feat: validate external domains

[farnabaz]

Add logic to serve original src if image does not serve from listed domains

Resolves #342

[codecov-commenter]

Codecov Report

Merging #343 (f117bd7) into main (4711fee) will decrease coverage by 0.06%.
The diff coverage is 44.44%.

@@            Coverage Diff             @@
##             main     #343      +/-   ##
==========================================
- Coverage   59.36%   59.30%   -0.07%     
==========================================
  Files          26       26              
  Lines         598      602       +4     
  Branches      188      188              
==========================================
+ Hits          355      357       +2     
- Misses        243      245       +2     

Impacted Files	Coverage Δ
src/provider.ts	74.28% <ø> (+2.06%)	⬆️
src/runtime/providers/vercel.ts	0.00% <0.00%> (ø)
src/runtime/image.ts	66.37% <25.00%> (-1.52%)	⬇️
src/module.ts	92.85% <50.00%> (-3.30%)	⬇️
src/runtime/providers/ipx.ts	100.00% <100.00%> (+15.38%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4711fee...f117bd7. Read the comment docs.

[pi0]

Thanks for pull-request @farnabaz. I think we shall move this validation out of provider implementation and always validate to externalize URLs when domains option is provided and current URL is not matching.

[atinux]

On which file/function can he implement the validation @pi0 ?

[pi0]

I think here we can add the hostname check:

image/src/runtime/image.ts

Line 97 in d9aeae2

[farnabaz]

I moved domain validation into resolveImage helper and removed logic from both ipx and vercel providers.

Does it requires other changes @pi0?

[pi0]

Changes look good @farnabaz 👌 I'm adding a change to ipx using hostname to use unified method and avoid startsWith check for vercel

[pi0]

• Updated ipx with hostname check
• Domains are normalized in module
• Only do external check if provider exports validateDomains flag enabled for ipx and vercel. This is to avoid breaking prismic and storyblok as they accept full URLs (will probably add a flag for this incompatible providers instead later for now flag is undocumented)