Rework user image handling

Moved all the logic out of the template into a separate endpoint. This
makes it easy to extend to also support images from different sources
like LDAP/SAML/OIDC. Session-based caching is hard to do, so to allow
time-based caching in the browser, the url needs to be unique for every
user by using a query parameter.

Replaced the default/fallback user image with a new one. It is based on
the old one, but does not need css to be visible. And removed said css.

Gravatar has now its own setting named `gravatar_enabled`, which is
disabled by default.

powerdnsadmin/routes/admin.py

@@ -1259,20 +1259,41 @@ def history_table():    # ajax call data
 @login_required
 @operator_role_required
 def setting_basic():
-    if request.method == 'GET':
-        settings = [
-            'maintenance', 'fullscreen_layout', 'record_helper',
-            'login_ldap_first', 'default_record_table_size',
-            'default_domain_table_size', 'auto_ptr', 'record_quick_edit',
-            'pretty_ipv6_ptr', 'dnssec_admins_only',
-            'allow_user_create_domain', 'allow_user_remove_domain', 'allow_user_view_history', 'bg_domain_updates', 'site_name',
-            'session_timeout', 'warn_session_timeout', 'ttl_options',
-            'pdns_api_timeout', 'verify_ssl_connections', 'verify_user_email',
-            'delete_sso_accounts', 'otp_field_enabled', 'custom_css', 'enable_api_rr_history', 'max_history_records', 'otp_force',
-            'deny_domain_override', 'enforce_api_ttl', 'account_name_extra_chars'
-        ]
+    settings = [
+        'account_name_extra_chars',
+        'allow_user_create_domain',
+        'allow_user_remove_domain',
+        'allow_user_view_history',
+        'auto_ptr',
+        'bg_domain_updates',
+        'custom_css',
+        'default_domain_table_size',
+        'default_record_table_size',
+        'delete_sso_accounts',
+        'deny_domain_override',
+        'dnssec_admins_only',
+        'enable_api_rr_history',
+        'enforce_api_ttl',
+        'fullscreen_layout',
+        'gravatar_enabled',
+        'login_ldap_first',
+        'maintenance',
+        'max_history_records',
+        'otp_field_enabled',
+        'otp_force',
+        'pdns_api_timeout',
+        'pretty_ipv6_ptr',
+        'record_helper',
+        'record_quick_edit',
+        'session_timeout',
+        'site_name',
+        'ttl_options',
+        'verify_ssl_connections',
+        'verify_user_email',
+        'warn_session_timeout',
+    ]
 
-        return render_template('admin_setting_basic.html', settings=settings)
+    return render_template('admin_setting_basic.html', settings=settings)
 
 
 @admin_bp.route('/setting/basic/<path:setting>/edit', methods=['POST'])

powerdnsadmin/routes/user.py

@@ -1,5 +1,8 @@
 import datetime
-from flask import Blueprint, request, render_template, make_response, jsonify, redirect, url_for, g, session, current_app
+import hashlib
+
+from flask import Blueprint, request, render_template, make_response, jsonify, redirect, url_for, g, session, \
+    current_app, after_this_request, abort
 from flask_login import current_user, login_required, login_manager
 
 from ..models.user import User, Anonymous
@@ -96,4 +99,34 @@ def qrcode():
         'Cache-Control': 'no-cache, no-store, must-revalidate',
         'Pragma': 'no-cache',
         'Expires': '0'
-    }
+    }
+
+
+@user_bp.route('/image', methods=['GET'])
+@login_required
+def image():
+    """Returns the user profile image or avatar."""
+
+    @after_this_request
+    def add_cache_headers(response_):
+        """When the response is ok, add cache headers."""
+        if 200 <= response_.status_code <= 399:
+            response_.cache_control.private = True
+            response_.cache_control.max_age = int(datetime.timedelta(days=1).total_seconds())
+        return response_
+
+    # To prevent "cache poisoning", the username query parameter is required
+    if request.args.get('username', None) != current_user.username:
+        abort(400)
+
+    setting = Setting()
+
+    email = current_user.email
+    if email and setting.get('gravatar_enabled'):
+        hash_ = hashlib.md5(email.encode('utf-8')).hexdigest()
+        url = f'https://s.gravatar.com/avatar/{hash_}?s=100'
+        current_app.logger.debug('Redirect user image request to gravatar')
+        return redirect(url, 307)
+
+    # Fallback to the local default image
+    return current_app.send_static_file('img/user_image.png')