From 20b966b4e823f6bc34269e6998588dd60467a0ba Mon Sep 17 00:00:00 2001
From: Michael Genson <71845777+michael-genson@users.noreply.github.com>
Date: Thu, 24 Oct 2024 16:19:49 +0000
Subject: [PATCH 1/3] removed references to Caddy since we don't use it anymore
---
 docker/Dockerfile | 1 -
 .../documentation/getting-started/installation/security.md | 1 -
 mealie/routes/media/media_recipe.py | 7 +------
 mealie/routes/media/media_user.py | 7 +------
 4 files changed, 2 insertions(+), 14 deletions(-)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 60607fa4b8a..6c9c09066ee 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -131,7 +131,6 @@ HEALTHCHECK CMD python $MEALIE_HOME/mealie/scripts/healthcheck.py || exit 1
 # ----------------------------------
 # Copy Frontend
-# copying caddy into image
 ENV STATIC_FILES=/spa/static
 COPY --from=builder /app/dist ${STATIC_FILES}
diff --git a/docs/docs/documentation/getting-started/installation/security.md b/docs/docs/documentation/getting-started/installation/security.md
index 29f6b19da28..3d61fca0af8 100644
--- a/docs/docs/documentation/getting-started/installation/security.md
+++ b/docs/docs/documentation/getting-started/installation/security.md
@@ -29,7 +29,6 @@ If you'd like to mitigate this risk, we suggest that you rate limit the API in g
 - [Traefik](https://doc.traefik.io/traefik/middlewares/http/ratelimit/)
 - [Nginx](https://nginx.org/en/docs/http/ngx_http_limit_req_module.html)
-- [Caddy](https://caddyserver.com/docs/modules/http.handlers.rate_limit)
 ## Server Side Request Forgery
diff --git a/mealie/routes/media/media_recipe.py b/mealie/routes/media/media_recipe.py
index 85620a666da..1b25cc7f594 100644
--- a/mealie/routes/media/media_recipe.py
+++ b/mealie/routes/media/media_recipe.py
@@ -7,12 +7,7 @@ from mealie.schema.recipe import Recipe
 from mealie.schema.recipe.recipe_timeline_events import RecipeTimelineEventOut
-"""
-These routes are for development only! These assets are served by Caddy when not
-in development mode. If you make changes, be sure to test the production container.
-"""
-
-router = APIRouter(prefix="/recipes", include_in_schema=False)
+router = APIRouter(prefix="/recipes")
 class ImageType(str, Enum):
diff --git a/mealie/routes/media/media_user.py b/mealie/routes/media/media_user.py
index 561778800d4..96088b22bcc 100644
--- a/mealie/routes/media/media_user.py
+++ b/mealie/routes/media/media_user.py
@@ -4,12 +4,7 @@ from mealie.schema.user import PrivateUser
-"""
-These routes are for development only! These assets are served by Caddy when not
-in development mode. If you make changes, be sure to test the production container.
-"""
-
-router = APIRouter(prefix="/users", include_in_schema=False)
+router = APIRouter(prefix="/users")
 @router.get("/{user_id}/{file_name}", response_class=FileResponse)
From e09af46809aa933be57ad5345e8aa81d625dabf2 Mon Sep 17 00:00:00 2001
From: Michael Genson <71845777+michael-genson@users.noreply.github.com>
Date: Thu, 24 Oct 2024 16:26:16 +0000
Subject: [PATCH 2/3] add explicit media type to media routes
---
 mealie/routes/media/media_recipe.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mealie/routes/media/media_recipe.py b/mealie/routes/media/media_recipe.py
index 1b25cc7f594..12f8d12b249 100644
--- a/mealie/routes/media/media_recipe.py
+++ b/mealie/routes/media/media_recipe.py
@@ -25,7 +25,7 @@ async def get_recipe_img(recipe_id: str, file_name: ImageType = ImageType.origin
 recipe_image = Recipe.directory_from_id(recipe_id).joinpath("images", file_name.value)
 if recipe_image.exists():
- return FileResponse(recipe_image)
+ return FileResponse(recipe_image, media_type="image/webp")
 else:
 raise HTTPException(status.HTTP_404_NOT_FOUND)
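Review bot: Dropping `include_in_schema=False` on the `router = APIRouter(prefix="/recipes")` line publishes the recipe media endpoints in the generated OpenAPI schema, and the deleted docstring was the only place recording that these handlers now carry production traffic rather than acting as a dev-only stand-in for the removed Caddy proxy. If exposing them in the schema is intended, a short replacement module docstring would keep that context for the next maintainer, e.g. `"""Serve recipe image assets directly from the app. With the Caddy sidecar gone these routes handle production traffic; treat them as externally reachable file-serving endpoints."""`. If the schema change is incidental, keep `include_in_schema=False` and delete only the Caddy wording. No auth dependency is visible on the router or in the handler signature shown in the later hunk, so presumably these stay unauthenticated — worth confirming that is the intent now that they are the production path.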
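Review bot: The retained `@router.get("/{user_id}/{file_name}", response_class=FileResponse)` takes `file_name` as a free-form path segment, unlike the recipe route which constrains it to the `ImageType` enum, and with the dev-only warning removed this handler is now the production path for serving user files. The handler body lies outside the hunk, so I cannot see how `file_name` is joined or validated; before treating this route as production-grade, confirm the handler rejects anything that is not a single plain filename (e.g. `..`) and pins the response media type the way patch 2/3 does for recipe images, rather than letting `FileResponse` presumably infer it from whatever extension the client requested. A one-line guard at the top of the handler would be something like `if PurePosixPath(file_name).name != file_name or file_name in {"", ".", ".."}: raise HTTPException(status.HTTP_404_NOT_FOUND)` (with `PurePosixPath` imported from `pathlib`).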
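Review bot: The hard-coded `media_type="image/webp"` on the added `return FileResponse(...)` line is only correct if every file that `ImageType` can name under `images/` is actually WebP; the enum values are outside this hunk (the `@@` header only shows the truncated default `ImageType.origin…`), so confirm they all end in `.webp` and that the on-disk files are really encoded that way, otherwise the declared type and the bytes disagree. Since the file name here is enum-constrained, this is also the right place to make the declared type authoritative, unless a middleware already does it globally: `return FileResponse(recipe_image, media_type="image/webp", headers={"X-Content-Type-Options": "nosniff"})`. `get_recipe_img`'s signature is on the `@@` line and its body starts outside the hunk.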
@@ -43,7 +43,7 @@ async def get_recipe_timeline_event_img(
 )
 if timeline_event_image.exists():
- return FileResponse(timeline_event_image)
+ return FileResponse(timeline_event_image, media_type="image/webp")
 else:
 raise HTTPException(status.HTTP_404_NOT_FOUND)
From cbcbb08055b21c8c4bfd9ce3e345b755b9530a16 Mon Sep 17 00:00:00 2001
From: Michael Genson <71845777+michael-genson@users.noreply.github.com>
Date: Thu, 24 Oct 2024 17:53:58 +0000
Subject: [PATCH 3/3] restore caddy security suggestion
---
 docs/docs/documentation/getting-started/installation/security.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/docs/docs/documentation/getting-started/installation/security.md b/docs/docs/documentation/getting-started/installation/security.md
index 3d61fca0af8..29f6b19da28 100644
--- a/docs/docs/documentation/getting-started/installation/security.md
+++ b/docs/docs/documentation/getting-started/installation/security.md
@@ -29,6 +29,7 @@ If you'd like to mitigate this risk, we suggest that you rate limit the API in g
 - [Traefik](https://doc.traefik.io/traefik/middlewares/http/ratelimit/)
 - [Nginx](https://nginx.org/en/docs/http/ngx_http_limit_req_module.html)
+- [Caddy](https://caddyserver.com/docs/modules/http.handlers.rate_limit)
 ## Server Side Request Forgery
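Review bot: The guard `if timeline_event_image.exists():` that feeds the changed `return FileResponse(...)` line is also true for a directory at that path, so a stray directory would pass the check and presumably fail inside `FileResponse` instead of producing the 404 the `else` branch intends; `if timeline_event_image.is_file():` is the tighter test, and the same applies to the sibling `get_recipe_img` guard in the previous hunk. The new `media_type="image/webp"` also deserves a one-line comment explaining why the type is fixed rather than inferred, e.g. `# ImageType only names the WebP variants we generate, so the type is known up front` — assuming that is indeed the case, which this hunk does not show. `get_recipe_timeline_event_img` starts outside the hunk: its `async def` is on the `@@` line and the `)` context line closes a statement that begins before the hunk.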