New feautres (form visibility feature + simple auth + deleting images)

README.md

@@ -25,6 +25,11 @@ http://some.host/somename.png?w=320&h=240
 ```
 returns the image cropped to the desired size
 
+Deleting an image, it requires `TOKEN_REQUIRED` to be `True` and `BEARER_TOKEN` set (e.g. `test` like below):
+```
+curl --location --request DELETE 'http://some.host/somename.png' --header 'Authorization: Bearer test'
+```
+
 ## Running
 imgpush requires docker
 
@@ -107,17 +112,20 @@ livenessProbe:
 
 
 ## Configuration
-| Setting  | Default value | Description |
-| ------------- | ------------- |------------- |
-| OUTPUT_TYPE  | Same as Input file | An image type supported by imagemagick, e.g. png or jpg |
-| MAX_SIZE_MB  | "16"  | Integer, Max size per uploaded file in megabytes |
-| MAX_UPLOADS_PER_DAY  | "1000"  | Integer, max per IP address |
-| MAX_UPLOADS_PER_HOUR  | "100"  | Integer, max per IP address |
-| MAX_UPLOADS_PER_MINUTE  | "20"  | Integer, max per IP address |
-| ALLOWED_ORIGINS  | "['*']"  | array of domains, e.g ['https://a.com'] |
-| VALID_SIZES  | Any size  | array of integers allowed in the h= and w= parameters, e.g "[100,200,300]". You should set this to protect against being bombarded with requests! |
-| NAME_STRATEGY  | "randomstr"  | `randomstr` for random 5 chars, `uuidv4` for UUIDv4 |
-| NUDE_FILTER_MAX_THRESHOLD  | None  | max unsafe value returned from nudenet library(https://github.com/notAI-tech/NudeNet), range is from 0-0.99. Blocks nudity from being uploaded. |
+| Setting                   | Default value      | Description                                                                                                                                       |
+|---------------------------|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------|
+| OUTPUT_TYPE               | Same as Input file | An image type supported by imagemagick, e.g. png or jpg                                                                                           |
+| MAX_SIZE_MB               | "16"               | Integer, Max size per uploaded file in megabytes                                                                                                  |
+| MAX_UPLOADS_PER_DAY       | "1000"             | Integer, max per IP address                                                                                                                       |
+| MAX_UPLOADS_PER_HOUR      | "100"              | Integer, max per IP address                                                                                                                       |
+| MAX_UPLOADS_PER_MINUTE    | "20"               | Integer, max per IP address                                                                                                                       |
+| ALLOWED_ORIGINS           | "['*']"            | array of domains, e.g ['https://a.com']                                                                                                           |
+| VALID_SIZES               | Any size           | array of integers allowed in the h= and w= parameters, e.g "[100,200,300]". You should set this to protect against being bombarded with requests! |
+| NAME_STRATEGY             | "randomstr"        | `randomstr` for random 5 chars, `uuidv4` for UUIDv4                                                                                               |
+| NUDE_FILTER_MAX_THRESHOLD | None               | max unsafe value returned from nudenet library(https://github.com/notAI-tech/NudeNet), range is from 0-0.99. Blocks nudity from being uploaded.   |
+| SHOW_UPLOAD_FORM          | True               | Boolean, whether upload form should be displayed                                                                                                  |                                                                                                                                         |
+| TOKEN_REQUIRED            | False              | Boolean, if True then upload requests must be authorized                                                                                          |                                                                                                                                         |
+| BEARER_TOKEN              | None               | String, defines token to authorize upload requests when TOKEN_REQUIRED is True                                                                    |                                                                                                                                         |
 
 Setting configuration variables is all set through env variables that get passed to the docker container.
 ### Example:

app/app.py

@@ -13,6 +13,7 @@
 from flask_cors import CORS
 from flask_limiter import Limiter
 from flask_limiter.util import get_remote_address
+from flask_httpauth import HTTPTokenAuth
 from wand.exceptions import MissingDelegateError
 from wand.image import Image
 from werkzeug.middleware.proxy_fix import ProxyFix
@@ -21,6 +22,7 @@
 
 app = Flask(__name__)
 app.wsgi_app = ProxyFix(app.wsgi_app)
+auth = HTTPTokenAuth(scheme='Bearer')
 
 CORS(app, origins=settings.ALLOWED_ORIGINS)
 app.config["MAX_CONTENT_LENGTH"] = settings.MAX_SIZE_MB * 1024 * 1024
@@ -35,6 +37,10 @@
 else:
     nude_classifier = None
 
+@auth.verify_token
+def verify_token(token):
+    if token == settings.BEARER_TOKEN:
+        return 'user'
 
 @app.after_request
 def after_request(resp):
@@ -146,12 +152,14 @@ def resize(img, width, height):
 
 @app.route("/", methods=["GET"])
 def root():
-    return """
+    if settings.SHOW_UPLOAD_FORM:
+        return """
 <form action="/" method="post" enctype="multipart/form-data">
     <input type="file" name="file" id="file">
     <input type="submit" value="Upload" name="submit">
 </form>
 """
+    return Response(status=200)
 
 
 @app.route("/liveness", methods=["GET"])
@@ -169,7 +177,11 @@ def liveness():
         ]
     )
 )
+@auth.login_required(optional=True)
 def upload_image():
+    user = auth.current_user()
+    if user is None and settings.TOKEN_REQUIRED:
+        return jsonify(error="Token required"), 403
     _clear_imagemagick_temp_files()
 
     random_string = _get_random_filename()
@@ -219,6 +231,17 @@ def upload_image():
 
     return jsonify(filename=output_filename)
 
+@app.route("/<string:filename>", methods=["DELETE"])
+@auth.login_required
+def delete_image(filename):
+    path = os.path.join(settings.IMAGES_DIR, filename)
+    if os.path.isfile(path):
+        os.remove(path)
+    else:
+        return jsonify(error="File not found"), 404
+
+    return Response(status=202)
+
 
 @app.route("/<string:filename>")
 @limiter.exempt

app/settings.py

@@ -11,6 +11,9 @@
 MAX_TMP_FILE_AGE = 5 * 60
 RESIZE_TIMEOUT = 5
 NUDE_FILTER_MAX_THRESHOLD = None
+SHOW_UPLOAD_FORM = True
+TOKEN_REQUIRED = False
+BEARER_TOKEN = None
 
 VALID_SIZES = []
 

requirements.txt

@@ -2,6 +2,7 @@ filetype==1.0.5
 Flask==1.1.1
 flask_cors==3.0.9
 flask_limiter==1.0.1
+flask_httpauth==4.5.0
 wand==0.5.7
 Werkzeug==0.16.0
 gunicorn==19.9.0