fix(blob): switch to private access with delivery route

User-uploaded images should not be publicly accessible. This switches
from public to private blob storage and adds a delivery route that
proxies files through the server.

Changes:
- Upload route: access 'public' -> 'private', addRandomSuffix, returns
  delivery route URL instead of raw blob URL
- New /api/files/serve route: proxies private blobs with ETag caching,
  Content-Disposition: inline for browser display
- next.config.ts: localPatterns for next/image, removed public blob domain
- proxy.ts: skip middleware auth for serve route (image optimizer can't
  forward cookies, pathname unguessability provides security)
- vercel-template.json: force private access in 1-click deploy
- Upgraded @vercel/blob to 2.3.3 for get() support

Author: vvo

app/(chat)/api/files/serve/route.ts

@@ -0,0 +1,39 @@
+import { get } from "@vercel/blob";
+import { type NextRequest, NextResponse } from "next/server";
+
+export async function GET(request: NextRequest) {
+  const pathname = request.nextUrl.searchParams.get("pathname");
+
+  if (!pathname) {
+    return NextResponse.json({ error: "Missing pathname" }, { status: 400 });
+  }
+
+  const result = await get(pathname, {
+    access: "private",
+    ifNoneMatch: request.headers.get("if-none-match") ?? undefined,
+  });
+
+  if (!result) {
+    return new NextResponse("Not found", { status: 404 });
+  }
+
+  if (result.statusCode === 304) {
+    return new NextResponse(null, {
+      status: 304,
+      headers: {
+        ETag: result.blob.etag,
+        "Cache-Control": "private, no-cache",
+      },
+    });
+  }
+
+  return new NextResponse(result.stream, {
+    headers: {
+      "Content-Type": result.blob.contentType,
+      "Content-Disposition": "inline",
+      "X-Content-Type-Options": "nosniff",
+      ETag: result.blob.etag,
+      "Cache-Control": "private, no-cache",
+    },
+  });
+}

app/(chat)/api/files/upload/route.ts

@@ -50,10 +50,15 @@ export async function POST(request: Request) {
 
     try {
       const data = await put(`${safeName}`, fileBuffer, {
-        access: "public",
+        access: "private",
+        addRandomSuffix: true,
       });
 
-      return NextResponse.json(data);
+      return NextResponse.json({
+        url: `/api/files/serve?pathname=${encodeURIComponent(data.pathname)}`,
+        pathname: data.pathname,
+        contentType: data.contentType,
+      });
     } catch (_error) {
       return NextResponse.json({ error: "Upload failed" }, { status: 500 });
     }

next.config.ts

@@ -36,9 +36,10 @@ const nextConfig: NextConfig = {
       {
         hostname: "avatar.vercel.sh",
       },
+    ],
+    localPatterns: [
       {
-        protocol: "https",
-        hostname: "*.public.blob.vercel-storage.com",
+        pathname: "/api/files/serve",
       },
     ],
   },

package.json

@@ -32,7 +32,7 @@
     "@streamdown/math": "^1.0.2",
     "@streamdown/mermaid": "^1.0.2",
     "@vercel/analytics": "^1.3.1",
-    "@vercel/blob": "^0.24.1",
+    "@vercel/blob": "^2.3.3",
     "@vercel/functions": "^2.0.0",
     "@vercel/otel": "^1.12.0",
     "ai": "6.0.116",

pnpm-lock.yaml

@@ -9,7 +9,10 @@ export async function proxy(request: NextRequest) {
     return new Response("pong", { status: 200 });
   }
 
-  if (pathname.startsWith("/api/auth")) {
+  if (
+    pathname.startsWith("/api/auth") ||
+    pathname.startsWith("/api/files/serve")
+  ) {
     return NextResponse.next();
   }
 

proxy.ts

@@ -13,7 +13,8 @@
       "integrationSlug": "upstash"
     },
     {
-      "type": "blob"
+      "type": "blob",
+      "access": "private"
     }
   ]
 }