fix: use bsky cdn + only fetch from https pds endpoints

Author: danielroe

server/api/auth/atproto.get.ts

@@ -69,20 +69,23 @@ export default defineEventHandler(async event => {
     const miniDoc: PublicUserSession = await response.json()
 
     // Fetch the user's profile record to get their avatar blob reference
-    // We use com.atproto.repo.getRecord to fetch directly from the user's PDS
-    // This works with any PDS, not just Bluesky
     let avatar: string | undefined
+    const did = agent.did
     try {
-      const profileResponse = await fetch(
-        `${miniDoc.pds}/xrpc/com.atproto.repo.getRecord?repo=${encodeURIComponent(agent.did!)}&collection=app.bsky.actor.profile&rkey=self`,
-        { headers: { 'User-Agent': 'npmx' } },
-      )
-      if (profileResponse.ok) {
-        const record = (await profileResponse.json()) as { value: ProfileRecord }
-        const avatarBlob = record.value.avatar
-        if (avatarBlob?.ref?.$link) {
-          // Construct the blob URL from the user's PDS
-          avatar = `${miniDoc.pds}/xrpc/com.atproto.sync.getBlob?did=${encodeURIComponent(agent.did!)}&cid=${encodeURIComponent(avatarBlob.ref.$link)}`
+      const pdsUrl = new URL(miniDoc.pds)
+      // Only fetch from HTTPS PDS endpoints to prevent SSRF
+      if (did && pdsUrl.protocol === 'https:') {
+        const profileResponse = await fetch(
+          `${pdsUrl.origin}/xrpc/com.atproto.repo.getRecord?repo=${encodeURIComponent(did)}&collection=app.bsky.actor.profile&rkey=self`,
+          { headers: { 'User-Agent': 'npmx' } },
+        )
+        if (profileResponse.ok) {
+          const record = (await profileResponse.json()) as { value: ProfileRecord }
+          const avatarBlob = record.value.avatar
+          if (avatarBlob?.ref?.$link) {
+            // Use Bluesky CDN for faster image loading
+            avatar = `https://cdn.bsky.app/img/feed_thumbnail/plain/${did}/${avatarBlob.ref.$link}@jpeg`
+          }
         }
       }
     } catch {