stash icon indicating copy to clipboard operation
stash copied to clipboard
verified publisher icon stashapp

Performer Image Malformed via Local Image URL when API/Creds Enabled

Open Serechops opened this issue 1 year ago • 10 comments

Describe the bug When setting a performer image via a local image URL when credentials/API key is set, the image becomes malformed. With no auth, the image updates and persists as normal.

To Reproduce Steps to reproduce the behavior:

  • Ensure credentials and API are disabled
  • Set performer image via URL and use a local image URL
  • The performer image is updated successfully and persists

Now, set credentials and generate API key

  • Set performer image via URL and use local image URL
  • The performer image is updated successfully at first, however on page reload, the image is malformed.

Expected behavior The performer image should persist after being updated, but instead it malforms and no image is shown.

Screenshots Please see the attached screenshots.

abella_malformed abella_malformed_2

Stash Version: (from Settings -> About):

v0.27.2
Build hash:
76648fee
Build time:
2024-10-15 22:17:23

Desktop (please complete the following information):

  • OS: Windows 11
  • Browser Chrome
  • Version 131.0.6778.109 (Official Build) (64-bit)

Smartphone (please complete the following information): Desktop PC

Additional context Problem first reported by user @nofinway on Discord when reporting an issue using my stashRightClickPerformers plugin to attempt to update a performer image via a local gallery image while having credentials and API enabled.

Serechops avatar Dec 07 '24 02:12 Serechops

Also found this to be an issue using my merge plugin, reported by Dogma Dragon and I've been able to replicate. It works absolutely fine without credentials. I tried adding the API key to the request, but no change.

Valkyr-JS avatar Dec 16 '24 16:12 Valkyr-JS

Reproduced on https://github.com/stashapp/stash/commit/76648fee66bce1356dbce2de5871205f68f6f3f0

DogmaDragon avatar Dec 16 '24 19:12 DogmaDragon

The image link provided in the UI assumes that the cookies are inherited, what happens when you pass your apikey via the &apikey parameter?

feederbox826 avatar Dec 20 '24 07:12 feederbox826

The image link provided in the UI assumes that the cookies are inherited, what happens when you pass your apikey via the &apikey parameter?

Just gave this a go and it doesn't work for me. I tried in my plugin and also in the performer edit screen. If you add image by URL, you can see the image come up in the preview, but after saving it breaks again.

Valkyr-JS avatar Dec 20 '24 15:12 Valkyr-JS

Will probably also fix #5015

feederbox826 avatar Nov 27 '25 07:11 feederbox826

So this one is complicated.

The issue is that when you set a performer image via a local URL (like http://localhost:9999/performer/123/image), the backend makes a fresh HTTP request to fetch that image but that request has no authentication headers (no cookies, no API key). When auth is enabled, the request gets a 401 and fails.

We could add the API key to the outgoing request, but we need to know when a URL is "local" (pointing back to stash). The middlewhere already can parse out the baseURL but what if I attach the image via localhost one day and then my domain name the other. Users access stash via localhost, localIPs, domain names, Tailscale, reverse proxies, etc. so detecting "is this URL pointing to me?" is unreliable.

We would always add an API key to every call but that would cause security leaks and not be a good idea.

We could detect local image URLs and parse the ID to read directly form the DB but that would be a LOT of refactoring and probably not worth the changes.

I'm not quite sure of any other implementations and if someone who is smarter than me has any ideas then i'm happy to look at them.

Gykes avatar Nov 27 '25 08:11 Gykes

This issue has been mentioned on Stash. There might be relevant details there:

https://discourse.stashapp.cc/t/stash-v0-30-release-development-thread/4484/1

discourse-stashapp avatar Nov 27 '25 14:11 discourse-stashapp

Using the stash URL of an image wasn't really the intended use of the set image from URL functionality and I would view this particular use case as unsupported.

I understand however that there's an appetite for conveniently setting an image within the stash system as a performer image/etc. One possible compromise I can think of is to accept relative URLs in the form of /performer/123/image, and intercept these to make an applicable call within the backend using the existing user session. The front end can silently remove the host part of the URL when sending it to the backend, if it detects that the host is from stash. That way, no api key is necessary.

WithoutPants avatar Nov 28 '25 00:11 WithoutPants

This issue has been mentioned on Stash. There might be relevant details there:

https://discourse.stashapp.cc/t/stash-mergers/241/1

discourse-stashapp avatar Dec 01 '25 14:12 discourse-stashapp

This issue has been mentioned on Stash. There might be relevant details there:

https://discourse.stashapp.cc/t/scene-paths-screenshot-performer-image-path-require-additional-login/4664/2

discourse-stashapp avatar Dec 06 '25 23:12 discourse-stashapp