msglist: Use HTTP header instead of URL query param to auth image requests

Keeping the user's API key out of these URLs makes it easier to
avoid leaking the API key, e.g. to the clipboard with a future "copy
image link" feature.

Author: chrisbobbe

lib/widgets/content.dart

@@ -1,6 +1,7 @@
 import 'package:flutter/material.dart';
 import 'package:html/dom.dart' as dom;
 
+import '../api/core.dart';
 import '../api/model/model.dart';
 import '../model/content.dart';
 import '../model/store.dart';
@@ -184,7 +185,7 @@ class MessageImage extends StatelessWidget {
     final src = node.srcUrl;
 
     final store = PerAccountStoreWidget.of(context);
-    final adjustedSrc = rewriteImageUrl(src, store.account);
+    final resolvedSrc = resolveUrl(src, store.account);
 
     return Align(
         alignment: Alignment.centerLeft,
@@ -200,8 +201,11 @@ class MessageImage extends StatelessWidget {
                 alignment: Alignment.center,
                 color: const Color.fromRGBO(0, 0, 0, 0.03),
                 child: Image.network(
-                  adjustedSrc,
+                  resolvedSrc,
                   filterQuality: FilterQuality.medium,
+                  headers: isUrlOnRealm(resolvedSrc, store.account)
+                    ? Map.fromEntries([authHeader(store.account)])
+                    : null,
                 ))));
   }
 }
@@ -442,7 +446,7 @@ class MessageImageEmoji extends StatelessWidget {
   @override
   Widget build(BuildContext context) {
     final store = PerAccountStoreWidget.of(context);
-    final adjustedSrc = rewriteImageUrl(node.src, store.account);
+    final resolvedSrc = resolveUrl(node.src, store.account);
 
     const size = 20.0;
 
@@ -456,7 +460,10 @@ class MessageImageEmoji extends StatelessWidget {
               // too low.
               top: -1.5,
               child: Image.network(
-                adjustedSrc.toString(),
+                resolvedSrc.toString(),
+                headers: isUrlOnRealm(resolvedSrc, store.account)
+                  ? Map.fromEntries([authHeader(store.account)])
+                  : null,
                 filterQuality: FilterQuality.medium,
                 width: size,
                 height: size,
@@ -469,32 +476,18 @@ class MessageImageEmoji extends StatelessWidget {
 // Small helpers.
 //
 
-/// Resolve URL if relative; add the user's API key if appropriate.
-///
-/// The API key is added if the URL is on the realm, and is an endpoint
-/// known to require authentication (and to accept it in this form.)
-String rewriteImageUrl(String src, Account account) {
+/// Resolve `src` to `account`'s realm, if relative
+String resolveUrl(String url, Account account) {
   final realmUrl = Uri.parse(account.realmUrl); // TODO clean this up
-  final resolved = realmUrl.resolve(src); // TODO handle if fails to parse
-
-  Uri adjustedSrc = resolved;
-  if (resolved.origin == realmUrl.origin) {
-    if (_kInlineApiRoutes.any((regexp) => regexp.hasMatch(resolved.path))) {
-      final delimiter = resolved.query.isNotEmpty ? '&' : '';
-      adjustedSrc = resolved
-          .resolve('?${resolved.query}${delimiter}api_key=${account.apiKey}');
-    }
-  }
-
-  return adjustedSrc.toString();
+  final resolved = realmUrl.resolve(url); // TODO handle if fails to parse
+  return resolved.toString();
 }
 
-/// List of routes which accept the API key appended as a GET parameter.
-final List<RegExp> _kInlineApiRoutes = [
-  RegExp(r'^/user_uploads/'),
-  RegExp(r'^/thumbnail$'),
-  RegExp(r'^/avatar/')
-];
+/// Whether the given absolute URL has the same origin as the account's realm.
+// TODO: Take a `Uri` instead of String for `url`; remove "absolute" from doc
+bool isUrlOnRealm(String url, Account account) {
+  return Uri.parse(url).origin == Uri.parse(account.realmUrl).origin;
+}
 
 InlineSpan _errorUnimplemented(UnimplementedNode node) {
   // For now this shows error-styled HTML code even in release mode,

lib/widgets/message_list.dart

@@ -2,6 +2,7 @@ import 'dart:io' show Platform;
 import 'package:flutter/material.dart';
 import 'package:intl/intl.dart';
 
+import '../api/core.dart';
 import '../api/model/model.dart';
 import '../model/content.dart';
 import '../model/message_list.dart';
@@ -290,12 +291,15 @@ class MessageWithSender extends StatelessWidget {
 
     final avatarUrl = message.avatar_url == null // TODO get from user data
         ? null // TODO handle computing gravatars
-        : rewriteImageUrl(message.avatar_url!, store.account);
+        : resolveUrl(message.avatar_url!, store.account);
     final avatar = (avatarUrl == null)
         ? const SizedBox.shrink()
         : Image.network(
             avatarUrl,
             filterQuality: FilterQuality.medium,
+            headers: isUrlOnRealm(avatarUrl, store.account)
+              ? Map.fromEntries([authHeader(store.account)])
+              : null,
           );
 
     final time = _kMessageTimestampFormat