Avoid further complaint on api/v2/diagnostics endpoint

SECURITY.md

@@ -19,3 +19,11 @@ please contact us directly on [discord][3]. All security vulnerabilities will be
 
 [1]: https://lycheeorg.dev/docs/contributions.html#security-vulnerabilities
 [3]: https://discord.gg/JMPvuRQcTf
+
+## About the api/v2/Diagnostics endpoint
+
+If you are thinking about reporting an issue regarding the `api/v2/Diagnostics` endpoint,
+please note that **it is intentionally public and does not require authentication**.
+The responses from this endpoint do not contain any sensitive information or secrets and have been anonymized.
+
+Its main goal is to allow users to easily diagnose issues with their Lychee installation even if they can't log in.

app/Http/Controllers/Admin/DiagnosticsController.php

@@ -15,9 +15,11 @@
 use App\Constants\AccessPermissionConstants as APC;
 use App\Http\Requests\Diagnostics\DiagnosticsRequest;
 use App\Http\Resources\Diagnostics\ErrorLine;
+use App\Http\Resources\Diagnostics\Errors as DiagnosticsErrors;
 use App\Http\Resources\Diagnostics\Permissions;
 use App\Models\AccessPermission;
 use App\Policies\AlbumQueryPolicy;
+use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Routing\Controller;
 use Illuminate\Support\Facades\Auth;
@@ -32,11 +34,17 @@ class DiagnosticsController extends Controller
 	 *
 	 * @param Errors $errors
 	 *
-	 * @return array<array-key, \App\Http\Resources\Diagnostics\ErrorLine>
+	 * @return JsonResponse
 	 */
-	public function errors(Request $request, Errors $errors): array
+	public function errors(Request $request, Errors $errors): JsonResponse
 	{
-		return ErrorLine::collect($errors->get());
+		return (new DiagnosticsErrors(ErrorLine::collect($errors->get())))
+			->toResponse($request)
+			/** @phpstan-ignore method.notFound (it exists) */
+			->withHeaders([
+				'X-Auth-Required' => 'false',
+				'X-Security-Policy' => 'https://github.com/LycheeOrg/Lychee/security/policy',
+			]);
 	}
 
 	/**

app/Http/Resources/Diagnostics/Errors.php

@@ -0,0 +1,33 @@
+<?php
+
+/**
+ * SPDX-License-Identifier: MIT
+ * Copyright (c) 2017-2018 Tobias Reich
+ * Copyright (c) 2018-2026 LycheeOrg.
+ */
+
+namespace App\Http\Resources\Diagnostics;
+
+use Spatie\LaravelData\Data;
+use Spatie\TypeScriptTransformer\Attributes\LiteralTypeScriptType;
+use Spatie\TypeScriptTransformer\Attributes\TypeScript;
+
+#[TypeScript()]
+class Errors extends Data
+{
+	public string $_note = 'This endpoint is intentionally public. See security policy at https://github.com/LycheeOrg/Lychee/security/policy';
+	/** @var ErrorLine[] */
+	#[LiteralTypeScriptType('App.Http.Resources.Diagnostics.ErrorLine[]')]
+	public array $errors;
+
+	/**
+	 * Create a Diagnostic Info.
+	 *
+	 * @param ErrorLine[] $errors
+	 */
+	public function __construct(
+		array $errors,
+	) {
+		$this->errors = $errors;
+	}
+}

resources/js/components/diagnostics/ErrorsDiagnostics.vue

@@ -26,8 +26,8 @@ const emits = defineEmits<{
 
 function load() {
 	DiagnosticsService.errors().then((response) => {
-		errors.value = response.data;
-		emits("loaded", toArray(response.data));
+		errors.value = response.data.errors;
+		emits("loaded", toArray(response.data.errors));
 	});
 }
 

resources/js/lychee.d.ts

@@ -315,6 +315,10 @@ declare namespace App.Http.Resources.Diagnostics {
 		from: string;
 		details: string[];
 	};
+	export type Errors = {
+		_note: string;
+		errors: App.Http.Resources.Diagnostics.ErrorLine[];
+	};
 	export type Permissions = {
 		left: string;
 		right: string;
@@ -530,6 +534,7 @@ declare namespace App.Http.Resources.GalleryConfigs {
 		is_slideshow_enabled: boolean;
 		is_timeline_left_border_visible: boolean;
 		title: string;
+		site_logo: string;
 		dropbox_api_key: string;
 		is_se_enabled: boolean;
 		is_pro_enabled: boolean;
@@ -565,7 +570,6 @@ declare namespace App.Http.Resources.GalleryConfigs {
 		album_header_size: App.Enum.AlbumHeaderSize;
 		is_album_header_landing_title_enabled: boolean;
 		use_admin_dashboard: boolean;
-		site_logo: string;
 	};
 	export type LandingPageResource = {
 		landing_page_enable: boolean;

resources/js/services/diagnostics-service.ts

@@ -10,7 +10,7 @@ export type UpdateProfileRequest = {
 };
 
 const DiagnosticsService = {
-	errors(): Promise<AxiosResponse<App.Http.Resources.Diagnostics.ErrorLine[]>> {
+	errors(): Promise<AxiosResponse<App.Http.Resources.Diagnostics.Errors>> {
 		return axios.get(`${Constants.getApiUrl()}Diagnostics`, { data: {} });
 	},