reactbin/specs/002-api-image-proxy/spec.md

Feature Specification: API Image Proxy

Feature Branch: 002-api-image-proxy Created: 2026-05-03 Status: Draft Input: User description: "Instead of directly exposing the Minio storage, proxy fetching images through the API. The API server should talk directly to the S3 backend."

User Scenarios & Testing (mandatory)

User Story 1 — View Images Without Storage Configuration (Priority: P1)

A user opens the application on any network without any special DNS or host-file configuration. All images — both thumbnails in the library grid and the full-size image on the detail page — load correctly.

Why this priority: This is the core motivator for the feature. Direct storage exposure required /etc/hosts hacks to resolve the internal storage hostname; the proxy removes this friction entirely and makes the application work out-of-the-box.

Independent Test: Start the application on a machine with no custom /etc/hosts entries for the storage backend. Open the library and verify all thumbnails load. Open an image detail page and verify the full-size image loads. Confirm no network errors related to image fetching appear in the browser console.

Acceptance Scenarios:

1. Given the application is running, When the user opens the library, Then all image thumbnails display correctly with no host-file configuration required.

2. Given the user opens an image detail page, When the page loads, Then the full-size image displays correctly.

3. Given a request for an image that does not exist, When the client requests its content, Then a not-found response is returned with no storage-specific details exposed.

---

User Story 2 — Storage Backend Remains Private (Priority: P1)

The image storage system is never directly reachable or identifiable from a client browser. Image URLs in the application reference only the API, never the storage backend's hostname, credentials, or bucket names.

Why this priority: Security and portability. A private storage backend means credentials cannot be extracted from the browser and the storage layer can be reconfigured without affecting clients.

Independent Test: Open browser developer tools while browsing the application. Inspect all image src attributes, network requests, and API responses. Confirm that no request goes directly to the storage backend and no storage-specific URL, hostname, or credential appears in the browser's network tab or page source.

Acceptance Scenarios:

1. Given the user is browsing the application, When they inspect network traffic, Then all image content is fetched through the application's API domain — no request goes directly to storage infrastructure.

2. Given any API response containing image metadata, When it is inspected, Then no storage-specific URLs, hostnames, bucket names, or credentials appear in the response body.

---

Edge Cases

• What happens when the storage backend is temporarily unavailable? → The proxy returns a generic server-error response; no storage internals are disclosed.
• What happens when the image exists in the database but the file is missing from storage? → The proxy returns a not-found response with a generic message.
• What happens when image content is large (up to 50 MB)? → Content streams to the client without exhausting server memory.

Requirements (mandatory)

Functional Requirements

• FR-001: The API MUST expose an endpoint that returns image binary content when given a valid image identifier.
• FR-002: The API MUST serve image content with the correct file-type indicator so that browsers render it natively.
• FR-003: The image content endpoint MUST be the sole mechanism by which clients retrieve image binary data; no other image content URL format MUST be presented to clients.
• FR-004: The storage backend MUST NOT be directly reachable by client browsers; all image content MUST flow through the API.
• FR-005: The API MUST return a not-found response when content is requested for a non-existent image.
• FR-006: The API MUST handle image content requests for files up to 50 MB without exhausting server memory.
• FR-007: The image content endpoint MUST include caching metadata in its response so that browsers can avoid redundant fetches for the same image.
• FR-008: The UI MUST construct all image display URLs using the API's image content endpoint, for both library thumbnails and the detail view.

Success Criteria (mandatory)

Measurable Outcomes

• SC-001: A user can view all images in the library and on detail pages on a freshly configured machine with no custom DNS or host-file entries for the storage backend.
• SC-002: No image-related network request in the browser targets the storage backend directly — verifiable by inspecting browser developer tools.
• SC-003: Images up to 50 MB load completely without a server-side memory or timeout error.
• SC-004: A browser that has already loaded an image does not re-download it on a second visit to the same page (browser caching headers are respected).
• SC-005: Image load time via the proxy is within 20% of the time taken when served directly from storage on a local network connection.

Assumptions

• The storage backend is accessible from the API server via an internal network hostname that is not reachable from client browsers.
• Image files are immutable after upload; once a client has the content for a given image identifier it need not be re-fetched.
• No authentication is required to access the image content endpoint in Phase 1, consistent with the application's no-auth Phase 1 stance.
• This feature changes how image content is delivered but does not alter any image metadata endpoints, the upload flow, or tag management behaviour.
• No new database entities or schema changes are required; only how the existing stored file is retrieved and served changes.