Add validation schemas and improve texture handling

Introduces zod-based validation schemas for Minecraft and Mojang API endpoints. Refactors texture route to support hash-based file serving and removes the old static texture route. Updates database schema for player properties and adds an event to clean expired certificates. Improves ValidationError formatting, adjusts skin/cape URL construction, and adds SSRF protection for skin uploads.

services/sessionsService.js

@@ -73,12 +73,12 @@ async function getProfile({ uuid, unsigned = false }) {
     const hasValidCape = !!activeCape
 
     const skinNode = hasValidSkin ? {
-        url: activeSkin.url,
+        url: (process.env.TEXTURES_ENDPOINTS || `http://localhost:${process.env.WEB_PORT}/textures/`) + activeSkin.url,
         metadata: activeSkin.variant === "SLIM" ? { model: "slim" } : undefined
     } : undefined
 
     const capeNode = hasValidCape ? {
-        url: activeCape.url
+        url: (process.env.TEXTURES_ENDPOINTS || `http://localhost:${process.env.WEB_PORT}/textures/`) + activeCape.url
     } : undefined
 
     const texturesObject = {

services/userService.js

@@ -1,7 +1,9 @@
 const fs = require("node:fs/promises")
+const path = require("node:path")
 const util = require("node:util")
 const logger = require("../modules/logger")
 const crypto = require("node:crypto")
+const ssrfcheck = require("ssrfcheck")
 const certsManager = require("../modules/certificatesManager")
 const userRepository = require("../repositories/userRepository")
 const { DefaultError } = require("../errors/errors")
@@ -475,6 +477,7 @@ async function uploadSkin(uuid, fileObject, variant) {
 
 async function uploadSkinFromUrl(uuid, url, variant) {
     if (!url) throw new DefaultError(400, "Missing 'url' parameter.")
+    if (ssrfcheck.isSSRFSafeURL(url)) throw new DefaultError(400, "Bad request", null)
 
     let buffer
     try {