perf(gravatar): support both sha256 and md5 hashing algorithm for gra…

…vatar

conf/artalk.example.simple.yml

@@ -236,7 +236,7 @@ frontend:
   nestSort: DATE_ASC
   gravatar:
     mirror: https://www.gravatar.com/avatar/
-    params: d=mp&s=240
+    params: sha256=1&d=mp&s=240
   pagination:
     pageSize: 20
     readMore: true

conf/artalk.example.yml

@@ -419,7 +419,7 @@ frontend:
     # API URL
     mirror: https://www.gravatar.com/avatar/
     # API parameters
-    params: d=mp&s=240
+    params: sha256=1&d=mp&s=240
   # Comment pagination
   pagination:
     # Number of comments per page

conf/artalk.example.zh-CN.yml

@@ -425,9 +425,9 @@ frontend:
   # 头像 Gravatar
   gravatar:
     # API 地址
-    mirror: https://cravatar.cn/avatar/
+    mirror: https://weavatar.com/avatar/
     # API 参数
-    params: d=mp&s=240
+    params: sha256=1&d=mp&s=240
   # 评论分页
   pagination:
     # 每页评论数

docs/docs/.vitepress/theme/Artalk.vue

@@ -42,9 +42,6 @@ function initArtalk(conf: any) {
   artalk = Artalk.init({
     el: el.value,
     emoticons: '/assets/emoticons/default.json',
-    gravatar: {
-      mirror: 'https://cravatar.cn/avatar/',
-    },
     ...conf,
   })
 

docs/docs/guide/env.md

@@ -251,8 +251,8 @@ ATK_TRUSTED_DOMAINS_0="https://a.com"
 | **ATK_FRONTEND_EDITORTRAVEL** | `true` | 评论框穿梭 | frontend.editorTravel (界面配置 > 评论框穿梭) |
 | **ATK_FRONTEND_EMOTICONS** | `"https://cdn.jsdelivr.net/gh/ArtalkJS/Emoticons/grps/default.json"` | 表情包 | frontend.emoticons (界面配置 > 表情包) |
 | **ATK_FRONTEND_FLATMODE** | `"auto"` | 平铺模式 (可选：`["auto", "true", "false"]`) | frontend.flatMode (界面配置 > 平铺模式) |
-| **ATK_FRONTEND_GRAVATAR_MIRROR** | `"https://cravatar.cn/avatar/"` | API 地址 | frontend.gravatar.mirror (界面配置 > 头像 Gravatar > API 地址) |
-| **ATK_FRONTEND_GRAVATAR_PARAMS** | `"d=mp&s=240"` | API 参数 | frontend.gravatar.params (界面配置 > 头像 Gravatar > API 参数) |
+| **ATK_FRONTEND_GRAVATAR_MIRROR** | `"https://weavatar.com/avatar/"` | API 地址 | frontend.gravatar.mirror (界面配置 > 头像 Gravatar > API 地址) |
+| **ATK_FRONTEND_GRAVATAR_PARAMS** | `"sha256=1&d=mp&s=240"` | API 参数 | frontend.gravatar.params (界面配置 > 头像 Gravatar > API 参数) |
 | **ATK_FRONTEND_HEIGHTLIMIT_CHILDREN** | `400` | 子评论区域限高 (单位：px) | frontend.heightLimit.children (界面配置 > 内容限高 > 子评论区域限高) |
 | **ATK_FRONTEND_HEIGHTLIMIT_CONTENT** | `300` | 评论内容限高 (单位：px) | frontend.heightLimit.content (界面配置 > 内容限高 > 评论内容限高) |
 | **ATK_FRONTEND_HEIGHTLIMIT_SCROLLABLE** | `false` | 滚动限高 (允许限高区域滚动) | frontend.heightLimit.scrollable (界面配置 > 内容限高 > 滚动限高) |

docs/docs/guide/frontend/config.md

@@ -358,12 +358,14 @@ gravatar: {
 **Gravatar 镜像地址**
 
 - 类型：`String`
-- 默认值：`"https://sdn.geekzu.org/avatar/"`
+- 默认值：`"https://www.gravatar.com/avatar/"`
 
 如果你觉得 Gravatar 头像加载速度不理想，可以尝试替换。
 
 例如：
 
+> WeAvatar：https://weavatar.com/avatar/
+>
 > Cravatar：https://cravatar.cn/avatar/
 >
 > V2EX：https://cdn.v2ex.com/gravatar/
@@ -377,7 +379,7 @@ gravatar: {
 **Gravatar API 参数**
 
 - 类型：`String`
-- 默认值：`"d=mp&s=240"`
+- 默认值：`"sha256=1&d=mp&s=240"`
 
 例如，你可以通过该配置项设置默认头像 (`d=mp`) 和头像尺寸 (`s=240`)。
 
@@ -387,6 +389,8 @@ gravatar: {
 
 ::: warning 更新注意
 
+v2.8.7 支持通过 SHA256 加密算法生成 Gravatar 头像链接，以提高用户隐私保护，请在 `params` 中填入 `sha256=1` 启用该加密（[#874](https://github.com/ArtalkJS/Artalk/issues/874)）。
+
 v2.5.5 已废弃 `gravatar.default` 配置项，请使用 `gravatar.params` 替代。
 
 :::

internal/config/utils.go

@@ -0,0 +1,19 @@
+package config
+
+import (
+	"strings"
+
+	"github.com/ArtalkJS/Artalk/internal/utils"
+)
+
+// Get the hash function according to the frontend gravatar.params configuration
+func GetHashFuncByFrontendConf(conf *Config) func(string) string {
+	if gravatar, ok := conf.Frontend["gravatar"].(map[string]interface{}); ok {
+		if params, ok := gravatar["params"].(string); ok {
+			if strings.Contains(params, "sha256=1") {
+				return utils.GetSha256Hash
+			}
+		}
+	}
+	return utils.GetMD5Hash
+}

internal/config/utils_test.go

@@ -0,0 +1,51 @@
+package config
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/ArtalkJS/Artalk/internal/utils"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_GetHashFuncByFrontendConf(t *testing.T) {
+	tests := map[string]struct {
+		config   *Config
+		expected any
+	}{
+		"nil frontend conf": {
+			config:   &Config{Frontend: nil},
+			expected: utils.GetMD5Hash,
+		},
+		"empty frontend conf": {
+			config:   &Config{Frontend: map[string]interface{}{}},
+			expected: utils.GetMD5Hash,
+		},
+		"frontend conf without hash func": {
+			config: &Config{Frontend: map[string]interface{}{
+				"gravatar": false,
+			}},
+			expected: utils.GetMD5Hash,
+		},
+		"frontend conf with gravatar params but without hash func": {
+			config: &Config{Frontend: map[string]interface{}{
+				"gravatar": map[string]interface{}{"params": "a=1&b=2"},
+			}},
+			expected: utils.GetMD5Hash,
+		},
+		"frontend conf with gravatar params containing hash func": {
+			config: &Config{Frontend: map[string]interface{}{
+				"gravatar": map[string]interface{}{"params": "a=1&sha256=1&b=2"},
+			}},
+			expected: utils.GetSha256Hash,
+		},
+	}
+
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			expect := reflect.ValueOf(tc.expected).Pointer()
+			actual := reflect.ValueOf(GetHashFuncByFrontendConf(tc.config)).Pointer()
+			assert.Equal(t, expect, actual)
+		})
+	}
+}

internal/core/base.go

@@ -42,11 +42,11 @@ func NewApp(conf *config.Config) *App {
 }
 
 func (app *App) injectDefaultServices() {
-	// 请勿依赖注入顺序
-	AppInject[*EmailService](app, NewEmailService(app))
-	AppInject[*IPRegionService](app, NewIPRegionService(app))
-	AppInject[*NotifyService](app, NewNotifyService(app))
-	AppInject[*AntiSpamService](app, NewAntiSpamService(app))
+	// Please do not depend on the order of dependency injection
+	AppInject(app, NewEmailService(app))
+	AppInject(app, NewIPRegionService(app))
+	AppInject(app, NewNotifyService(app))
+	AppInject(app, NewAntiSpamService(app))
 }
 
 func (app *App) registerDefaultHooks() {
@@ -270,6 +270,11 @@ func (app *App) initDao() error {
 	// create new dao instance
 	app.SetDao(dao.NewDao(dbInstance))
 
+	// patch: switch comment email hash algorithm by config
+	app.Dao().SetCommentEmailHashFunc(func(email string) string {
+		return config.GetHashFuncByFrontendConf(app.Conf())(strings.ToLower(email))
+	})
+
 	return nil
 }
 

internal/dao/cook.go

@@ -1,3 +1,5 @@
+// Convert Entity to JSON Response Data Structure for API
+// TODO: (refactor) consider to extract this file to a new package
 package dao
 
 import (
@@ -10,6 +12,13 @@ import (
 
 const CommonDateTimeFormat = "2006-01-02 15:04:05"
 
+// TODO: (refactor) remove this global variable
+var getCommentEmailHash = func(email string) string { return utils.GetMD5Hash(strings.ToLower(email)) }
+
+func (dao *Dao) SetCommentEmailHashFunc(fn func(string) string) {
+	getCommentEmailHash = fn
+}
+
 // ===============
 //  Comment
 // ===============
@@ -40,7 +49,7 @@ func (dao *Dao) CookComment(c *entity.Comment) entity.CookedComment {
 		ContentMarked:  markedContent,
 		UserID:         c.UserID,
 		Nick:           user.Name,
-		EmailEncrypted: utils.GetSha256Hash(strings.ToLower(user.Email)),
+		EmailEncrypted: getCommentEmailHash(user.Email),
 		Link:           user.Link,
 		UA:             c.UA,
 		Date:           c.CreatedAt.Local().Format(CommonDateTimeFormat),
@@ -92,7 +101,7 @@ func (dao *Dao) CookCommentForEmail(c *entity.Comment) entity.CookedCommentForEm
 		Site:       dao.CookSite(&site),
 		CookedComment: entity.CookedComment{
 			ID:             c.ID,
-			EmailEncrypted: utils.GetSha256Hash(strings.ToLower(user.Email)),
+			EmailEncrypted: getCommentEmailHash(user.Email),
 			Link:           user.Link,
 			UA:             c.UA,
 			IsCollapsed:    c.IsCollapsed,

ui/artalk-sidebar/src/components/Header.vue

@@ -1,21 +1,14 @@
 <script setup lang="ts">
-import sha256 from 'crypto-js/sha256'
 import { storeToRefs } from 'pinia'
 import { useUserStore } from '../stores/user'
 import { useNavStore } from '../stores/nav'
-import { artalk, isOpenFromSidebar } from '../global'
+import { isOpenFromSidebar } from '../global'
 
 const nav = useNavStore()
 const router = useRouter()
 const user = useUserStore()
 const { t } = useI18n()
-const { site: curtSite, isAdmin, email } = storeToRefs(user)
-
-const userAvatarImgURL = computed(() => {
-  const conf = artalk?.ctx.conf?.gravatar
-  if (!conf) return ``
-  return `${conf.mirror.replace(/\/$/, '')}/${sha256(email.value.toLowerCase())}?${conf.params.replace(/^\?/, '')}`
-})
+const { site: curtSite, isAdmin, avatar } = storeToRefs(user)
 
 const avatarClickHandler = () => {
   if (!isOpenFromSidebar()) logout()
@@ -44,7 +37,7 @@ const logout = () => {
     </template>
     <template v-else>
       <div class="avatar" @click="avatarClickHandler">
-        <img :src="userAvatarImgURL" />
+        <img :src="avatar" />
       </div>
     </template>
 

ui/artalk-sidebar/src/stores/user.ts

@@ -1,5 +1,7 @@
 import { defineStore } from 'pinia'
 import { bootParams, getArtalk } from '../global'
+import sha256 from 'crypto-js/sha256'
+import md5 from 'crypto-js/md5'
 
 export const useUserStore = defineStore('user', {
   state: () => ({
@@ -31,4 +33,22 @@ export const useUserStore = defineStore('user', {
       this.token = userData.token
     },
   },
+  getters: {
+    avatar: (state) => {
+      return getGravatar(state.email)
+    },
+  },
 })
+
+function getGravatar(email: string) {
+  // TODO get avatar url from backend api
+  const conf = getArtalk()?.ctx.conf?.gravatar
+  if (!conf) return ''
+
+  const emailHash =
+    typeof conf.params == 'string' && conf.params.includes('sha256=1')
+      ? sha256(email.toLowerCase()).toString()
+      : md5(email.toLowerCase()).toString()
+
+  return `${conf.mirror.replace(/\/$/, '')}/${emailHash}?${conf.params.replace(/^\?/, '')}`
+}

ui/artalk/src/defaults.ts

@@ -29,8 +29,8 @@ const defaults: ArtalkConfig = {
   statPageKeyAttr: 'data-page-key',
 
   gravatar: {
-    mirror: 'https://cravatar.cn/avatar/',
-    params: 'd=mp&s=240',
+    mirror: 'https://www.gravatar.com/avatar/',
+    params: 'sha256=1&d=mp&s=240',
   },
 
   pagination: {