
       statusCode,
       statusMessage,
-      body: statusMessage,
+      body: "IPX Error: " + err,
       headers: {}
-    };
+    });
   });
 }
 function createIPXMiddleware(ipx) {
@@ -523,5 +550,23 @@ function createIPXMiddleware(ipx) {
     });
   };
 }
+function sanetizeReponse(res) {
+  return {
+    statusCode: res.statusCode || 200,
+    statusMessage: res.statusMessage ? safeString(res.statusMessage) : "OK",
+    headers: safeStringObject(res.headers || {}),
+    body: typeof res.body === "string" ? xss(safeString(res.body)) : res.body || ""
+  };
+}
+function safeString(input) {
+  return JSON.stringify(input).replace(/^"|"$/g, "");
+}
+function safeStringObject(input) {
+  const dst = {};
+  for (const key in input) {
+    dst[key] = safeString(input[key]);
+  }
+  return dst;
+}
 
 export { createIPXMiddleware as a, createIPX as c, handleRequest as h };

package/dist/cli.cjs

@@ -8,7 +8,6 @@ require('image-meta');
 require('ufo');
 require('fs');
 require('pathe');
-require('is-valid-path');
 require('http');
 require('https');
 require('ohmyfetch');

package/dist/cli.mjs

@@ -6,7 +6,6 @@ import 'image-meta';
 import 'ufo';
 import 'fs';
 import 'pathe';
-import 'is-valid-path';
 import 'http';
 import 'https';
 import 'ohmyfetch';

package/dist/index.cjs

@@ -8,7 +8,6 @@ require('image-meta');
 require('ufo');
 require('fs');
 require('pathe');
-require('is-valid-path');
 require('http');
 require('https');
 require('ohmyfetch');

package/dist/index.d.ts

@@ -6,7 +6,7 @@ interface SourceData {
     getData: () => Promise<Buffer>;
 }
 declare type Source = (src: string, reqOptions?: any) => Promise<SourceData>;
-declare type SourceFactory = (options?: any) => Source;
+declare type SourceFactory<T = Record<string, any>> = (options: T) => Source;
 
 interface ImageMeta {
     width: number;
@@ -27,8 +27,10 @@ declare type IPX = (id: string, modifiers?: Record<string, string>, reqOptions?:
 };
 interface IPXOptions {
     dir?: false | string;
+    maxAge?: number;
     domains?: false | string[];
     alias: Record<string, string>;
+    fetchOptions: RequestInit;
     sharp?: {
         [key: string]: any;
     };

package/dist/index.mjs

@@ -4,7 +4,6 @@ import 'image-meta';
 import 'ufo';
 import 'fs';
 import 'pathe';
-import 'is-valid-path';
 import 'http';
 import 'https';
 import 'ohmyfetch';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ipx",
-  "version": "0.9.2",
+  "version": "0.9.6",
   "repository": "unjs/ipx",
   "license": "MIT",
   "exports": {
@@ -9,51 +9,50 @@
       "import": "./dist/index.mjs"
     }
   },
-  "main": "dist/index.cjs",
-  "module": "dist/index.mjs",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.mjs",
   "types": "./dist/index.d.ts",
   "bin": "./bin/ipx.mjs",
   "files": [
     "dist",
     "bin"
   ],
-  "scripts": {
-    "build": "unbuild",
-    "dev": "nodemon",
-    "lint": "eslint --ext .ts .",
-    "prepack": "yarn build",
-    "release": "yarn test && standard-version && git push --follow-tags && npm publish",
-    "start": "node bin/ipx.js",
-    "test": "yarn lint && jest"
-  },
   "dependencies": {
     "consola": "^2.15.3",
-    "defu": "^5.0.0",
-    "destr": "^1.1.0",
+    "defu": "^6.0.0",
+    "destr": "^1.1.1",
     "etag": "^1.8.1",
     "image-meta": "^0.1.1",
-    "is-valid-path": "^0.1.1",
-    "listhen": "^0.2.5",
-    "ohmyfetch": "^0.4.2",
-    "pathe": "^0.2.0",
-    "sharp": "^0.29.0",
-    "ufo": "^0.7.9",
-    "xss": "^1.0.10"
+    "listhen": "^0.2.13",
+    "ohmyfetch": "^0.4.18",
+    "pathe": "^0.3.0",
+    "sharp": "^0.30.6",
+    "ufo": "^0.8.4",
+    "xss": "^1.0.13"
   },
   "devDependencies": {
     "@nuxtjs/eslint-config-typescript": "latest",
     "@types/etag": "latest",
     "@types/is-valid-path": "latest",
-    "@types/jest": "latest",
     "@types/node-fetch": "latest",
     "@types/sharp": "latest",
+    "c8": "latest",
     "eslint": "latest",
-    "jest": "latest",
     "jiti": "latest",
     "nodemon": "latest",
+    "serve-handler": "^6.1.3",
     "standard-version": "latest",
-    "ts-jest": "latest",
     "typescript": "latest",
-    "unbuild": "latest"
+    "unbuild": "latest",
+    "vitest": "latest"
+  },
+  "packageManager": "pnpm@7.3.0",
+  "scripts": {
+    "build": "unbuild",
+    "dev": "nodemon",
+    "lint": "eslint --ext .ts .",
+    "release": "pnpm test && standard-version && git push --follow-tags && pnpm publish",
+    "start": "node bin/ipx.js",
+    "test": "pnpm lint && vitest run --coverage"
   }
-}
+}